diff --git a/client/deps/mbedtls.cmake b/client/deps/mbedtls.cmake
index b18537c84..40929e1ea 100644
--- a/client/deps/mbedtls.cmake
+++ b/client/deps/mbedtls.cmake
@@ -8,7 +8,6 @@ add_library(pm3rrg_rdv4_mbedtls STATIC
         ../../common/mbedtls/entropy_poll.c
         ../../common/mbedtls/entropy.c
         ../../common/mbedtls/error.c
-        ../../common/mbedtls/timing.c
         ../../common/mbedtls/ecp.c
         ../../common/mbedtls/ecp_curves.c
         ../../common/mbedtls/certs.c
@@ -20,7 +19,6 @@ add_library(pm3rrg_rdv4_mbedtls STATIC
         ../../common/mbedtls/des.c
         ../../common/mbedtls/ecdsa.c
         ../../common/mbedtls/md.c
-        ../../common/mbedtls/md_wrap.c
         ../../common/mbedtls/md5.c
         ../../common/mbedtls/oid.c
         ../../common/mbedtls/pem.c
diff --git a/client/src/emv/test/cryptotest.c b/client/src/emv/test/cryptotest.c
index c15ec54f9..4e6c1192e 100644
--- a/client/src/emv/test/cryptotest.c
+++ b/client/src/emv/test/cryptotest.c
@@ -23,7 +23,7 @@
 #include "base64.h"
 #include "ctr_drbg.h"
 #include "entropy.h"
-#include "timing.h"
+//#include "timing.h" // Beware it requires adjustments for ProxSpace
 #include "crypto_test.h"
 #include "sda_test.h"
 #include "dda_test.h"
@@ -56,6 +56,7 @@ int ExecuteCryptoTests(bool verbose, bool ignore_time, bool include_slow_tests)
     res = mbedtls_entropy_self_test(verbose);
     if (res && !ignore_time) TestFail = true;
 
+    /*
     // retry for CI (when resources too low)
     for (int i = 0; i < 3; i++) {
         res = mbedtls_timing_self_test(verbose);
@@ -64,6 +65,7 @@ int ExecuteCryptoTests(bool verbose, bool ignore_time, bool include_slow_tests)
         PrintAndLogEx(WARNING, "Repeat timing test " _RED_("%d"), i + 1);
     }
     if (res && !ignore_time) TestFail = true;
+*/
 
     res = mbedtls_ctr_drbg_self_test(verbose);
     if (res) TestFail = true;
diff --git a/common/mbedtls/Makefile b/common/mbedtls/Makefile
index 4ae8357b3..142ac6b12 100644
--- a/common/mbedtls/Makefile
+++ b/common/mbedtls/Makefile
@@ -12,7 +12,6 @@ MYSRCS = \
 	entropy_poll.c \
 	entropy.c \
 	error.c \
-	timing.c \
 	ecp.c \
 	ecp_curves.c \
 	certs.c \
@@ -24,7 +23,6 @@ MYSRCS = \
 	des.c \
 	ecdsa.c \
 	md.c \
-	md_wrap.c \
 	md5.c \
 	oid.c \
 	pem.c \
diff --git a/common/mbedtls/aes.c b/common/mbedtls/aes.c
index 2fca6b8cb..832228818 100644
--- a/common/mbedtls/aes.c
+++ b/common/mbedtls/aes.c
@@ -1,24 +1,20 @@
 /*
  *  FIPS-197 compliant AES implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@@ -27,18 +23,16 @@
  *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_AES_C)
 
 #include <string.h>
 
 #include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 #if defined(MBEDTLS_PADLOCK_C)
 #include "mbedtls/padlock.h"
 #endif
@@ -57,27 +51,33 @@
 
 #if !defined(MBEDTLS_AES_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define AES_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
+#define AES_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * 32-bit integer manipulation macros (little endian)
  */
 #ifndef GET_UINT32_LE
 #define GET_UINT32_LE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ]       )             \
-              | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 2] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 3] << 24 );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
 #endif
 
 #ifndef PUT_UINT32_LE
 #define PUT_UINT32_LE(n,b,i)                                    \
-    {                                                               \
-        (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
-        (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
-        (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
-        (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
-    }
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
 #endif
 
 #if defined(MBEDTLS_PADLOCK_C) &&                      \
@@ -128,7 +128,7 @@ static const unsigned char FSb[256] = {
  * Forward tables
  */
 #define FT \
-    \
+\
     V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
     V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
     V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
@@ -258,7 +258,7 @@ static const unsigned char RSb[256] = {
  * Reverse tables
  */
 #define RT \
-    \
+\
     V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
     V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
     V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
@@ -387,9 +387,9 @@ static uint32_t RCON[10];
 /*
  * Tables generation code
  */
-#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
-#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
-#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
+#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
+#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
+#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
 
 static int aes_init_done = 0;
 
@@ -507,6 +507,8 @@ static void aes_gen_tables(void) {
 #endif /* MBEDTLS_AES_FEWER_TABLES */
 
 void mbedtls_aes_init(mbedtls_aes_context *ctx) {
+    AES_VALIDATE(ctx != NULL);
+
     memset(ctx, 0, sizeof(mbedtls_aes_context));
 }
 
@@ -519,11 +521,16 @@ void mbedtls_aes_free(mbedtls_aes_context *ctx) {
 
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) {
+    AES_VALIDATE(ctx != NULL);
+
     mbedtls_aes_init(&ctx->crypt);
     mbedtls_aes_init(&ctx->tweak);
 }
 
 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) {
+    if (ctx == NULL)
+        return;
+
     mbedtls_aes_free(&ctx->crypt);
     mbedtls_aes_free(&ctx->tweak);
 }
@@ -538,13 +545,8 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
     unsigned int i;
     uint32_t *RK;
 
-#if !defined(MBEDTLS_AES_ROM_TABLES)
-    if (aes_init_done == 0) {
-        aes_gen_tables();
-        aes_init_done = 1;
-
-    }
-#endif
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(key != NULL);
 
     switch (keybits) {
         case 128:
@@ -560,6 +562,13 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
             return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
     }
 
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+    if (aes_init_done == 0) {
+        aes_gen_tables();
+        aes_init_done = 1;
+    }
+#endif
+
 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
     if (aes_padlock_ace == -1)
         aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
@@ -653,6 +662,9 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
     uint32_t *RK;
     uint32_t *SK;
 
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(key != NULL);
+
     mbedtls_aes_init(&cty);
 
 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
@@ -705,6 +717,7 @@ exit:
 
     return (ret);
 }
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
 
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
@@ -736,10 +749,13 @@ static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
                                const unsigned char *key,
                                unsigned int keybits) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const unsigned char *key1, *key2;
     unsigned int key1bits, key2bits;
 
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(key != NULL);
+
     ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
                                       &key2, &key2bits);
     if (ret != 0)
@@ -757,10 +773,13 @@ int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
                                const unsigned char *key,
                                unsigned int keybits) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const unsigned char *key1, *key2;
     unsigned int key1bits, key2bits;
 
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(key != NULL);
+
     ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
                                       &key2, &key2bits);
     if (ret != 0)
@@ -776,53 +795,53 @@ int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
 }
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 
-#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
+#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                     \
+    do                                                          \
+    {                                                           \
+        (X0) = *RK++ ^ AES_FT0( ( (Y0)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y1) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y3) >> 24 ) & 0xFF );        \
+                                                                \
+        (X1) = *RK++ ^ AES_FT0( ( (Y1)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y2) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y0) >> 24 ) & 0xFF );        \
+                                                                \
+        (X2) = *RK++ ^ AES_FT0( ( (Y2)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y3) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y1) >> 24 ) & 0xFF );        \
+                                                                \
+        (X3) = *RK++ ^ AES_FT0( ( (Y3)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y0) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y2) >> 24 ) & 0xFF );        \
+    } while( 0 )
 
-#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)         \
-    {                                                   \
-        X0 = *RK++ ^ AES_FT0( ( Y0       ) & 0xFF ) ^   \
-             AES_FT1( ( Y1 >>  8 ) & 0xFF ) ^   \
-             AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^   \
-             AES_FT3( ( Y3 >> 24 ) & 0xFF );    \
-        \
-        X1 = *RK++ ^ AES_FT0( ( Y1       ) & 0xFF ) ^   \
-             AES_FT1( ( Y2 >>  8 ) & 0xFF ) ^   \
-             AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^   \
-             AES_FT3( ( Y0 >> 24 ) & 0xFF );    \
-        \
-        X2 = *RK++ ^ AES_FT0( ( Y2       ) & 0xFF ) ^   \
-             AES_FT1( ( Y3 >>  8 ) & 0xFF ) ^   \
-             AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^   \
-             AES_FT3( ( Y1 >> 24 ) & 0xFF );    \
-        \
-        X3 = *RK++ ^ AES_FT0( ( Y3       ) & 0xFF ) ^   \
-             AES_FT1( ( Y0 >>  8 ) & 0xFF ) ^   \
-             AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^   \
-             AES_FT3( ( Y2 >> 24 ) & 0xFF );    \
-    }
-
-#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)         \
-    {                                                   \
-        X0 = *RK++ ^ AES_RT0( ( Y0       ) & 0xFF ) ^   \
-             AES_RT1( ( Y3 >>  8 ) & 0xFF ) ^   \
-             AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^   \
-             AES_RT3( ( Y1 >> 24 ) & 0xFF );    \
-        \
-        X1 = *RK++ ^ AES_RT0( ( Y1       ) & 0xFF ) ^   \
-             AES_RT1( ( Y0 >>  8 ) & 0xFF ) ^   \
-             AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^   \
-             AES_RT3( ( Y2 >> 24 ) & 0xFF );    \
-        \
-        X2 = *RK++ ^ AES_RT0( ( Y2       ) & 0xFF ) ^   \
-             AES_RT1( ( Y1 >>  8 ) & 0xFF ) ^   \
-             AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^   \
-             AES_RT3( ( Y3 >> 24 ) & 0xFF );    \
-        \
-        X3 = *RK++ ^ AES_RT0( ( Y3       ) & 0xFF ) ^   \
-             AES_RT1( ( Y2 >>  8 ) & 0xFF ) ^   \
-             AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^   \
-             AES_RT3( ( Y0 >> 24 ) & 0xFF );    \
-    }
+#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                 \
+    do                                                      \
+    {                                                       \
+        (X0) = *RK++ ^ AES_RT0( ( (Y0)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y3) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y1) >> 24 ) & 0xFF );    \
+                                                            \
+        (X1) = *RK++ ^ AES_RT0( ( (Y1)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y0) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y2) >> 24 ) & 0xFF );    \
+                                                            \
+        (X2) = *RK++ ^ AES_RT0( ( (Y2)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y1) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y3) >> 24 ) & 0xFF );    \
+                                                            \
+        (X3) = *RK++ ^ AES_RT0( ( (Y3)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y2) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y0) >> 24 ) & 0xFF );    \
+    } while( 0 )
 
 /*
  * AES-ECB block encryption
@@ -832,54 +851,58 @@ int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]) {
     int i;
-    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+    uint32_t *RK = ctx->rk;
+    struct {
+        uint32_t X[4];
+        uint32_t Y[4];
+    } t;
 
-    RK = ctx->rk;
-
-    GET_UINT32_LE(X0, input,  0);
-    X0 ^= *RK++;
-    GET_UINT32_LE(X1, input,  4);
-    X1 ^= *RK++;
-    GET_UINT32_LE(X2, input,  8);
-    X2 ^= *RK++;
-    GET_UINT32_LE(X3, input, 12);
-    X3 ^= *RK++;
+    GET_UINT32_LE(t.X[0], input,  0);
+    t.X[0] ^= *RK++;
+    GET_UINT32_LE(t.X[1], input,  4);
+    t.X[1] ^= *RK++;
+    GET_UINT32_LE(t.X[2], input,  8);
+    t.X[2] ^= *RK++;
+    GET_UINT32_LE(t.X[3], input, 12);
+    t.X[3] ^= *RK++;
 
     for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
-        AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
-        AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
+        AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+        AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
     }
 
-    AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
+    AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
 
-    X0 = *RK++ ^ \
-         ((uint32_t) FSb[(Y0) & 0xFF ]) ^
-         ((uint32_t) FSb[(Y1 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) FSb[(Y2 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) FSb[(Y3 >> 24) & 0xFF ] << 24);
+    t.X[0] = *RK++ ^ \
+             ((uint32_t) FSb[(t.Y[0]) & 0xFF ]) ^
+             ((uint32_t) FSb[(t.Y[1] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) FSb[(t.Y[2] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) FSb[(t.Y[3] >> 24) & 0xFF ] << 24);
 
-    X1 = *RK++ ^ \
-         ((uint32_t) FSb[(Y1) & 0xFF ]) ^
-         ((uint32_t) FSb[(Y2 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) FSb[(Y3 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) FSb[(Y0 >> 24) & 0xFF ] << 24);
+    t.X[1] = *RK++ ^ \
+             ((uint32_t) FSb[(t.Y[1]) & 0xFF ]) ^
+             ((uint32_t) FSb[(t.Y[2] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) FSb[(t.Y[3] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) FSb[(t.Y[0] >> 24) & 0xFF ] << 24);
 
-    X2 = *RK++ ^ \
-         ((uint32_t) FSb[(Y2) & 0xFF ]) ^
-         ((uint32_t) FSb[(Y3 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) FSb[(Y0 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) FSb[(Y1 >> 24) & 0xFF ] << 24);
+    t.X[2] = *RK++ ^ \
+             ((uint32_t) FSb[(t.Y[2]) & 0xFF ]) ^
+             ((uint32_t) FSb[(t.Y[3] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) FSb[(t.Y[0] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) FSb[(t.Y[1] >> 24) & 0xFF ] << 24);
 
-    X3 = *RK++ ^ \
-         ((uint32_t) FSb[(Y3) & 0xFF ]) ^
-         ((uint32_t) FSb[(Y0 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) FSb[(Y1 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) FSb[(Y2 >> 24) & 0xFF ] << 24);
+    t.X[3] = *RK++ ^ \
+             ((uint32_t) FSb[(t.Y[3]) & 0xFF ]) ^
+             ((uint32_t) FSb[(t.Y[0] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) FSb[(t.Y[1] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) FSb[(t.Y[2] >> 24) & 0xFF ] << 24);
 
-    PUT_UINT32_LE(X0, output,  0);
-    PUT_UINT32_LE(X1, output,  4);
-    PUT_UINT32_LE(X2, output,  8);
-    PUT_UINT32_LE(X3, output, 12);
+    PUT_UINT32_LE(t.X[0], output,  0);
+    PUT_UINT32_LE(t.X[1], output,  4);
+    PUT_UINT32_LE(t.X[2], output,  8);
+    PUT_UINT32_LE(t.X[3], output, 12);
+
+    mbedtls_platform_zeroize(&t, sizeof(t));
 
     return (0);
 }
@@ -901,54 +924,58 @@ int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]) {
     int i;
-    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+    uint32_t *RK = ctx->rk;
+    struct {
+        uint32_t X[4];
+        uint32_t Y[4];
+    } t;
 
-    RK = ctx->rk;
-
-    GET_UINT32_LE(X0, input,  0);
-    X0 ^= *RK++;
-    GET_UINT32_LE(X1, input,  4);
-    X1 ^= *RK++;
-    GET_UINT32_LE(X2, input,  8);
-    X2 ^= *RK++;
-    GET_UINT32_LE(X3, input, 12);
-    X3 ^= *RK++;
+    GET_UINT32_LE(t.X[0], input,  0);
+    t.X[0] ^= *RK++;
+    GET_UINT32_LE(t.X[1], input,  4);
+    t.X[1] ^= *RK++;
+    GET_UINT32_LE(t.X[2], input,  8);
+    t.X[2] ^= *RK++;
+    GET_UINT32_LE(t.X[3], input, 12);
+    t.X[3] ^= *RK++;
 
     for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
-        AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
-        AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
+        AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+        AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
     }
 
-    AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
+    AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
 
-    X0 = *RK++ ^ \
-         ((uint32_t) RSb[(Y0) & 0xFF ]) ^
-         ((uint32_t) RSb[(Y3 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) RSb[(Y2 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) RSb[(Y1 >> 24) & 0xFF ] << 24);
+    t.X[0] = *RK++ ^ \
+             ((uint32_t) RSb[(t.Y[0]) & 0xFF ]) ^
+             ((uint32_t) RSb[(t.Y[3] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) RSb[(t.Y[2] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) RSb[(t.Y[1] >> 24) & 0xFF ] << 24);
 
-    X1 = *RK++ ^ \
-         ((uint32_t) RSb[(Y1) & 0xFF ]) ^
-         ((uint32_t) RSb[(Y0 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) RSb[(Y3 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) RSb[(Y2 >> 24) & 0xFF ] << 24);
+    t.X[1] = *RK++ ^ \
+             ((uint32_t) RSb[(t.Y[1]) & 0xFF ]) ^
+             ((uint32_t) RSb[(t.Y[0] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) RSb[(t.Y[3] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) RSb[(t.Y[2] >> 24) & 0xFF ] << 24);
 
-    X2 = *RK++ ^ \
-         ((uint32_t) RSb[(Y2) & 0xFF ]) ^
-         ((uint32_t) RSb[(Y1 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) RSb[(Y0 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) RSb[(Y3 >> 24) & 0xFF ] << 24);
+    t.X[2] = *RK++ ^ \
+             ((uint32_t) RSb[(t.Y[2]) & 0xFF ]) ^
+             ((uint32_t) RSb[(t.Y[1] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) RSb[(t.Y[0] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) RSb[(t.Y[3] >> 24) & 0xFF ] << 24);
 
-    X3 = *RK++ ^ \
-         ((uint32_t) RSb[(Y3) & 0xFF ]) ^
-         ((uint32_t) RSb[(Y2 >>  8) & 0xFF ] <<  8) ^
-         ((uint32_t) RSb[(Y1 >> 16) & 0xFF ] << 16) ^
-         ((uint32_t) RSb[(Y0 >> 24) & 0xFF ] << 24);
+    t.X[3] = *RK++ ^ \
+             ((uint32_t) RSb[(t.Y[3]) & 0xFF ]) ^
+             ((uint32_t) RSb[(t.Y[2] >>  8) & 0xFF ] <<  8) ^
+             ((uint32_t) RSb[(t.Y[1] >> 16) & 0xFF ] << 16) ^
+             ((uint32_t) RSb[(t.Y[0] >> 24) & 0xFF ] << 24);
 
-    PUT_UINT32_LE(X0, output,  0);
-    PUT_UINT32_LE(X1, output,  4);
-    PUT_UINT32_LE(X2, output,  8);
-    PUT_UINT32_LE(X3, output, 12);
+    PUT_UINT32_LE(t.X[0], output,  0);
+    PUT_UINT32_LE(t.X[1], output,  4);
+    PUT_UINT32_LE(t.X[2], output,  8);
+    PUT_UINT32_LE(t.X[3], output, 12);
+
+    mbedtls_platform_zeroize(&t, sizeof(t));
 
     return (0);
 }
@@ -969,6 +996,12 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
                           int mode,
                           const unsigned char input[16],
                           unsigned char output[16]) {
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
+                     mode == MBEDTLS_AES_DECRYPT);
+
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
     if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
         return (mbedtls_aesni_crypt_ecb(ctx, mode, input, output));
@@ -1004,6 +1037,13 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
     int i;
     unsigned char temp[16];
 
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
+                     mode == MBEDTLS_AES_DECRYPT);
+    AES_VALIDATE_RET(iv != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+
     if (length % 16)
         return (MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH);
 
@@ -1055,30 +1095,30 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
 /* Endianess with 64 bits values */
 #ifndef GET_UINT64_LE
 #define GET_UINT64_LE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
-              | ( (uint64_t) (b)[(i) + 6] << 48 )             \
-              | ( (uint64_t) (b)[(i) + 5] << 40 )             \
-              | ( (uint64_t) (b)[(i) + 4] << 32 )             \
-              | ( (uint64_t) (b)[(i) + 3] << 24 )             \
-              | ( (uint64_t) (b)[(i) + 2] << 16 )             \
-              | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
-              | ( (uint64_t) (b)[(i)    ]       );            \
-    }
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
+        | ( (uint64_t) (b)[(i) + 6] << 48 )             \
+        | ( (uint64_t) (b)[(i) + 5] << 40 )             \
+        | ( (uint64_t) (b)[(i) + 4] << 32 )             \
+        | ( (uint64_t) (b)[(i) + 3] << 24 )             \
+        | ( (uint64_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint64_t) (b)[(i)    ]       );            \
+}
 #endif
 
 #ifndef PUT_UINT64_LE
 #define PUT_UINT64_LE(n,b,i)                            \
-    {                                                       \
-        (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
-        (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
-        (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
-        (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i)    ] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i)    ] = (unsigned char) ( (n)       );       \
+}
 #endif
 
 typedef unsigned char mbedtls_be128[16];
@@ -1114,18 +1154,25 @@ int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
                           const unsigned char data_unit[16],
                           const unsigned char *input,
                           unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t blocks = length / 16;
     size_t leftover = length % 16;
     unsigned char tweak[16];
     unsigned char prev_tweak[16];
     unsigned char tmp[16];
 
-    /* Sectors must be at least 16 bytes. */
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
+                     mode == MBEDTLS_AES_DECRYPT);
+    AES_VALIDATE_RET(data_unit != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+
+    /* Data units must be at least 16 bytes long. */
     if (length < 16)
         return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
 
-    /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
+    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
     if (length > (1 << 20) * 16)
         return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
 
@@ -1215,7 +1262,20 @@ int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
                              const unsigned char *input,
                              unsigned char *output) {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
+                     mode == MBEDTLS_AES_DECRYPT);
+    AES_VALIDATE_RET(iv_off != NULL);
+    AES_VALIDATE_RET(iv != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+
+    n = *iv_off;
+
+    if (n > 15)
+        return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
 
     if (mode == MBEDTLS_AES_DECRYPT) {
         while (length--) {
@@ -1256,6 +1316,12 @@ int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
     unsigned char c;
     unsigned char ov[17];
 
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
+                     mode == MBEDTLS_AES_DECRYPT);
+    AES_VALIDATE_RET(iv != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
     while (length--) {
         memcpy(ov, iv, 16);
         mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
@@ -1286,7 +1352,18 @@ int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
                           const unsigned char *input,
                           unsigned char *output) {
     int ret = 0;
-    size_t n = *iv_off;
+    size_t n;
+
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(iv_off != NULL);
+    AES_VALIDATE_RET(iv != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+
+    n = *iv_off;
+
+    if (n > 15)
+        return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
 
     while (length--) {
         if (n == 0) {
@@ -1318,7 +1395,16 @@ int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
                           const unsigned char *input,
                           unsigned char *output) {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+
+    AES_VALIDATE_RET(ctx != NULL);
+    AES_VALIDATE_RET(nc_off != NULL);
+    AES_VALIDATE_RET(nonce_counter != NULL);
+    AES_VALIDATE_RET(stream_block != NULL);
+    AES_VALIDATE_RET(input != NULL);
+    AES_VALIDATE_RET(output != NULL);
+
+    n = *nc_off;
 
     if (n > 0x0F)
         return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
@@ -1772,7 +1858,7 @@ int mbedtls_aes_self_test(int verbose) {
         mode = i & 1;
 
         if (verbose != 0)
-            mbedtls_printf("  AES-ECB-%3d (%s): ", keybits,
+            mbedtls_printf("  AES-ECB-%3u (%s): ", keybits,
                            (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
 
         memset(buf, 0, 16);
@@ -1790,7 +1876,7 @@ int mbedtls_aes_self_test(int verbose) {
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if (ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192) {
+        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
             mbedtls_printf("skipped\n");
             continue;
         } else if (ret != 0) {
@@ -1825,7 +1911,7 @@ int mbedtls_aes_self_test(int verbose) {
         mode = i & 1;
 
         if (verbose != 0)
-            mbedtls_printf("  AES-CBC-%3d (%s): ", keybits,
+            mbedtls_printf("  AES-CBC-%3u (%s): ", keybits,
                            (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
 
         memset(iv, 0, 16);
@@ -1845,7 +1931,7 @@ int mbedtls_aes_self_test(int verbose) {
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if (ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192) {
+        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
             mbedtls_printf("skipped\n");
             continue;
         } else if (ret != 0) {
@@ -1890,7 +1976,7 @@ int mbedtls_aes_self_test(int verbose) {
         mode = i & 1;
 
         if (verbose != 0)
-            mbedtls_printf("  AES-CFB128-%3d (%s): ", keybits,
+            mbedtls_printf("  AES-CFB128-%3u (%s): ", keybits,
                            (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
 
         memcpy(iv,  aes_test_cfb128_iv, 16);
@@ -1903,7 +1989,7 @@ int mbedtls_aes_self_test(int verbose) {
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if (ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192) {
+        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
             mbedtls_printf("skipped\n");
             continue;
         } else if (ret != 0) {
@@ -1945,7 +2031,7 @@ int mbedtls_aes_self_test(int verbose) {
         mode = i & 1;
 
         if (verbose != 0)
-            mbedtls_printf("  AES-OFB-%3d (%s): ", keybits,
+            mbedtls_printf("  AES-OFB-%3u (%s): ", keybits,
                            (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
 
         memcpy(iv,  aes_test_ofb_iv, 16);
@@ -1958,7 +2044,7 @@ int mbedtls_aes_self_test(int verbose) {
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if (ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192) {
+        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
             mbedtls_printf("skipped\n");
             continue;
         } else if (ret != 0) {
diff --git a/common/mbedtls/aes.h b/common/mbedtls/aes.h
index 522bdb87e..0ca3a20db 100644
--- a/common/mbedtls/aes.h
+++ b/common/mbedtls/aes.h
@@ -20,31 +20,28 @@
  *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
  */
 
-/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
- *  SPDX-License-Identifier: GPL-2.0
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_AES_H
 #define MBEDTLS_AES_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -62,7 +59,11 @@
 
 /* Error codes in range 0x0021-0x0025 */
 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
 
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
@@ -117,7 +118,7 @@ typedef struct mbedtls_aes_xts_context {
  *                 It must be the first API called before using
  *                 the context.
  *
- * \param ctx      The AES context to initialize.
+ * \param ctx      The AES context to initialize. This must not be \c NULL.
  */
 void mbedtls_aes_init(mbedtls_aes_context *ctx);
 
@@ -125,6 +126,8 @@ void mbedtls_aes_init(mbedtls_aes_context *ctx);
  * \brief          This function releases and clears the specified AES context.
  *
  * \param ctx      The AES context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
  */
 void mbedtls_aes_free(mbedtls_aes_context *ctx);
 
@@ -135,7 +138,7 @@ void mbedtls_aes_free(mbedtls_aes_context *ctx);
  *                 It must be the first API called before using
  *                 the context.
  *
- * \param ctx      The AES XTS context to initialize.
+ * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
  */
 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx);
 
@@ -143,6 +146,8 @@ void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx);
  * \brief          This function releases and clears the specified AES XTS context.
  *
  * \param ctx      The AES XTS context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
  */
 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx);
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
@@ -151,7 +156,9 @@ void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx);
  * \brief          This function sets the encryption key.
  *
  * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The encryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of data passed in bits. Valid options are:
  *                 <ul><li>128 bits</li>
  *                 <li>192 bits</li>
@@ -167,7 +174,9 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
  * \brief          This function sets the decryption key.
  *
  * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The decryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of data passed. Valid options are:
  *                 <ul><li>128 bits</li>
  *                 <li>192 bits</li>
@@ -185,8 +194,10 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
  *                 sets the encryption key.
  *
  * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The encryption key. This is comprised of the XTS key1
  *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of \p key passed in bits. Valid options are:
  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
@@ -203,8 +214,10 @@ int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
  *                 sets the decryption key.
  *
  * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The decryption key. This is comprised of the XTS key1
  *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of \p key passed in bits. Valid options are:
  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
@@ -230,10 +243,13 @@ int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
  *                 call to this API with the same context.
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
- * \param input    The 16-Byte buffer holding the input data.
- * \param output   The 16-Byte buffer holding the output data.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and at least \c 16 Bytes long.
+ * \param output   The buffer where the output data will be written.
+ *                 It must be writeable and at least \c 16 Bytes long.
 
  * \return         \c 0 on success.
  */
@@ -256,8 +272,8 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
  *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
  *         before the first call to this API with the same context.
  *
- * \note   This function operates on aligned blocks, that is, the input size
- *         must be a multiple of the AES block size of 16 Bytes.
+ * \note   This function operates on full blocks, that is, the input size
+ *         must be a multiple of the AES block size of \c 16 Bytes.
  *
  * \note   Upon exit, the content of the IV is updated so that you can
  *         call the same function again on the next
@@ -268,13 +284,17 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
  * \param length   The length of the input data in Bytes. This must be a
- *                 multiple of the block size (16 Bytes).
+ *                 multiple of the block size (\c 16 Bytes).
  * \param iv       Initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
@@ -302,9 +322,10 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
  *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
  *
  * \param ctx          The AES XTS context to use for AES XTS operations.
+ *                     It must be initialized and bound to a key.
  * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                     #MBEDTLS_AES_DECRYPT.
- * \param length       The length of a data unit in bytes. This can be any
+ * \param length       The length of a data unit in Bytes. This can be any
  *                     length between 16 bytes and 2^24 bytes inclusive
  *                     (between 1 and 2^20 block cipher blocks).
  * \param data_unit    The address of the data unit encoded as an array of 16
@@ -312,15 +333,15 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
  *                     is typically the index of the block device sector that
  *                     contains the data.
  * \param input        The buffer holding the input data (which is an entire
- *                     data unit). This function reads \p length bytes from \p
+ *                     data unit). This function reads \p length Bytes from \p
  *                     input.
  * \param output       The buffer holding the output data (which is an entire
- *                     data unit). This function writes \p length bytes to \p
+ *                     data unit). This function writes \p length Bytes to \p
  *                     output.
  *
  * \return             \c 0 on success.
  * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
- *                     smaller than an AES block in size (16 bytes) or if \p
+ *                     smaller than an AES block in size (16 Bytes) or if \p
  *                     length is larger than 2^20 blocks (16 MiB).
  */
 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
@@ -356,13 +377,18 @@ int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
- * \param length   The length of the input data.
+ * \param length   The length of the input data in Bytes.
  * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
  * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  */
@@ -397,12 +423,16 @@ int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT
  * \param length   The length of the input data.
  * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  */
@@ -447,11 +477,16 @@ int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
  *              will compromise security.
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param length   The length of the input data.
  * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
  * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  */
@@ -523,15 +558,21 @@ int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
  *             securely discarded as soon as it's no longer needed.
  *
  * \param ctx              The AES context to use for encryption or decryption.
+ *                         It must be initialized and bound to a key.
  * \param length           The length of the input data.
  * \param nc_off           The offset in the current \p stream_block, for
  *                         resuming within the current cipher stream. The
  *                         offset pointer should be 0 at the start of a stream.
+ *                         It must point to a valid \c size_t.
  * \param nonce_counter    The 128-bit nonce and counter.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
  * \param stream_block     The saved stream block for resuming. This is
  *                         overwritten by the function.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
  * \param input            The buffer holding the input data.
+ *                         It must be readable and of size \p length Bytes.
  * \param output           The buffer holding the output data.
+ *                         It must be writeable and of size \p length Bytes.
  *
  * \return                 \c 0 on success.
  */
@@ -584,7 +625,7 @@ int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
  * \brief           Deprecated internal AES block encryption function
  *                  without return value.
  *
- * \deprecated      Superseded by mbedtls_aes_encrypt_ext() in 2.5.0.
+ * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
  *
  * \param ctx       The AES context to use for encryption.
  * \param input     Plaintext block.
@@ -598,7 +639,7 @@ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt(mbedtls_aes_context *ctx,
  * \brief           Deprecated internal AES block decryption function
  *                  without return value.
  *
- * \deprecated      Superseded by mbedtls_aes_decrypt_ext() in 2.5.0.
+ * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
  *
  * \param ctx       The AES context to use for decryption.
  * \param input     Ciphertext block.
@@ -611,6 +652,8 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+
+#if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine.
  *
@@ -619,6 +662,8 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
  */
 int mbedtls_aes_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/aesni.c b/common/mbedtls/aesni.c
new file mode 100644
index 000000000..7a89a298b
--- /dev/null
+++ b/common/mbedtls/aesni.c
@@ -0,0 +1,460 @@
+/*
+ *  AES-NI support functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
+ * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_AESNI_C)
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
+#include "mbedtls/aesni.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support(unsigned int what) {
+    static int done = 0;
+    static unsigned int c = 0;
+
+    if (! done) {
+        asm("movl  $1, %%eax   \n\t"
+            "cpuid             \n\t"
+            : "=c"(c)
+            :
+            : "eax", "ebx", "edx");
+        done = 1;
+    }
+
+    return ((c & what) != 0);
+}
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC      ".byte 0x66,0x0F,0x38,0xDE,"
+#define AESDECLAST  ".byte 0x66,0x0F,0x38,0xDF,"
+#define AESENC      ".byte 0x66,0x0F,0x38,0xDC,"
+#define AESENCLAST  ".byte 0x66,0x0F,0x38,0xDD,"
+#define AESIMC      ".byte 0x66,0x0F,0x38,0xDB,"
+#define AESKEYGENA  ".byte 0x66,0x0F,0x3A,0xDF,"
+#define PCLMULQDQ   ".byte 0x66,0x0F,0x3A,0x44,"
+
+#define xmm0_xmm0   "0xC0"
+#define xmm0_xmm1   "0xC8"
+#define xmm0_xmm2   "0xD0"
+#define xmm0_xmm3   "0xD8"
+#define xmm0_xmm4   "0xE0"
+#define xmm1_xmm0   "0xC1"
+#define xmm1_xmm2   "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+                            int mode,
+                            const unsigned char input[16],
+                            unsigned char output[16]) {
+    asm("movdqu    (%3), %%xmm0    \n\t"  // load input
+        "movdqu    (%1), %%xmm1    \n\t" // load round key 0
+        "pxor      %%xmm1, %%xmm0  \n\t" // round 0
+        "add       $16, %1         \n\t" // point to next round key
+        "subl      $1, %0          \n\t" // normal rounds = nr - 1
+        "test      %2, %2          \n\t" // mode?
+        "jz        2f              \n\t" // 0 = decrypt
+
+        "1:                        \n\t" // encryption loop
+        "movdqu    (%1), %%xmm1    \n\t" // load round key
+        AESENC     xmm1_xmm0      "\n\t" // do round
+        "add       $16, %1         \n\t" // point to next round key
+        "subl      $1, %0          \n\t" // loop
+        "jnz       1b              \n\t"
+        "movdqu    (%1), %%xmm1    \n\t" // load round key
+        AESENCLAST xmm1_xmm0      "\n\t" // last round
+        "jmp       3f              \n\t"
+
+        "2:                        \n\t" // decryption loop
+        "movdqu    (%1), %%xmm1    \n\t"
+        AESDEC     xmm1_xmm0      "\n\t" // do round
+        "add       $16, %1         \n\t"
+        "subl      $1, %0          \n\t"
+        "jnz       2b              \n\t"
+        "movdqu    (%1), %%xmm1    \n\t" // load round key
+        AESDECLAST xmm1_xmm0      "\n\t" // last round
+
+        "3:                        \n\t"
+        "movdqu    %%xmm0, (%4)    \n\t" // export output
+        :
+        : "r"(ctx->nr), "r"(ctx->rk), "r"(mode), "r"(input), "r"(output)
+        : "memory", "cc", "xmm0", "xmm1");
+
+
+    return (0);
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+                            const unsigned char a[16],
+                            const unsigned char b[16]) {
+    unsigned char aa[16], bb[16], cc[16];
+    size_t i;
+
+    /* The inputs are in big-endian order, so byte-reverse them */
+    for (i = 0; i < 16; i++) {
+        aa[i] = a[15 - i];
+        bb[i] = b[15 - i];
+    }
+
+    asm("movdqu (%0), %%xmm0               \n\t"  // a1:a0
+        "movdqu (%1), %%xmm1               \n\t" // b1:b0
+
+        /*
+         * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+         * using [CLMUL-WP] algorithm 1 (p. 13).
+         */
+        "movdqa %%xmm1, %%xmm2             \n\t" // copy of b1:b0
+        "movdqa %%xmm1, %%xmm3             \n\t" // same
+        "movdqa %%xmm1, %%xmm4             \n\t" // same
+        PCLMULQDQ xmm0_xmm1 ",0x00         \n\t" // a0*b0 = c1:c0
+        PCLMULQDQ xmm0_xmm2 ",0x11         \n\t" // a1*b1 = d1:d0
+        PCLMULQDQ xmm0_xmm3 ",0x10         \n\t" // a0*b1 = e1:e0
+        PCLMULQDQ xmm0_xmm4 ",0x01         \n\t" // a1*b0 = f1:f0
+        "pxor %%xmm3, %%xmm4               \n\t" // e1+f1:e0+f0
+        "movdqa %%xmm4, %%xmm3             \n\t" // same
+        "psrldq $8, %%xmm4                 \n\t" // 0:e1+f1
+        "pslldq $8, %%xmm3                 \n\t" // e0+f0:0
+        "pxor %%xmm4, %%xmm2               \n\t" // d1:d0+e1+f1
+        "pxor %%xmm3, %%xmm1               \n\t" // c1+e0+f1:c0
+
+        /*
+         * Now shift the result one bit to the left,
+         * taking advantage of [CLMUL-WP] eq 27 (p. 20)
+         */
+        "movdqa %%xmm1, %%xmm3             \n\t" // r1:r0
+        "movdqa %%xmm2, %%xmm4             \n\t" // r3:r2
+        "psllq $1, %%xmm1                  \n\t" // r1<<1:r0<<1
+        "psllq $1, %%xmm2                  \n\t" // r3<<1:r2<<1
+        "psrlq $63, %%xmm3                 \n\t" // r1>>63:r0>>63
+        "psrlq $63, %%xmm4                 \n\t" // r3>>63:r2>>63
+        "movdqa %%xmm3, %%xmm5             \n\t" // r1>>63:r0>>63
+        "pslldq $8, %%xmm3                 \n\t" // r0>>63:0
+        "pslldq $8, %%xmm4                 \n\t" // r2>>63:0
+        "psrldq $8, %%xmm5                 \n\t" // 0:r1>>63
+        "por %%xmm3, %%xmm1                \n\t" // r1<<1|r0>>63:r0<<1
+        "por %%xmm4, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1
+        "por %%xmm5, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+        /*
+         * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+         * using [CLMUL-WP] algorithm 5 (p. 20).
+         * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+         */
+        /* Step 2 (1) */
+        "movdqa %%xmm1, %%xmm3             \n\t" // x1:x0
+        "movdqa %%xmm1, %%xmm4             \n\t" // same
+        "movdqa %%xmm1, %%xmm5             \n\t" // same
+        "psllq $63, %%xmm3                 \n\t" // x1<<63:x0<<63 = stuff:a
+        "psllq $62, %%xmm4                 \n\t" // x1<<62:x0<<62 = stuff:b
+        "psllq $57, %%xmm5                 \n\t" // x1<<57:x0<<57 = stuff:c
+
+        /* Step 2 (2) */
+        "pxor %%xmm4, %%xmm3               \n\t" // stuff:a+b
+        "pxor %%xmm5, %%xmm3               \n\t" // stuff:a+b+c
+        "pslldq $8, %%xmm3                 \n\t" // a+b+c:0
+        "pxor %%xmm3, %%xmm1               \n\t" // x1+a+b+c:x0 = d:x0
+
+        /* Steps 3 and 4 */
+        "movdqa %%xmm1,%%xmm0              \n\t" // d:x0
+        "movdqa %%xmm1,%%xmm4              \n\t" // same
+        "movdqa %%xmm1,%%xmm5              \n\t" // same
+        "psrlq $1, %%xmm0                  \n\t" // e1:x0>>1 = e1:e0'
+        "psrlq $2, %%xmm4                  \n\t" // f1:x0>>2 = f1:f0'
+        "psrlq $7, %%xmm5                  \n\t" // g1:x0>>7 = g1:g0'
+        "pxor %%xmm4, %%xmm0               \n\t" // e1+f1:e0'+f0'
+        "pxor %%xmm5, %%xmm0               \n\t" // e1+f1+g1:e0'+f0'+g0'
+        // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+        // bits carried from d. Now get those\t bits back in.
+        "movdqa %%xmm1,%%xmm3              \n\t" // d:x0
+        "movdqa %%xmm1,%%xmm4              \n\t" // same
+        "movdqa %%xmm1,%%xmm5              \n\t" // same
+        "psllq $63, %%xmm3                 \n\t" // d<<63:stuff
+        "psllq $62, %%xmm4                 \n\t" // d<<62:stuff
+        "psllq $57, %%xmm5                 \n\t" // d<<57:stuff
+        "pxor %%xmm4, %%xmm3               \n\t" // d<<63+d<<62:stuff
+        "pxor %%xmm5, %%xmm3               \n\t" // missing bits of d:stuff
+        "psrldq $8, %%xmm3                 \n\t" // 0:missing bits of d
+        "pxor %%xmm3, %%xmm0               \n\t" // e1+f1+g1:e0+f0+g0
+        "pxor %%xmm1, %%xmm0               \n\t" // h1:h0
+        "pxor %%xmm2, %%xmm0               \n\t" // x3+h1:x2+h0
+
+        "movdqu %%xmm0, (%2)               \n\t" // done
+        :
+        : "r"(aa), "r"(bb), "r"(cc)
+        : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5");
+
+    /* Now byte-reverse the outputs */
+    for (i = 0; i < 16; i++)
+        c[i] = cc[15 - i];
+
+    return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+                               const unsigned char *fwdkey, int nr) {
+    unsigned char *ik = invkey;
+    const unsigned char *fk = fwdkey + 16 * nr;
+
+    memcpy(ik, fk, 16);
+
+    for (fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16)
+        asm("movdqu (%0), %%xmm0       \n\t"
+            AESIMC  xmm0_xmm0         "\n\t"
+            "movdqu %%xmm0, (%1)       \n\t"
+            :
+            : "r"(fk), "r"(ik)
+            : "memory", "xmm0");
+
+    memcpy(ik, fk, 16);
+}
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128(unsigned char *rk,
+                                 const unsigned char *key) {
+    asm("movdqu (%1), %%xmm0               \n\t"  // copy the original key
+        "movdqu %%xmm0, (%0)               \n\t" // as round key 0
+        "jmp 2f                            \n\t" // skip auxiliary routine
+
+        /*
+         * Finish generating the next round key.
+         *
+         * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+         * with X = rot( sub( r3 ) ) ^ RCON.
+         *
+         * On exit, xmm0 is r7:r6:r5:r4
+         * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+         * and those are written to the round key buffer.
+         */
+        "1:                                \n\t"
+        "pshufd $0xff, %%xmm1, %%xmm1      \n\t" // X:X:X:X
+        "pxor %%xmm0, %%xmm1               \n\t" // X+r3:X+r2:X+r1:r4
+        "pslldq $4, %%xmm0                 \n\t" // r2:r1:r0:0
+        "pxor %%xmm0, %%xmm1               \n\t" // X+r3+r2:X+r2+r1:r5:r4
+        "pslldq $4, %%xmm0                 \n\t" // etc
+        "pxor %%xmm0, %%xmm1               \n\t"
+        "pslldq $4, %%xmm0                 \n\t"
+        "pxor %%xmm1, %%xmm0               \n\t" // update xmm0 for next time!
+        "add $16, %0                       \n\t" // point to next round key
+        "movdqu %%xmm0, (%0)               \n\t" // write it
+        "ret                               \n\t"
+
+        /* Main "loop" */
+        "2:                                \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x01        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x02        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x04        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x08        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x10        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x20        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x40        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x80        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x1B        \n\tcall 1b \n\t"
+        AESKEYGENA xmm0_xmm1 ",0x36        \n\tcall 1b \n\t"
+        :
+        : "r"(rk), "r"(key)
+        : "memory", "cc", "0");
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+static void aesni_setkey_enc_192(unsigned char *rk,
+                                 const unsigned char *key) {
+    asm("movdqu (%1), %%xmm0   \n\t"  // copy original round key
+        "movdqu %%xmm0, (%0)   \n\t"
+        "add $16, %0           \n\t"
+        "movq 16(%1), %%xmm1   \n\t"
+        "movq %%xmm1, (%0)     \n\t"
+        "add $8, %0            \n\t"
+        "jmp 2f                \n\t" // skip auxiliary routine
+
+        /*
+         * Finish generating the next 6 quarter-keys.
+         *
+         * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+         * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+         *
+         * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+         * and those are written to the round key buffer.
+         */
+        "1:                            \n\t"
+        "pshufd $0x55, %%xmm2, %%xmm2  \n\t" // X:X:X:X
+        "pxor %%xmm0, %%xmm2           \n\t" // X+r3:X+r2:X+r1:r4
+        "pslldq $4, %%xmm0             \n\t" // etc
+        "pxor %%xmm0, %%xmm2           \n\t"
+        "pslldq $4, %%xmm0             \n\t"
+        "pxor %%xmm0, %%xmm2           \n\t"
+        "pslldq $4, %%xmm0             \n\t"
+        "pxor %%xmm2, %%xmm0           \n\t" // update xmm0 = r9:r8:r7:r6
+        "movdqu %%xmm0, (%0)           \n\t"
+        "add $16, %0                   \n\t"
+        "pshufd $0xff, %%xmm0, %%xmm2  \n\t" // r9:r9:r9:r9
+        "pxor %%xmm1, %%xmm2           \n\t" // stuff:stuff:r9+r5:r10
+        "pslldq $4, %%xmm1             \n\t" // r2:r1:r0:0
+        "pxor %%xmm2, %%xmm1           \n\t" // xmm1 = stuff:stuff:r11:r10
+        "movq %%xmm1, (%0)             \n\t"
+        "add $8, %0                    \n\t"
+        "ret                           \n\t"
+
+        "2:                            \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x01    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x02    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x04    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x08    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x10    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x20    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x40    \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x80    \n\tcall 1b \n\t"
+
+        :
+        : "r"(rk), "r"(key)
+        : "memory", "cc", "0");
+}
+
+/*
+ * Key expansion, 256-bit case
+ */
+static void aesni_setkey_enc_256(unsigned char *rk,
+                                 const unsigned char *key) {
+    asm("movdqu (%1), %%xmm0           \n\t"
+        "movdqu %%xmm0, (%0)           \n\t"
+        "add $16, %0                   \n\t"
+        "movdqu 16(%1), %%xmm1         \n\t"
+        "movdqu %%xmm1, (%0)           \n\t"
+        "jmp 2f                        \n\t" // skip auxiliary routine
+
+        /*
+         * Finish generating the next two round keys.
+         *
+         * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+         * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+         *
+         * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+         * and those have been written to the output buffer.
+         */
+        "1:                                \n\t"
+        "pshufd $0xff, %%xmm2, %%xmm2      \n\t"
+        "pxor %%xmm0, %%xmm2               \n\t"
+        "pslldq $4, %%xmm0                 \n\t"
+        "pxor %%xmm0, %%xmm2               \n\t"
+        "pslldq $4, %%xmm0                 \n\t"
+        "pxor %%xmm0, %%xmm2               \n\t"
+        "pslldq $4, %%xmm0                 \n\t"
+        "pxor %%xmm2, %%xmm0               \n\t"
+        "add $16, %0                       \n\t"
+        "movdqu %%xmm0, (%0)               \n\t"
+
+        /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+         * and proceed to generate next round key from there */
+        AESKEYGENA xmm0_xmm2 ",0x00        \n\t"
+        "pshufd $0xaa, %%xmm2, %%xmm2      \n\t"
+        "pxor %%xmm1, %%xmm2               \n\t"
+        "pslldq $4, %%xmm1                 \n\t"
+        "pxor %%xmm1, %%xmm2               \n\t"
+        "pslldq $4, %%xmm1                 \n\t"
+        "pxor %%xmm1, %%xmm2               \n\t"
+        "pslldq $4, %%xmm1                 \n\t"
+        "pxor %%xmm2, %%xmm1               \n\t"
+        "add $16, %0                       \n\t"
+        "movdqu %%xmm1, (%0)               \n\t"
+        "ret                               \n\t"
+
+        /*
+         * Main "loop" - Generating one more key than necessary,
+         * see definition of mbedtls_aes_context.buf
+         */
+        "2:                                \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x01        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x02        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x04        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x08        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x10        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x20        \n\tcall 1b \n\t"
+        AESKEYGENA xmm1_xmm2 ",0x40        \n\tcall 1b \n\t"
+        :
+        : "r"(rk), "r"(key)
+        : "memory", "cc", "0");
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+                             const unsigned char *key,
+                             size_t bits) {
+    switch (bits) {
+        case 128:
+            aesni_setkey_enc_128(rk, key);
+            break;
+        case 192:
+            aesni_setkey_enc_192(rk, key);
+            break;
+        case 256:
+            aesni_setkey_enc_256(rk, key);
+            break;
+        default :
+            return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
+    }
+
+    return (0);
+}
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_C */
diff --git a/common/mbedtls/aesni.h b/common/mbedtls/aesni.h
new file mode 100644
index 000000000..ea2c6b85f
--- /dev/null
+++ b/common/mbedtls/aesni.h
@@ -0,0 +1,136 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/aes.h"
+
+#define MBEDTLS_AESNI_AES      0x02000000u
+#define MBEDTLS_AESNI_CLMUL    0x00000002u
+
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) &&  \
+    ( defined(__amd64__) || defined(__x86_64__) )   &&  \
+    ! defined(MBEDTLS_HAVE_X86_64)
+#define MBEDTLS_HAVE_X86_64
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param what     The feature to detect
+ *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesni_has_support(unsigned int what);
+
+/**
+ * \brief          Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+                            int mode,
+                            const unsigned char input[16],
+                            unsigned char output[16]);
+
+/**
+ * \brief          Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param c        Result
+ * \param a        First operand
+ * \param b        Second operand
+ *
+ * \note           Both operands and result are bit strings interpreted as
+ *                 elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+                            const unsigned char a[16],
+                            const unsigned char b[16]);
+
+/**
+ * \brief           Internal round key inversion. This function computes
+ *                  decryption round keys from the encryption round keys.
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param invkey    Round keys for the equivalent inverse cipher
+ * \param fwdkey    Original round keys (for encryption)
+ * \param nr        Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+                               const unsigned char *fwdkey,
+                               int nr);
+
+/**
+ * \brief           Internal key expansion for encryption
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param rk        Destination buffer where the round keys are written
+ * \param key       Encryption key
+ * \param bits      Key size in bits (must be 128, 192 or 256)
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+                             const unsigned char *key,
+                             size_t bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_H */
diff --git a/common/mbedtls/arc4.c b/common/mbedtls/arc4.c
index 0b245b0c4..9a7cfff6f 100644
--- a/common/mbedtls/arc4.c
+++ b/common/mbedtls/arc4.c
@@ -1,24 +1,20 @@
 /*
  *  An implementation of the ARCFOUR algorithm
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The ARCFOUR algorithm was publicly disclosed on 94/09.
@@ -26,11 +22,7 @@
  *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ARC4_C)
 
diff --git a/common/mbedtls/arc4.h b/common/mbedtls/arc4.h
index 4c0a4ca57..bef4b4a09 100644
--- a/common/mbedtls/arc4.h
+++ b/common/mbedtls/arc4.h
@@ -7,37 +7,34 @@
  *            security risk. We recommend considering stronger ciphers instead.
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  *
  */
 #ifndef MBEDTLS_ARC4_H
 #define MBEDTLS_ARC4_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
 #include <stddef.h>
 
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -123,6 +120,8 @@ void mbedtls_arc4_setup(mbedtls_arc4_context *ctx, const unsigned char *key,
 int mbedtls_arc4_crypt(mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
                        unsigned char *output);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -135,6 +134,8 @@ int mbedtls_arc4_crypt(mbedtls_arc4_context *ctx, size_t length, const unsigned
  */
 int mbedtls_arc4_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/aria.c b/common/mbedtls/aria.c
new file mode 100644
index 000000000..119ba02fb
--- /dev/null
+++ b/common/mbedtls/aria.c
@@ -0,0 +1,1041 @@
+/*
+ *  ARIA implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define ARIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
+#define ARIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i )                \
+{                                               \
+    (n) = ( (uint32_t) (b)[(i)    ]       )     \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )     \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );    \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p1(uint32_t x) {
+    uint32_t r;
+    __asm("rev16 %0, %1" : "=l"(r) : "l"(x));
+    return (r);
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p1(uint32_t x) {
+    uint32_t r;
+    __asm("rev16 r, x");
+    return (r);
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ *
+ * Some compilers fail to translate this to a single instruction,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p3(uint32_t x) {
+    uint32_t r;
+    __asm("rev %0, %1" : "=l"(r) : "l"(x));
+    return (r);
+}
+#define ARIA_P3 aria_p3
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p3(uint32_t x) {
+    uint32_t r;
+    __asm("rev r, x");
+    return (r);
+}
+#define ARIA_P3 aria_p3
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+static inline uint32_t aria_p3(uint32_t x) {
+    __asm("bswap %0" : "=r"(x) : "0"(x));
+    return (x);
+}
+#define ARIA_P3 aria_p3
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P3)
+#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
+#endif
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a(uint32_t *a, uint32_t *b,
+                          uint32_t *c, uint32_t *d) {
+    uint32_t ta, tb, tc;
+    ta  =  *b;                      // 4567
+    *b  =  *a;                      // 0123
+    *a  =  ARIA_P2(ta);             // 6745
+    tb  =  ARIA_P2(*d);             // efcd
+    *d  =  ARIA_P1(*c);             // 98ba
+    *c  =  ARIA_P1(tb);             // fedc
+    ta  ^= *d;                      // 4567+98ba
+    tc  =  ARIA_P2(*b);             // 2301
+    ta  =  ARIA_P1(ta) ^ tc ^ *c;   // 2301+5476+89ab+fedc
+    tb  ^= ARIA_P2(*d);             // ba98+efcd
+    tc  ^= ARIA_P1(*a);             // 2301+7654
+    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+    tb  =  ARIA_P2(tb) ^ ta;        // 2301+5476+89ab+98ba+cdef+fedc
+    *a  ^= ARIA_P1(tb);             // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+    ta  =  ARIA_P2(ta);             // 0123+7654+ab89+dcfe
+    *d  ^= ARIA_P1(ta) ^ tc;        // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+    tc  =  ARIA_P2(tc);             // 0123+5476
+    *c  ^= ARIA_P1(tc) ^ ta;        // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl(uint32_t *a, uint32_t *b,
+                           uint32_t *c, uint32_t *d,
+                           const uint8_t sa[256], const uint8_t sb[256],
+                           const uint8_t sc[256], const uint8_t sd[256]) {
+    *a = ((uint32_t) sa[ *a        & 0xFF]) ^
+         (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *a >> 24        ]) << 24);
+    *b = ((uint32_t) sa[ *b        & 0xFF]) ^
+         (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *b >> 24        ]) << 24);
+    *c = ((uint32_t) sa[ *c        & 0xFF]) ^
+         (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *c >> 24        ]) << 24);
+    *d = ((uint32_t) sa[ *d        & 0xFF]) ^
+         (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *d >> 24        ]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] = {
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+    0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] = {
+    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+    0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] = {
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+    0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] = {
+    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+    0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
+                        const uint32_t k[4], const uint32_t x[4]) {
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+    aria_a(&a, &b, &c, &d);
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
+                        const uint32_t k[4], const uint32_t x[4]) {
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+    aria_a(&a, &b, &c, &d);
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * GET/PUT_UINT32_LE) so we need to reverse bytes here.
+ */
+static void aria_rot128(uint32_t r[4], const uint32_t a[4],
+                        const uint32_t b[4], uint8_t n) {
+    uint8_t i, j;
+    uint32_t t, u;
+
+    const uint8_t n1 = n % 32;              // bit offset
+    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
+
+    j = (n / 32) % 4;                       // initial word offset
+    t = ARIA_P3(b[j]);                      // big endian
+    for (i = 0; i < 4; i++) {
+        j = (j + 1) % 4;                    // get next word, big endian
+        u = ARIA_P3(b[j]);
+        t <<= n1;                           // rotate
+        t |= u >> n2;
+        t = ARIA_P3(t);                     // back to little endian
+        r[i] = a[i] ^ t;                    // store
+        t = u;                              // move to next word
+    }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
+                            const unsigned char *key, unsigned int keybits) {
+    /* round constant masks */
+    const uint32_t rc[3][4] = {
+        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
+        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
+        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
+    };
+
+    int i;
+    uint32_t w[4][4], *w2;
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(key != NULL);
+
+    if (keybits != 128 && keybits != 192 && keybits != 256)
+        return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
+
+    /* Copy key to W0 (and potential remainder to W1) */
+    GET_UINT32_LE(w[0][0], key,  0);
+    GET_UINT32_LE(w[0][1], key,  4);
+    GET_UINT32_LE(w[0][2], key,  8);
+    GET_UINT32_LE(w[0][3], key, 12);
+
+    memset(w[1], 0, 16);
+    if (keybits >= 192) {
+        GET_UINT32_LE(w[1][0], key, 16);    // 192 bit key
+        GET_UINT32_LE(w[1][1], key, 20);
+    }
+    if (keybits == 256) {
+        GET_UINT32_LE(w[1][2], key, 24);    // 256 bit key
+        GET_UINT32_LE(w[1][3], key, 28);
+    }
+
+    i = (keybits - 128) >> 6;               // index: 0, 1, 2
+    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
+
+    aria_fo_xor(w[1], w[0], rc[i], w[1]);   // W1 = FO(W0, CK1) ^ KR
+    i = i < 2 ? i + 1 : 0;
+    aria_fe_xor(w[2], w[1], rc[i], w[0]);   // W2 = FE(W1, CK2) ^ W0
+    i = i < 2 ? i + 1 : 0;
+    aria_fo_xor(w[3], w[2], rc[i], w[1]);   // W3 = FO(W2, CK3) ^ W1
+
+    for (i = 0; i < 4; i++) {               // create round keys
+        w2 = w[(i + 1) & 3];
+        aria_rot128(ctx->rk[i     ], w[i], w2, 128 - 19);
+        aria_rot128(ctx->rk[i +  4], w[i], w2, 128 - 31);
+        aria_rot128(ctx->rk[i +  8], w[i], w2,       61);
+        aria_rot128(ctx->rk[i + 12], w[i], w2,       31);
+    }
+    aria_rot128(ctx->rk[16], w[0], w[1], 19);
+
+    /* w holds enough info to reconstruct the round keys */
+    mbedtls_platform_zeroize(w, sizeof(w));
+
+    return (0);
+}
+
+/*
+ * Set decryption key
+ */
+int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
+                            const unsigned char *key, unsigned int keybits) {
+    int i, j, k, ret;
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(key != NULL);
+
+    ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
+    if (ret != 0)
+        return (ret);
+
+    /* flip the order of round keys */
+    for (i = 0, j = ctx->nr; i < j; i++, j--) {
+        for (k = 0; k < 4; k++) {
+            uint32_t t = ctx->rk[i][k];
+            ctx->rk[i][k] = ctx->rk[j][k];
+            ctx->rk[j][k] = t;
+        }
+    }
+
+    /* apply affine transform to middle keys */
+    for (i = 1; i < ctx->nr; i++) {
+        aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
+               &ctx->rk[i][2], &ctx->rk[i][3]);
+    }
+
+    return (0);
+}
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
+                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) {
+    int i;
+
+    uint32_t a, b, c, d;
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(input != NULL);
+    ARIA_VALIDATE_RET(output != NULL);
+
+    GET_UINT32_LE(a, input,  0);
+    GET_UINT32_LE(b, input,  4);
+    GET_UINT32_LE(c, input,  8);
+    GET_UINT32_LE(d, input, 12);
+
+    i = 0;
+    while (1) {
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+        aria_a(&a, &b, &c, &d);
+
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+        if (i >= ctx->nr)
+            break;
+        aria_a(&a, &b, &c, &d);
+    }
+
+    /* final key mixing */
+    a ^= ctx->rk[i][0];
+    b ^= ctx->rk[i][1];
+    c ^= ctx->rk[i][2];
+    d ^= ctx->rk[i][3];
+
+    PUT_UINT32_LE(a, output,  0);
+    PUT_UINT32_LE(b, output,  4);
+    PUT_UINT32_LE(c, output,  8);
+    PUT_UINT32_LE(d, output, 12);
+
+    return (0);
+}
+
+/* Initialize context */
+void mbedtls_aria_init(mbedtls_aria_context *ctx) {
+    ARIA_VALIDATE(ctx != NULL);
+    memset(ctx, 0, sizeof(mbedtls_aria_context));
+}
+
+/* Clear context */
+void mbedtls_aria_free(mbedtls_aria_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
+                           int mode,
+                           size_t length,
+                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                           const unsigned char *input,
+                           unsigned char *output) {
+    int i;
+    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
+                      mode == MBEDTLS_ARIA_DECRYPT);
+    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
+    ARIA_VALIDATE_RET(length == 0 || output != NULL);
+    ARIA_VALIDATE_RET(iv != NULL);
+
+    if (length % MBEDTLS_ARIA_BLOCKSIZE)
+        return (MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH);
+
+    if (mode == MBEDTLS_ARIA_DECRYPT) {
+        while (length > 0) {
+            memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
+            mbedtls_aria_crypt_ecb(ctx, input, output);
+
+            for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
+                output[i] = (unsigned char)(output[i] ^ iv[i]);
+
+            memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    } else {
+        while (length > 0) {
+            for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
+                output[i] = (unsigned char)(input[i] ^ iv[i]);
+
+            mbedtls_aria_crypt_ecb(ctx, output, output);
+            memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
+                              int mode,
+                              size_t length,
+                              size_t *iv_off,
+                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                              const unsigned char *input,
+                              unsigned char *output) {
+    unsigned char c;
+    size_t n;
+
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
+                      mode == MBEDTLS_ARIA_DECRYPT);
+    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
+    ARIA_VALIDATE_RET(length == 0 || output != NULL);
+    ARIA_VALIDATE_RET(iv != NULL);
+    ARIA_VALIDATE_RET(iv_off != NULL);
+
+    n = *iv_off;
+
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if (n >= MBEDTLS_ARIA_BLOCKSIZE)
+        return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
+
+    if (mode == MBEDTLS_ARIA_DECRYPT) {
+        while (length--) {
+            if (n == 0)
+                mbedtls_aria_crypt_ecb(ctx, iv, iv);
+
+            c = *input++;
+            *output++ = c ^ iv[n];
+            iv[n] = c;
+
+            n = (n + 1) & 0x0F;
+        }
+    } else {
+        while (length--) {
+            if (n == 0)
+                mbedtls_aria_crypt_ecb(ctx, iv, iv);
+
+            iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
+
+            n = (n + 1) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return (0);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
+                           size_t length,
+                           size_t *nc_off,
+                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                           const unsigned char *input,
+                           unsigned char *output) {
+    int c, i;
+    size_t n;
+
+    ARIA_VALIDATE_RET(ctx != NULL);
+    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
+    ARIA_VALIDATE_RET(length == 0 || output != NULL);
+    ARIA_VALIDATE_RET(nonce_counter != NULL);
+    ARIA_VALIDATE_RET(stream_block  != NULL);
+    ARIA_VALIDATE_RET(nc_off != NULL);
+
+    n = *nc_off;
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if (n >= MBEDTLS_ARIA_BLOCKSIZE)
+        return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
+
+    while (length--) {
+        if (n == 0) {
+            mbedtls_aria_crypt_ecb(ctx, nonce_counter,
+                                   stream_block);
+
+            for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--)
+                if (++nonce_counter[i - 1] != 0)
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)(c ^ stream_block[n]);
+
+        n = (n + 1) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return (0);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] = {         // test key
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
+    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = {          // plaintext
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
+    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = {       // ciphertext
+    {
+        0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
+        0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78
+    },
+    {
+        0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
+        0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79
+    },
+    {
+        0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
+        0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC
+    }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA"  Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] = {
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] = {
+    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
+    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = {
+    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
+    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] = {       // CBC ciphertext
+    {
+        0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
+        0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+        0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+        0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+        0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+        0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15
+    },
+    {
+        0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
+        0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+        0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+        0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+        0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+        0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e
+    },
+    {
+        0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
+        0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+        0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+        0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+        0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+        0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] = {       // CFB ciphertext
+    {
+        0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
+        0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+        0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+        0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+        0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+        0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b
+    },
+    {
+        0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
+        0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+        0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+        0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+        0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+        0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b
+    },
+    {
+        0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
+        0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+        0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+        0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+        0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+        0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] = {       // CTR ciphertext
+    {
+        0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
+        0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+        0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+        0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+        0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+        0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3
+    },
+    {
+        0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
+        0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+        0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+        0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+        0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+        0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf
+    },
+    {
+        0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
+        0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+        0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+        0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+        0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+        0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_IF_FAIL              \
+        {                                   \
+            if( verbose )                   \
+                mbedtls_printf( "failed\n" );       \
+            return( 1 );                    \
+        } else {                            \
+            if( verbose )                   \
+                mbedtls_printf( "passed\n" );       \
+        }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test(int verbose) {
+    int i;
+    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+    size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+     defined(MBEDTLS_CIPHER_MODE_CFB) || \
+     defined(MBEDTLS_CIPHER_MODE_CTR))
+    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+    /*
+     * Test set 1
+     */
+    for (i = 0; i < 3; i++) {
+        /* test ECB encryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-ECB-%d (enc): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
+        if (memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* test ECB decryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-ECB-%d (dec): ", 128 + 64 * i);
+        mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
+        if (memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if (verbose)
+        mbedtls_printf("\n");
+
+    /*
+     * Test set 2
+     */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    for (i = 0; i < 3; i++) {
+        /* Test CBC encryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CBC-%d (enc): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+        memset(buf, 0x55, sizeof(buf));
+        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+                               aria_test2_pt, buf);
+        if (memcmp(buf, aria_test2_cbc_ct[i], 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CBC decryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CBC-%d (dec): ", 128 + 64 * i);
+        mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
+        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+        memset(buf, 0xAA, sizeof(buf));
+        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+                               aria_test2_cbc_ct[i], buf);
+        if (memcmp(buf, aria_test2_pt, 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if (verbose)
+        mbedtls_printf("\n");
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    for (i = 0; i < 3; i++) {
+        /* Test CFB encryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CFB-%d (enc): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+        memset(buf, 0x55, sizeof(buf));
+        j = 0;
+        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+                                  aria_test2_pt, buf);
+        if (memcmp(buf, aria_test2_cfb_ct[i], 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CFB decryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CFB-%d (dec): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+        memset(buf, 0xAA, sizeof(buf));
+        j = 0;
+        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+                                  iv, aria_test2_cfb_ct[i], buf);
+        if (memcmp(buf, aria_test2_pt, 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if (verbose)
+        mbedtls_printf("\n");
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    for (i = 0; i < 3; i++) {
+        /* Test CTR encryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CTR-%d (enc): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
+        memset(buf, 0x55, sizeof(buf));
+        j = 0;
+        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+                               aria_test2_pt, buf);
+        if (memcmp(buf, aria_test2_ctr_ct[i], 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CTR decryption */
+        if (verbose)
+            mbedtls_printf("  ARIA-CTR-%d (dec): ", 128 + 64 * i);
+        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
+        memset(buf, 0xAA, sizeof(buf));
+        j = 0;
+        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+                               aria_test2_ctr_ct[i], buf);
+        if (memcmp(buf, aria_test2_pt, 48) != 0)
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if (verbose)
+        mbedtls_printf("\n");
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return (0);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/common/mbedtls/aria.h b/common/mbedtls/aria.h
new file mode 100644
index 000000000..305f42f6c
--- /dev/null
+++ b/common/mbedtls/aria.h
@@ -0,0 +1,368 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ *        The ARIA algorithm is a symmetric block cipher that can encrypt and
+ *        decrypt information. It is defined by the Korean Agency for
+ *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ *        and also described by the IETF in <em>RFC 5794</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "mbedtls/platform_util.h"
+
+#define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maxiumum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct mbedtls_aria_context {
+    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
+    /*! The ARIA round keys. */
+    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else  /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief          This function initializes the specified ARIA context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The ARIA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aria_init(mbedtls_aria_context *ctx);
+
+/**
+ * \brief          This function releases and clears the specified ARIA context.
+ *
+ * \param ctx      The ARIA context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized ARIA context.
+ */
+void mbedtls_aria_free(mbedtls_aria_context *ctx);
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The encryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of \p key in Bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
+                            const unsigned char *key,
+                            unsigned int keybits);
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
+                            const unsigned char *key,
+                            unsigned int keybits);
+
+/**
+ * \brief          This function performs an ARIA single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs encryption or decryption (depending on whether
+ *                 the key was set for encryption on decryption) on the input
+ *                 data buffer defined in the \p input parameter.
+ *
+ *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ *                 mbedtls_aria_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param input    The 16-Byte buffer holding the input data.
+ * \param output   The 16-Byte buffer holding the output data.
+
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
+                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an ARIA-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aria_init(), and either
+ *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on aligned blocks, that is, the input size
+ *         must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
+                           int mode,
+                           size_t length,
+                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                           const unsigned char *input,
+                           unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data \p input in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 This must not be larger than 15.
+ * \param iv       The initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
+                              int mode,
+                              size_t length,
+                              size_t *iv_off,
+                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                              const unsigned char *input,
+                              unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an ARIA-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aria_setkey_enc()
+ *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an ARIA block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The ARIA context to use for encryption or decryption.
+ *                         This must be initialized and bound to a key.
+ * \param length           The length of the input data \p input in Bytes.
+ * \param nc_off           The offset in Bytes in the current \p stream_block,
+ *                         for resuming within the current cipher stream. The
+ *                         offset pointer should be \c 0 at the start of a
+ *                         stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter    The 128-bit nonce and counter. This must point to
+ *                         a read/write buffer of length \c 16 bytes.
+ * \param stream_block     The saved stream block for resuming. This must
+ *                         point to a read/write buffer of length \c 16 bytes.
+ *                         This is overwritten by the function.
+ * \param input            The buffer holding the input data. This must
+ *                         be a readable buffer of length \p length Bytes.
+ * \param output           The buffer holding the output data. This must
+ *                         be a writable buffer of length \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ * \return                 A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
+                           size_t length,
+                           size_t *nc_off,
+                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                           const unsigned char *input,
+                           unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
diff --git a/common/mbedtls/asn1.h b/common/mbedtls/asn1.h
index 7eb06c543..fe881af2d 100644
--- a/common/mbedtls/asn1.h
+++ b/common/mbedtls/asn1.h
@@ -4,30 +4,26 @@
  * \brief Generic ASN.1 parsing
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_ASN1_H
 #define MBEDTLS_ASN1_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -35,7 +31,7 @@
 #include <stddef.h>
 
 #if defined(MBEDTLS_BIGNUM_C)
-#include "bignum.h"
+#include "mbedtls/bignum.h"
 #endif
 
 /**
@@ -54,7 +50,7 @@
 #define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
 #define MBEDTLS_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
 #define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
-#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. */
 #define MBEDTLS_ERR_ASN1_ALLOC_FAILED                     -0x006A  /**< Memory allocation failed */
 #define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
 
@@ -77,6 +73,7 @@
 #define MBEDTLS_ASN1_OCTET_STRING            0x04
 #define MBEDTLS_ASN1_NULL                    0x05
 #define MBEDTLS_ASN1_OID                     0x06
+#define MBEDTLS_ASN1_ENUMERATED              0x0A
 #define MBEDTLS_ASN1_UTF8_STRING             0x0C
 #define MBEDTLS_ASN1_SEQUENCE                0x10
 #define MBEDTLS_ASN1_SET                     0x11
@@ -91,6 +88,18 @@
 #define MBEDTLS_ASN1_CONSTRUCTED             0x20
 #define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
 
+/* Slightly smaller way to check if tag is a string tag
+ * compared to canonical implementation. */
+#define MBEDTLS_ASN1_IS_STRING_TAG( tag )                                     \
+    ( ( tag ) < 32u && (                                                      \
+        ( ( 1u << ( tag ) ) & ( ( 1u << MBEDTLS_ASN1_BMP_STRING )       |     \
+                                ( 1u << MBEDTLS_ASN1_UTF8_STRING )      |     \
+                                ( 1u << MBEDTLS_ASN1_T61_STRING )       |     \
+                                ( 1u << MBEDTLS_ASN1_IA5_STRING )       |     \
+                                ( 1u << MBEDTLS_ASN1_UNIVERSAL_STRING ) |     \
+                                ( 1u << MBEDTLS_ASN1_PRINTABLE_STRING ) |     \
+                                ( 1u << MBEDTLS_ASN1_BIT_STRING ) ) ) != 0 ) )
+
 /*
  * Bit masks for each of the components of an ASN.1 tag as specified in
  * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
@@ -118,8 +127,12 @@
  * 'unsigned char *oid' here!
  */
 #define MBEDTLS_OID_CMP(oid_str, oid_buf)                                   \
-    ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
-      memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
+        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
+          memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
+
+#define MBEDTLS_OID_CMP_RAW(oid_str, oid_buf, oid_buf_len)              \
+        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf_len) ) ||             \
+          memcmp( (oid_str), (oid_buf), (oid_buf_len) ) != 0 )
 
 #ifdef __cplusplus
 extern "C" {
@@ -174,29 +187,44 @@ mbedtls_asn1_named_data;
  * \brief       Get the length of an ASN.1 element.
  *              Updates the pointer to immediately behind the length.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param len   The variable that will receive the value
+ * \param p     On entry, \c *p points to the first byte of the length,
+ *              i.e. immediately after the tag.
+ *              On successful completion, \c *p points to the first byte
+ *              after the length, i.e. the first byte of the content.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param len   On successful completion, \c *len contains the length
+ *              read from the ASN.1 input.
  *
- * \return      0 if successful, MBEDTLS_ERR_ASN1_OUT_OF_DATA on reaching
- *              end of data, MBEDTLS_ERR_ASN1_INVALID_LENGTH if length is
- *              unparseable.
+ * \return      0 if successful.
+ * \return      #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
+ *              would end beyond \p end.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparseable.
  */
 int mbedtls_asn1_get_len(unsigned char **p,
                          const unsigned char *end,
                          size_t *len);
 
 /**
- * \brief       Get the tag and length of the tag. Check for the requested tag.
+ * \brief       Get the tag and length of the element.
+ *              Check for the requested tag.
  *              Updates the pointer to immediately behind the tag and length.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param len   The variable that will receive the length
- * \param tag   The expected tag
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              after the length, i.e. the first byte of the content.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param len   On successful completion, \c *len contains the length
+ *              read from the ASN.1 input.
+ * \param tag   The expected tag.
  *
- * \return      0 if successful, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if tag did
- *              not match requested tag, or another specific ASN.1 error code.
+ * \return      0 if successful.
+ * \return      #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the data does not start
+ *              with the requested tag.
+ * \return      #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
+ *              would end beyond \p end.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparseable.
  */
 int mbedtls_asn1_get_tag(unsigned char **p,
                          const unsigned char *end,
@@ -206,11 +234,16 @@ int mbedtls_asn1_get_tag(unsigned char **p,
  * \brief       Retrieve a boolean ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param val   The variable that will receive the value
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the ASN.1 element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param val   On success, the parsed value (\c 0 or \c 1).
  *
- * \return      0 if successful or a specific ASN.1 error code.
+ * \return      0 if successful.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 BOOLEAN.
  */
 int mbedtls_asn1_get_bool(unsigned char **p,
                           const unsigned char *end,
@@ -220,25 +253,60 @@ int mbedtls_asn1_get_bool(unsigned char **p,
  * \brief       Retrieve an integer ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param val   The variable that will receive the value
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the ASN.1 element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param val   On success, the parsed value.
  *
- * \return      0 if successful or a specific ASN.1 error code.
+ * \return      0 if successful.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 INTEGER.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ *              not fit in an \c int.
  */
 int mbedtls_asn1_get_int(unsigned char **p,
                          const unsigned char *end,
                          int *val);
 
+/**
+ * \brief       Retrieve an enumerated ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the ASN.1 element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param val   On success, the parsed value.
+ *
+ * \return      0 if successful.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 ENUMERATED.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ *              not fit in an \c int.
+ */
+int mbedtls_asn1_get_enum(unsigned char **p,
+                          const unsigned char *end,
+                          int *val);
+
 /**
  * \brief       Retrieve a bitstring ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param bs    The variable that will receive the value
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p is equal to \p end.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param bs    On success, ::mbedtls_asn1_bitstring information about
+ *              the parsed value.
  *
- * \return      0 if successful or a specific ASN.1 error code.
+ * \return      0 if successful.
+ * \return      #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
+ *              extra data after a valid BIT STRING.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 BIT STRING.
  */
 int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
                                mbedtls_asn1_bitstring *bs);
@@ -248,41 +316,209 @@ int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
  *              value.
  *              Updates the pointer to the beginning of the bit/octet string.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param len   Length of the actual bit/octect string in bytes
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              of the content of the BIT STRING.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param len   On success, \c *len is the length of the content in bytes.
  *
- * \return      0 if successful or a specific ASN.1 error code.
+ * \return      0 if successful.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_DATA if the input starts with
+ *              a valid BIT STRING with a nonzero number of unused bits.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 BIT STRING.
  */
-int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
+int mbedtls_asn1_get_bitstring_null(unsigned char **p,
+                                    const unsigned char *end,
                                     size_t *len);
 
 /**
- * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>"
- *              Updated the pointer to immediately behind the full sequence tag.
+ * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>".
+ *              Updates the pointer to immediately behind the full sequence tag.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param cur   First variable in the chain to fill
- * \param tag   Type of sequence
+ * This function allocates memory for the sequence elements. You can free
+ * the allocated memory with mbedtls_asn1_sequence_free().
  *
- * \return      0 if successful or a specific ASN.1 error code.
+ * \note        On error, this function may return a partial list in \p cur.
+ *              You must set `cur->next = NULL` before calling this function!
+ *              Otherwise it is impossible to distinguish a previously non-null
+ *              pointer from a pointer to an object allocated by this function.
+ *
+ * \note        If the sequence is empty, this function does not modify
+ *              \c *cur. If the sequence is valid and non-empty, this
+ *              function sets `cur->buf.tag` to \p tag. This allows
+ *              callers to distinguish between an empty sequence and
+ *              a one-element sequence.
+ *
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p is equal to \p end.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param cur   A ::mbedtls_asn1_sequence which this function fills.
+ *              When this function returns, \c *cur is the head of a linked
+ *              list. Each node in this list is allocated with
+ *              mbedtls_calloc() apart from \p cur itself, and should
+ *              therefore be freed with mbedtls_free().
+ *              The list describes the content of the sequence.
+ *              The head of the list (i.e. \c *cur itself) describes the
+ *              first element, `*cur->next` describes the second element, etc.
+ *              For each element, `buf.tag == tag`, `buf.len` is the length
+ *              of the content of the content of the element, and `buf.p`
+ *              points to the first byte of the content (i.e. immediately
+ *              past the length of the element).
+ *              Note that list elements may be allocated even on error.
+ * \param tag   Each element of the sequence must have this tag.
+ *
+ * \return      0 if successful.
+ * \return      #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
+ *              extra data after a valid SEQUENCE OF \p tag.
+ * \return      #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts with
+ *              an ASN.1 SEQUENCE in which an element has a tag that
+ *              is different from \p tag.
+ * \return      #MBEDTLS_ERR_ASN1_ALLOC_FAILED if a memory allocation failed.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 SEQUENCE.
  */
 int mbedtls_asn1_get_sequence_of(unsigned char **p,
                                  const unsigned char *end,
                                  mbedtls_asn1_sequence *cur,
                                  int tag);
+/**
+ * \brief          Free a heap-allocated linked list presentation of
+ *                 an ASN.1 sequence, including the first element.
+ *
+ * There are two common ways to manage the memory used for the representation
+ * of a parsed ASN.1 sequence:
+ * - Allocate a head node `mbedtls_asn1_sequence *head` with mbedtls_calloc().
+ *   Pass this node as the `cur` argument to mbedtls_asn1_get_sequence_of().
+ *   When you have finished processing the sequence,
+ *   call mbedtls_asn1_sequence_free() on `head`.
+ * - Allocate a head node `mbedtls_asn1_sequence *head` in any manner,
+ *   for example on the stack. Make sure that `head->next == NULL`.
+ *   Pass `head` as the `cur` argument to mbedtls_asn1_get_sequence_of().
+ *   When you have finished processing the sequence,
+ *   call mbedtls_asn1_sequence_free() on `head->cur`,
+ *   then free `head` itself in the appropriate manner.
+ *
+ * \param seq      The address of the first sequence component. This may
+ *                 be \c NULL, in which case this functions returns
+ *                 immediately.
+ */
+void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq);
+
+/**
+ * \brief                Traverse an ASN.1 SEQUENCE container and
+ *                       call a callback for each entry.
+ *
+ * This function checks that the input is a SEQUENCE of elements that
+ * each have a "must" tag, and calls a callback function on the elements
+ * that have a "may" tag.
+ *
+ * For example, to validate that the input is a SEQUENCE of `tag1` and call
+ * `cb` on each element, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0xff, tag1, 0, 0, cb, ctx);
+ * ```
+ *
+ * To validate that the input is a SEQUENCE of ANY and call `cb` on
+ * each element, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0, 0, 0, 0, cb, ctx);
+ * ```
+ *
+ * To validate that the input is a SEQUENCE of CHOICE {NULL, OCTET STRING}
+ * and call `cb` on each element that is an OCTET STRING, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0xfe, 0x04, 0xff, 0x04, cb, ctx);
+ * ```
+ *
+ * The callback is called on the elements with a "may" tag from left to
+ * right. If the input is not a valid SEQUENCE of elements with a "must" tag,
+ * the callback is called on the elements up to the leftmost point where
+ * the input is invalid.
+ *
+ * \warning              This function is still experimental and may change
+ *                       at any time.
+ *
+ * \param p              The address of the pointer to the beginning of
+ *                       the ASN.1 SEQUENCE header. This is updated to
+ *                       point to the end of the ASN.1 SEQUENCE container
+ *                       on a successful invocation.
+ * \param end            The end of the ASN.1 SEQUENCE container.
+ * \param tag_must_mask  A mask to be applied to the ASN.1 tags found within
+ *                       the SEQUENCE before comparing to \p tag_must_value.
+ * \param tag_must_val   The required value of each ASN.1 tag found in the
+ *                       SEQUENCE, after masking with \p tag_must_mask.
+ *                       Mismatching tags lead to an error.
+ *                       For example, a value of \c 0 for both \p tag_must_mask
+ *                       and \p tag_must_val means that every tag is allowed,
+ *                       while a value of \c 0xFF for \p tag_must_mask means
+ *                       that \p tag_must_val is the only allowed tag.
+ * \param tag_may_mask   A mask to be applied to the ASN.1 tags found within
+ *                       the SEQUENCE before comparing to \p tag_may_value.
+ * \param tag_may_val    The desired value of each ASN.1 tag found in the
+ *                       SEQUENCE, after masking with \p tag_may_mask.
+ *                       Mismatching tags will be silently ignored.
+ *                       For example, a value of \c 0 for \p tag_may_mask and
+ *                       \p tag_may_val means that any tag will be considered,
+ *                       while a value of \c 0xFF for \p tag_may_mask means
+ *                       that all tags with value different from \p tag_may_val
+ *                       will be ignored.
+ * \param cb             The callback to trigger for each component
+ *                       in the ASN.1 SEQUENCE that matches \p tag_may_val.
+ *                       The callback function is called with the following
+ *                       parameters:
+ *                       - \p ctx.
+ *                       - The tag of the current element.
+ *                       - A pointer to the start of the current element's
+ *                         content inside the input.
+ *                       - The length of the content of the current element.
+ *                       If the callback returns a non-zero value,
+ *                       the function stops immediately,
+ *                       forwarding the callback's return value.
+ * \param ctx            The context to be passed to the callback \p cb.
+ *
+ * \return               \c 0 if successful the entire ASN.1 SEQUENCE
+ *                       was traversed without parsing or callback errors.
+ * \return               #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input
+ *                       contains extra data after a valid SEQUENCE
+ *                       of elements with an accepted tag.
+ * \return               #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts
+ *                       with an ASN.1 SEQUENCE in which an element has a tag
+ *                       that is not accepted.
+ * \return               An ASN.1 error code if the input does not start with
+ *                       a valid ASN.1 SEQUENCE.
+ * \return               A non-zero error code forwarded from the callback
+ *                       \p cb in case the latter returns a non-zero value.
+ */
+int mbedtls_asn1_traverse_sequence_of(
+    unsigned char **p,
+    const unsigned char *end,
+    unsigned char tag_must_mask, unsigned char tag_must_val,
+    unsigned char tag_may_mask, unsigned char tag_may_val,
+    int (*cb)(void *ctx, int tag,
+              unsigned char *start, size_t len),
+    void *ctx);
 
 #if defined(MBEDTLS_BIGNUM_C)
 /**
- * \brief       Retrieve a MPI value from an integer ASN.1 tag.
+ * \brief       Retrieve an integer ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param X     The MPI that will receive the value
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the ASN.1 element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param X     On success, the parsed value.
  *
- * \return      0 if successful or a specific ASN.1 or MPI error code.
+ * \return      0 if successful.
+ * \return      An ASN.1 error code if the input does not start with
+ *              a valid ASN.1 INTEGER.
+ * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ *              not fit in an \c int.
+ * \return      An MPI error code if the parsed value is too large.
  */
 int mbedtls_asn1_get_mpi(unsigned char **p,
                          const unsigned char *end,
@@ -294,10 +530,14 @@ int mbedtls_asn1_get_mpi(unsigned char **p,
  *              Updates the pointer to immediately behind the full
  *              AlgorithmIdentifier.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param alg   The buffer to receive the OID
- * \param params The buffer to receive the params (if any)
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the AlgorithmIdentifier element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param alg   The buffer to receive the OID.
+ * \param params The buffer to receive the parameters.
+ *              This is zeroized if there are no parameters.
  *
  * \return      0 if successful or a specific ASN.1 or MPI error code.
  */
@@ -311,9 +551,12 @@ int mbedtls_asn1_get_alg(unsigned char **p,
  *              Updates the pointer to immediately behind the full
  *              AlgorithmIdentifier.
  *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param alg   The buffer to receive the OID
+ * \param p     On entry, \c *p points to the start of the ASN.1 element.
+ *              On successful completion, \c *p points to the first byte
+ *              beyond the AlgorithmIdentifier element.
+ *              On error, the value of \c *p is undefined.
+ * \param end   End of data.
+ * \param alg   The buffer to receive the OID.
  *
  * \return      0 if successful or a specific ASN.1 or MPI error code.
  */
@@ -337,15 +580,19 @@ mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(mbedtls_asn1_named_data *l
 /**
  * \brief       Free a mbedtls_asn1_named_data entry
  *
- * \param entry The named data entry to free
+ * \param entry The named data entry to free.
+ *              This function calls mbedtls_free() on
+ *              `entry->oid.p` and `entry->val.p`.
  */
 void mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *entry);
 
 /**
- * \brief       Free all entries in a mbedtls_asn1_named_data list
- *              Head will be set to NULL
+ * \brief       Free all entries in a mbedtls_asn1_named_data list.
  *
- * \param head  Pointer to the head of the list of named data entries to free
+ * \param head  Pointer to the head of the list of named data entries to free.
+ *              This function calls mbedtls_asn1_free_named_data() and
+ *              mbedtls_free() on each list element and
+ *              sets \c *head to \c NULL.
  */
 void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head);
 
diff --git a/common/mbedtls/asn1parse.c b/common/mbedtls/asn1parse.c
index c39fe29b5..98460e055 100644
--- a/common/mbedtls/asn1parse.c
+++ b/common/mbedtls/asn1parse.c
@@ -1,36 +1,29 @@
 /*
  *  Generic ASN.1 parsing
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -121,7 +114,7 @@ int mbedtls_asn1_get_tag(unsigned char **p,
 int mbedtls_asn1_get_bool(unsigned char **p,
                           const unsigned char *end,
                           int *val) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
     if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_BOOLEAN)) != 0)
@@ -136,20 +129,39 @@ int mbedtls_asn1_get_bool(unsigned char **p,
     return (0);
 }
 
-int mbedtls_asn1_get_int(unsigned char **p,
-                         const unsigned char *end,
-                         int *val) {
-    int ret;
+static int asn1_get_tagged_int(unsigned char **p,
+                               const unsigned char *end,
+                               int tag, int *val) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0)
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len, tag)) != 0)
         return (ret);
 
-    if (len == 0 || len > sizeof(int) || (**p & 0x80) != 0)
+    /*
+     * len==0 is malformed (0 must be represented as 020100 for INTEGER,
+     * or 0A0100 for ENUMERATED tags
+     */
+    if (len == 0)
+        return (MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+    /* This is a cryptography library. Reject negative integers. */
+    if ((**p & 0x80) != 0)
+        return (MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+
+    /* Skip leading zeros. */
+    while (len > 0 && **p == 0) {
+        ++(*p);
+        --len;
+    }
+
+    /* Reject integers that don't fit in an int. This code assumes that
+     * the int type has no padding bit. */
+    if (len > sizeof(int))
+        return (MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+    if (len == sizeof(int) && (**p & 0x80) != 0)
         return (MBEDTLS_ERR_ASN1_INVALID_LENGTH);
 
     *val = 0;
-
     while (len-- > 0) {
         *val = (*val << 8) | **p;
         (*p)++;
@@ -158,11 +170,23 @@ int mbedtls_asn1_get_int(unsigned char **p,
     return (0);
 }
 
+int mbedtls_asn1_get_int(unsigned char **p,
+                         const unsigned char *end,
+                         int *val) {
+    return (asn1_get_tagged_int(p, end, MBEDTLS_ASN1_INTEGER, val));
+}
+
+int mbedtls_asn1_get_enum(unsigned char **p,
+                          const unsigned char *end,
+                          int *val) {
+    return (asn1_get_tagged_int(p, end, MBEDTLS_ASN1_ENUMERATED, val));
+}
+
 #if defined(MBEDTLS_BIGNUM_C)
 int mbedtls_asn1_get_mpi(unsigned char **p,
                          const unsigned char *end,
                          mbedtls_mpi *X) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
     if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0)
@@ -178,7 +202,7 @@ int mbedtls_asn1_get_mpi(unsigned char **p,
 
 int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
                                mbedtls_asn1_bitstring *bs) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     /* Certificate type is a single byte bitstring */
     if ((ret = mbedtls_asn1_get_tag(p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING)) != 0)
@@ -206,22 +230,113 @@ int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
 }
 
 /*
- * Get a bit string without unused bits
+ * Traverse an ASN.1 "SEQUENCE OF <tag>"
+ * and call a callback for each entry found.
  */
-int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
-                                    size_t *len) {
+int mbedtls_asn1_traverse_sequence_of(
+    unsigned char **p,
+    const unsigned char *end,
+    unsigned char tag_must_mask, unsigned char tag_must_val,
+    unsigned char tag_may_mask, unsigned char tag_may_val,
+    int (*cb)(void *ctx, int tag,
+              unsigned char *start, size_t len),
+    void *ctx) {
     int ret;
+    size_t len;
 
-    if ((ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_BIT_STRING)) != 0)
+    /* Get main sequence tag */
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
         return (ret);
+    }
 
-    if ((*len)-- < 2 || *(*p)++ != 0)
-        return (MBEDTLS_ERR_ASN1_INVALID_DATA);
+    if (*p + len != end)
+        return (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    while (*p < end) {
+        unsigned char const tag = *(*p)++;
+
+        if ((tag & tag_must_mask) != tag_must_val)
+            return (MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+
+        if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0)
+            return (ret);
+
+        if ((tag & tag_may_mask) == tag_may_val) {
+            if (cb != NULL) {
+                ret = cb(ctx, tag, *p, len);
+                if (ret != 0)
+                    return (ret);
+            }
+        }
+
+        *p += len;
+    }
 
     return (0);
 }
 
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
+                                    size_t *len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
+    if ((ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_BIT_STRING)) != 0)
+        return (ret);
+
+    if (*len == 0)
+        return (MBEDTLS_ERR_ASN1_INVALID_DATA);
+    --(*len);
+
+    if (**p != 0)
+        return (MBEDTLS_ERR_ASN1_INVALID_DATA);
+    ++(*p);
+
+    return (0);
+}
+
+void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq) {
+    while (seq != NULL) {
+        mbedtls_asn1_sequence *next = seq->next;
+        mbedtls_platform_zeroize(seq, sizeof(*seq));
+        mbedtls_free(seq);
+        seq = next;
+    }
+}
+
+typedef struct {
+    int tag;
+    mbedtls_asn1_sequence *cur;
+} asn1_get_sequence_of_cb_ctx_t;
+
+static int asn1_get_sequence_of_cb(void *ctx,
+                                   int tag,
+                                   unsigned char *start,
+                                   size_t len) {
+    asn1_get_sequence_of_cb_ctx_t *cb_ctx =
+        (asn1_get_sequence_of_cb_ctx_t *) ctx;
+    mbedtls_asn1_sequence *cur =
+        cb_ctx->cur;
+
+    if (cur->buf.p != NULL) {
+        cur->next =
+            mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+        if (cur->next == NULL)
+            return (MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+
+        cur = cur->next;
+    }
+
+    cur->buf.p = start;
+    cur->buf.len = len;
+    cur->buf.tag = tag;
+
+    cb_ctx->cur = cur;
+    return (0);
+}
 
 /*
  *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
@@ -230,53 +345,17 @@ int mbedtls_asn1_get_sequence_of(unsigned char **p,
                                  const unsigned char *end,
                                  mbedtls_asn1_sequence *cur,
                                  int tag) {
-    int ret;
-    size_t len;
-    mbedtls_asn1_buf *buf;
-
-    /* Get main sequence tag */
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
-        return (ret);
-
-    if (*p + len != end)
-        return (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    while (*p < end) {
-        buf = &(cur->buf);
-        buf->tag = **p;
-
-        if ((ret = mbedtls_asn1_get_tag(p, end, &buf->len, tag)) != 0)
-            return (ret);
-
-        buf->p = *p;
-        *p += buf->len;
-
-        /* Allocate and assign next pointer */
-        if (*p < end) {
-            cur->next = (mbedtls_asn1_sequence *)mbedtls_calloc(1,
-                                                                sizeof(mbedtls_asn1_sequence));
-
-            if (cur->next == NULL)
-                return (MBEDTLS_ERR_ASN1_ALLOC_FAILED);
-
-            cur = cur->next;
-        }
-    }
-
-    /* Set final sequence entry's next pointer to NULL */
-    cur->next = NULL;
-
-    if (*p != end)
-        return (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    return (0);
+    asn1_get_sequence_of_cb_ctx_t cb_ctx = { tag, cur };
+    memset(cur, 0, sizeof(mbedtls_asn1_sequence));
+    return (mbedtls_asn1_traverse_sequence_of(
+                p, end, 0xFF, tag, 0, 0,
+                asn1_get_sequence_of_cb, &cb_ctx));
 }
 
 int mbedtls_asn1_get_alg(unsigned char **p,
                          const unsigned char *end,
                          mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
@@ -318,7 +397,7 @@ int mbedtls_asn1_get_alg(unsigned char **p,
 int mbedtls_asn1_get_alg_null(unsigned char **p,
                               const unsigned char *end,
                               mbedtls_asn1_buf *alg) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_asn1_buf params;
 
     memset(&params, 0, sizeof(mbedtls_asn1_buf));
diff --git a/common/mbedtls/asn1write.c b/common/mbedtls/asn1write.c
index 9b1373d0e..6c2d26685 100644
--- a/common/mbedtls/asn1write.c
+++ b/common/mbedtls/asn1write.c
@@ -1,35 +1,28 @@
 /*
  * ASN.1 buffer writing functionality
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ASN1_WRITE_C)
 
 #include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -125,7 +118,7 @@ int mbedtls_asn1_write_raw_buffer(unsigned char **p, unsigned char *start,
 
 #if defined(MBEDTLS_BIGNUM_C)
 int mbedtls_asn1_write_mpi(unsigned char **p, unsigned char *start, const mbedtls_mpi *X) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     // Write the MPI
@@ -160,7 +153,7 @@ cleanup:
 #endif /* MBEDTLS_BIGNUM_C */
 
 int mbedtls_asn1_write_null(unsigned char **p, unsigned char *start) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     // Write NULL
@@ -173,7 +166,7 @@ int mbedtls_asn1_write_null(unsigned char **p, unsigned char *start) {
 
 int mbedtls_asn1_write_oid(unsigned char **p, unsigned char *start,
                            const char *oid, size_t oid_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
@@ -187,7 +180,7 @@ int mbedtls_asn1_write_oid(unsigned char **p, unsigned char *start,
 int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, unsigned char *start,
                                             const char *oid, size_t oid_len,
                                             size_t par_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     if (par_len == 0)
@@ -205,7 +198,7 @@ int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, unsigned char *st
 }
 
 int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start, int boolean) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     if (*p - start < 1)
@@ -220,77 +213,132 @@ int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start, int boolean
     return ((int) len);
 }
 
-int mbedtls_asn1_write_int(unsigned char **p, unsigned char *start, int val) {
-    int ret;
+static int asn1_write_tagged_int(unsigned char **p, unsigned char *start, int val, int tag) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
-    if (*p - start < 1)
-        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
-
-    len += 1;
-    *--(*p) = val;
-
-    if (val > 0 && **p & 0x80) {
+    do {
         if (*p - start < 1)
             return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+        len += 1;
+        *--(*p) = val & 0xff;
+        val >>= 8;
+    } while (val > 0);
 
+    if (**p & 0x80) {
+        if (*p - start < 1)
+            return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
         *--(*p) = 0x00;
         len += 1;
     }
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_INTEGER));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, tag));
 
     return ((int) len);
 }
 
+int mbedtls_asn1_write_int(unsigned char **p, unsigned char *start, int val) {
+    return (asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_INTEGER));
+}
+
+int mbedtls_asn1_write_enum(unsigned char **p, unsigned char *start, int val) {
+    return (asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_ENUMERATED));
+}
+
+int mbedtls_asn1_write_tagged_string(unsigned char **p, unsigned char *start, int tag,
+                                     const char *text, size_t text_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+                                                            (const unsigned char *) text, text_len));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, tag));
+
+    return ((int) len);
+}
+
+int mbedtls_asn1_write_utf8_string(unsigned char **p, unsigned char *start,
+                                   const char *text, size_t text_len) {
+    return (mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len));
+}
+
 int mbedtls_asn1_write_printable_string(unsigned char **p, unsigned char *start,
                                         const char *text, size_t text_len) {
-    int ret;
-    size_t len = 0;
-
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
-                                                            (const unsigned char *) text, text_len));
-
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_PRINTABLE_STRING));
-
-    return ((int) len);
+    return (mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text, text_len));
 }
 
 int mbedtls_asn1_write_ia5_string(unsigned char **p, unsigned char *start,
                                   const char *text, size_t text_len) {
-    int ret;
-    size_t len = 0;
+    return (mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len));
+}
 
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
-                                                            (const unsigned char *) text, text_len));
+int mbedtls_asn1_write_named_bitstring(unsigned char **p,
+                                       unsigned char *start,
+                                       const unsigned char *buf,
+                                       size_t bits) {
+    size_t unused_bits, byte_len;
+    const unsigned char *cur_byte;
+    unsigned char cur_byte_shifted;
+    unsigned char bit;
 
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_IA5_STRING));
+    byte_len = (bits + 7) / 8;
+    unused_bits = (byte_len * 8) - bits;
 
-    return ((int) len);
+    /*
+     * Named bitstrings require that trailing 0s are excluded in the encoding
+     * of the bitstring. Trailing 0s are considered part of the 'unused' bits
+     * when encoding this value in the first content octet
+     */
+    if (bits != 0) {
+        cur_byte = buf + byte_len - 1;
+        cur_byte_shifted = *cur_byte >> unused_bits;
+
+        for (; ;) {
+            bit = cur_byte_shifted & 0x1;
+            cur_byte_shifted >>= 1;
+
+            if (bit != 0)
+                break;
+
+            bits--;
+            if (bits == 0)
+                break;
+
+            if (bits % 8 == 0)
+                cur_byte_shifted = *--cur_byte;
+        }
+    }
+
+    return (mbedtls_asn1_write_bitstring(p, start, buf, bits));
 }
 
 int mbedtls_asn1_write_bitstring(unsigned char **p, unsigned char *start,
                                  const unsigned char *buf, size_t bits) {
-    int ret;
-    size_t len = 0, size;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+    size_t unused_bits, byte_len;
 
-    size = (bits / 8) + ((bits % 8) ? 1 : 0);
+    byte_len = (bits + 7) / 8;
+    unused_bits = (byte_len * 8) - bits;
 
-    // Calculate byte length
-    //
-    if (*p < start || (size_t)(*p - start) < size + 1)
+    if (*p < start || (size_t)(*p - start) < byte_len + 1)
         return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
 
-    len = size + 1;
-    (*p) -= size;
-    memcpy(*p, buf, size);
+    len = byte_len + 1;
 
-    // Write unused bits
-    //
-    *--(*p) = (unsigned char)(size * 8 - bits);
+    /* Write the bitstring. Ensure the unused bits are zeroed */
+    if (byte_len > 0) {
+        byte_len--;
+        *--(*p) = buf[byte_len] & ~((0x1 << unused_bits) - 1);
+        (*p) -= byte_len;
+        memcpy(*p, buf, byte_len);
+    }
+
+    /* Write unused bits */
+    *--(*p) = (unsigned char)unused_bits;
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_BIT_STRING));
@@ -300,7 +348,7 @@ int mbedtls_asn1_write_bitstring(unsigned char **p, unsigned char *start,
 
 int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
                                     const unsigned char *buf, size_t size) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, buf, size));
@@ -311,13 +359,32 @@ int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
     return ((int) len);
 }
 
-mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data **head,
-                                                       const char *oid, size_t oid_len,
-                                                       const unsigned char *val,
-                                                       size_t val_len) {
+
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+    mbedtls_asn1_named_data *list,
+    const char *oid, size_t len) {
+    while (list != NULL) {
+        if (list->oid.len == len &&
+                memcmp(list->oid.p, oid, len) == 0) {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return (list);
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+    mbedtls_asn1_named_data **head,
+    const char *oid, size_t oid_len,
+    const unsigned char *val,
+    size_t val_len) {
     mbedtls_asn1_named_data *cur;
 
-    if ((cur = mbedtls_asn1_find_named_data(*head, oid, oid_len)) == NULL) {
+    if ((cur = asn1_find_named_data(*head, oid, oid_len)) == NULL) {
         // Add new entry if not present yet based on OID
         //
         cur = (mbedtls_asn1_named_data *)mbedtls_calloc(1,
@@ -335,16 +402,21 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data *
         memcpy(cur->oid.p, oid, oid_len);
 
         cur->val.len = val_len;
-        cur->val.p = mbedtls_calloc(1, val_len);
-        if (cur->val.p == NULL) {
-            mbedtls_free(cur->oid.p);
-            mbedtls_free(cur);
-            return (NULL);
+        if (val_len != 0) {
+            cur->val.p = mbedtls_calloc(1, val_len);
+            if (cur->val.p == NULL) {
+                mbedtls_free(cur->oid.p);
+                mbedtls_free(cur);
+                return (NULL);
+            }
         }
 
         cur->next = *head;
         *head = cur;
-    } else if (cur->val.len < val_len) {
+    } else if (val_len == 0) {
+        mbedtls_free(cur->val.p);
+        cur->val.p = NULL;
+    } else if (cur->val.len != val_len) {
         /*
          * Enlarge existing value buffer if needed
          * Preserve old data until the allocation succeeded, to leave list in
diff --git a/common/mbedtls/asn1write.h b/common/mbedtls/asn1write.h
index 59c6d2f72..6a4ccff6f 100644
--- a/common/mbedtls/asn1write.h
+++ b/common/mbedtls/asn1write.h
@@ -4,212 +4,335 @@
  * \brief ASN.1 buffer writing functionality
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 
-#include "asn1.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
-#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
-            g += ret; } while( 0 )
+#include "mbedtls/asn1.h"
+
+#define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
+    do                                                  \
+    {                                                   \
+        if( ( ret = (f) ) < 0 )                         \
+            return( ret );                              \
+        else                                            \
+            (g) += ret;                                 \
+    } while( 0 )
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /**
- * \brief           Write a length field in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a length field in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param len       the length to write
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param len       The length value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_len(unsigned char **p, unsigned char *start, size_t len);
-
+int mbedtls_asn1_write_len(unsigned char **p, unsigned char *start,
+                           size_t len);
 /**
- * \brief           Write a ASN.1 tag in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an ASN.1 tag in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param tag       the tag to write
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The tag to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_tag(unsigned char **p, unsigned char *start,
                            unsigned char tag);
 
 /**
- * \brief           Write raw buffer data
- *                  Note: function works backwards in data buffer
+ * \brief           Write raw buffer data.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       data buffer to write
- * \param size      length of the data buffer
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The data buffer to write.
+ * \param size      The length of the data buffer.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_raw_buffer(unsigned char **p, unsigned char *start,
                                   const unsigned char *buf, size_t size);
 
 #if defined(MBEDTLS_BIGNUM_C)
 /**
- * \brief           Write a big number (MBEDTLS_ASN1_INTEGER) in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param X         the MPI to write
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param X         The MPI to write.
+ *                  It must be non-negative.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_mpi(unsigned char **p, unsigned char *start, const mbedtls_mpi *X);
+int mbedtls_asn1_write_mpi(unsigned char **p, unsigned char *start,
+                           const mbedtls_mpi *X);
 #endif /* MBEDTLS_BIGNUM_C */
 
 /**
- * \brief           Write a NULL tag (MBEDTLS_ASN1_NULL) with zero data in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_null(unsigned char **p, unsigned char *start);
 
 /**
- * \brief           Write an OID tag (MBEDTLS_ASN1_OID) and data in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param oid       the OID to write
- * \param oid_len   length of the OID
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID to write.
+ * \param oid_len   The length of the OID.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_oid(unsigned char **p, unsigned char *start,
                            const char *oid, size_t oid_len);
 
 /**
- * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param oid       the OID of the algorithm
- * \param oid_len   length of the OID
- * \param par_len   length of parameters, which must be already written.
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID of the algorithm to write.
+ * \param oid_len   The length of the algorithm's OID.
+ * \param par_len   The length of the parameters, which must be already written.
  *                  If 0, NULL parameters are added
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
+                                            unsigned char *start,
                                             const char *oid, size_t oid_len,
                                             size_t par_len);
 
 /**
- * \brief           Write a boolean tag (MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param boolean   0 or 1
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param boolean   The boolean value to write, either \c 0 or \c 1.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start, int boolean);
+int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start,
+                            int boolean);
 
 /**
- * \brief           Write an int tag (MBEDTLS_ASN1_INTEGER) and value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param val       the integer value
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param val       The integer value to write.
+ *                  It must be non-negative.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_int(unsigned char **p, unsigned char *start, int val);
 
 /**
- * \brief           Write a printable string tag (MBEDTLS_ASN1_PRINTABLE_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an enum tag (#MBEDTLS_ASN1_ENUMERATED) and value
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param text      the text to write
- * \param text_len  length of the text
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param val       The integer value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_printable_string(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_enum(unsigned char **p, unsigned char *start, int val);
+
+/**
+ * \brief           Write a string in ASN.1 format using a specific
+ *                  string encoding tag.
+
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The string encoding tag to write, e.g.
+ *                  #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string(unsigned char **p, unsigned char *start,
+                                     int tag, const char *text,
+                                     size_t text_len);
+
+/**
+ * \brief           Write a string in ASN.1 format using the PrintableString
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string(unsigned char **p,
+                                        unsigned char *start,
                                         const char *text, size_t text_len);
 
 /**
- * \brief           Write an IA5 string tag (MBEDTLS_ASN1_IA5_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
+ *                  string encoding tag (#MBEDTLS_ASN1_UTF8_STRING).
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param text      the text to write
- * \param text_len  length of the text
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_utf8_string(unsigned char **p, unsigned char *start,
+                                   const char *text, size_t text_len);
+
+/**
+ * \brief           Write a string in ASN.1 format using the IA5String
+ *                  string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_ia5_string(unsigned char **p, unsigned char *start,
                                   const char *text, size_t text_len);
 
 /**
- * \brief           Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       the bitstring
- * \param bits      the total number of bits in the bitstring
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_bitstring(unsigned char **p, unsigned char *start,
                                  const unsigned char *buf, size_t bits);
 
 /**
- * \brief           Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           This function writes a named bitstring tag
+ *                  (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       data buffer to write
- * \param size      length of the data buffer
+ *                  As stated in RFC 5280 Appendix B, trailing zeroes are
+ *                  omitted when encoding named bitstrings in DER.
  *
- * \return          the length written or a negative error code
+ * \note            This function works backwards within the data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer which is used for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_named_bitstring(unsigned char **p,
+                                       unsigned char *start,
+                                       const unsigned char *buf,
+                                       size_t bits);
+
+/**
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The buffer holding the data to write.
+ * \param size      The length of the data buffer \p buf.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
                                     const unsigned char *buf, size_t size);
@@ -220,15 +343,20 @@ int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
  *                  a new entry is added to the head of the list.
  *                  Warning: Destructive behaviour for the val data!
  *
- * \param list      Pointer to the location of the head of the list to seek
- *                  through (will be updated in case of a new entry)
- * \param oid       The OID to look for
- * \param oid_len   Size of the OID
- * \param val       Data to store (can be NULL if you want to fill it by hand)
- * \param val_len   Minimum length of the data buffer needed
+ * \param list      The pointer to the location of the head of the list to seek
+ *                  through (will be updated in case of a new entry).
+ * \param oid       The OID to look for.
+ * \param oid_len   The size of the OID.
+ * \param val       The associated data to store. If this is \c NULL,
+ *                  no data is copied to the new or existing buffer.
+ * \param val_len   The minimum length of the data buffer needed.
+ *                  If this is 0, do not allocate a buffer for the associated
+ *                  data.
+ *                  If the OID was already present, enlarge, shrink or free
+ *                  the existing buffer to fit \p val_len.
  *
- * \return      NULL if if there was a memory allocation error, or a pointer
- *              to the new / existing entry.
+ * \return          A pointer to the new / existing entry on success.
+ * \return          \c NULL if if there was a memory allocation error.
  */
 mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data **list,
                                                        const char *oid, size_t oid_len,
diff --git a/common/mbedtls/base64.c b/common/mbedtls/base64.c
index c917285b9..6f2834628 100644
--- a/common/mbedtls/base64.c
+++ b/common/mbedtls/base64.c
@@ -1,31 +1,23 @@
 /*
  *  RFC 1521 base64 encoding/decoding
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_BASE64_C)
 
@@ -71,6 +63,94 @@ static const unsigned char base64_dec_map[128] = {
 
 #define BASE64_SIZE_T_MAX   ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
 
+/*
+ * Constant flow conditional assignment to unsigned char
+ */
+static void mbedtls_base64_cond_assign_uchar(unsigned char *dest, const unsigned char *const src,
+                                             unsigned char condition) {
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* Generate bitmask from condition, mask will either be 0xFF or 0 */
+    unsigned char mask = (condition | -condition);
+    mask >>= 7;
+    mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    *dest = ((*src) & mask) | ((*dest) & ~mask);
+}
+
+/*
+ * Constant flow conditional assignment to uint_32
+ */
+static void mbedtls_base64_cond_assign_uint32(uint32_t *dest, const uint32_t src,
+                                              uint32_t condition) {
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* Generate bitmask from condition, mask will either be 0xFFFFFFFF or 0 */
+    uint32_t mask = (condition | -condition);
+    mask >>= 31;
+    mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    *dest = (src & mask) | ((*dest) & ~mask);
+}
+
+/*
+ * Constant flow check for equality
+ */
+static unsigned char mbedtls_base64_eq(size_t in_a, size_t in_b) {
+    size_t difference = in_a ^ in_b;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    difference |= -difference;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /* cope with the varying size of size_t per platform */
+    difference >>= (sizeof(difference) * 8 - 1);
+
+    return (unsigned char)(1 ^ difference);
+}
+
+/*
+ * Constant flow lookup into table.
+ */
+static unsigned char mbedtls_base64_table_lookup(const unsigned char *const table,
+                                                 const size_t table_size, const size_t table_index) {
+    size_t i;
+    unsigned char result = 0;
+
+    for (i = 0; i < table_size; ++i) {
+        mbedtls_base64_cond_assign_uchar(&result, &table[i], mbedtls_base64_eq(i, table_index));
+    }
+
+    return result;
+}
+
 /*
  * Encode a buffer into base64 format
  */
@@ -106,21 +186,32 @@ int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
         C2 = *src++;
         C3 = *src++;
 
-        *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
-        *p++ = base64_enc_map[(((C1 &  3) << 4) + (C2 >> 4)) & 0x3F];
-        *p++ = base64_enc_map[(((C2 & 15) << 2) + (C3 >> 6)) & 0x3F];
-        *p++ = base64_enc_map[C3 & 0x3F];
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           ((C1 >> 2) & 0x3F));
+
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           ((((C1 &  3) << 4) + (C2 >> 4)) & 0x3F));
+
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           ((((C2 & 15) << 2) + (C3 >> 6)) & 0x3F));
+
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           (C3 & 0x3F));
     }
 
     if (i < slen) {
         C1 = *src++;
         C2 = ((i + 1) < slen) ? *src++ : 0;
 
-        *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
-        *p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           ((C1 >> 2) & 0x3F));
+
+        *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                           ((((C1 & 3) << 4) + (C2 >> 4)) & 0x3F));
 
         if ((i + 1) < slen)
-            *p++ = base64_enc_map[((C2 & 15) << 2) & 0x3F];
+            *p++ = mbedtls_base64_table_lookup(base64_enc_map, sizeof(base64_enc_map),
+                                               (((C2 & 15) << 2) & 0x3F));
         else *p++ = '=';
 
         *p++ = '=';
@@ -140,6 +231,7 @@ int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
     size_t i, n;
     uint32_t j, x;
     unsigned char *p;
+    unsigned char dec_map_lookup;
 
     /* First pass: check for validity and get output length */
     for (i = n = j = 0; i < slen; i++) {
@@ -168,10 +260,12 @@ int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
         if (src[i] == '=' && ++j > 2)
             return (MBEDTLS_ERR_BASE64_INVALID_CHARACTER);
 
-        if (src[i] > 127 || base64_dec_map[src[i]] == 127)
+        dec_map_lookup = mbedtls_base64_table_lookup(base64_dec_map, sizeof(base64_dec_map), src[i]);
+
+        if (src[i] > 127 || dec_map_lookup == 127)
             return (MBEDTLS_ERR_BASE64_INVALID_CHARACTER);
 
-        if (base64_dec_map[src[i]] < 64 && j != 0)
+        if (dec_map_lookup < 64 && j != 0)
             return (MBEDTLS_ERR_BASE64_INVALID_CHARACTER);
 
         n++;
@@ -198,8 +292,10 @@ int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
         if (*src == '\r' || *src == '\n' || *src == ' ')
             continue;
 
-        j -= (base64_dec_map[*src] == 64);
-        x  = (x << 6) | (base64_dec_map[*src] & 0x3F);
+        dec_map_lookup = mbedtls_base64_table_lookup(base64_dec_map, sizeof(base64_dec_map), *src);
+
+        mbedtls_base64_cond_assign_uint32(&j, j - 1, mbedtls_base64_eq(dec_map_lookup, 64));
+        x  = (x << 6) | (dec_map_lookup & 0x3F);
 
         if (++n == 4) {
             n = 0;
diff --git a/common/mbedtls/base64.h b/common/mbedtls/base64.h
index 02ca18a91..8940d73ca 100644
--- a/common/mbedtls/base64.h
+++ b/common/mbedtls/base64.h
@@ -4,28 +4,30 @@
  * \brief RFC 1521 base64 encoding/decoding
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
@@ -77,6 +79,7 @@ int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
 int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
                           const unsigned char *src, size_t slen);
 
+#if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine
  *
@@ -84,6 +87,8 @@ int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
  */
 int mbedtls_base64_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/bignum.c b/common/mbedtls/bignum.c
index 3084da5fe..7c0daebd3 100644
--- a/common/mbedtls/bignum.c
+++ b/common/mbedtls/bignum.c
@@ -1,24 +1,20 @@
 /*
  *  Multi-precision integer library
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -37,17 +33,14 @@
  *
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_BIGNUM_C)
 
 #include "mbedtls/bignum.h"
 #include "mbedtls/bn_mul.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -61,6 +54,11 @@
 #define mbedtls_free       free
 #endif
 
+#define MPI_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
+#define MPI_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
 #define biL    (ciL << 3)               /* bits  in limb  */
 #define biH    (ciL << 2)               /* half limb size */
@@ -83,8 +81,7 @@ static void mbedtls_mpi_zeroize(mbedtls_mpi_uint *v, size_t n) {
  * Initialize one MPI
  */
 void mbedtls_mpi_init(mbedtls_mpi *X) {
-    if (X == NULL)
-        return;
+    MPI_VALIDATE(X != NULL);
 
     X->s = 1;
     X->n = 0;
@@ -113,6 +110,7 @@ void mbedtls_mpi_free(mbedtls_mpi *X) {
  */
 int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs) {
     mbedtls_mpi_uint *p;
+    MPI_VALIDATE_RET(X != NULL);
 
     if (nblimbs > MBEDTLS_MPI_MAX_LIMBS)
         return (MBEDTLS_ERR_MPI_ALLOC_FAILED);
@@ -141,10 +139,15 @@ int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs) {
 int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs) {
     mbedtls_mpi_uint *p;
     size_t i;
+    MPI_VALIDATE_RET(X != NULL);
 
-    /* Actually resize up in this case */
+    if (nblimbs > MBEDTLS_MPI_MAX_LIMBS)
+        return (MBEDTLS_ERR_MPI_ALLOC_FAILED);
+
+    /* Actually resize up if there are currently fewer than nblimbs limbs. */
     if (X->n <= nblimbs)
         return (mbedtls_mpi_grow(X, nblimbs));
+    /* After this point, then X->n > nblimbs and in particular X->n > 0. */
 
     for (i = X->n - 1; i > 0; i--)
         if (X->p[i] != 0)
@@ -175,11 +178,13 @@ int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs) {
 int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y) {
     int ret = 0;
     size_t i;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
 
     if (X == Y)
         return (0);
 
-    if (Y->p == NULL) {
+    if (Y->n == 0) {
         mbedtls_mpi_free(X);
         return (0);
     }
@@ -209,12 +214,29 @@ cleanup:
  */
 void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y) {
     mbedtls_mpi T;
+    MPI_VALIDATE(X != NULL);
+    MPI_VALIDATE(Y != NULL);
 
     memcpy(&T,  X, sizeof(mbedtls_mpi));
     memcpy(X,  Y, sizeof(mbedtls_mpi));
     memcpy(Y, &T, sizeof(mbedtls_mpi));
 }
 
+/*
+ * Conditionally assign dest = src, without leaking information
+ * about whether the assignment was made or not.
+ * dest and src must be arrays of limbs of size n.
+ * assign must be 0 or 1.
+ */
+static void mpi_safe_cond_assign(size_t n,
+                                 mbedtls_mpi_uint *dest,
+                                 const mbedtls_mpi_uint *src,
+                                 unsigned char assign) {
+    size_t i;
+    for (i = 0; i < n; i++)
+        dest[i] = dest[i] * (1 - assign) + src[i] * assign;
+}
+
 /*
  * Conditionally assign X = Y, without leaking information
  * about whether the assignment was made or not.
@@ -223,6 +245,8 @@ void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y) {
 int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign) {
     int ret = 0;
     size_t i;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
 
     /* make sure assign is 0 or 1 in a time-constant manner */
     assign = (assign | (unsigned char) - assign) >> 7;
@@ -231,10 +255,9 @@ int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
 
     X->s = X->s * (1 - assign) + Y->s * assign;
 
-    for (i = 0; i < Y->n; i++)
-        X->p[i] = X->p[i] * (1 - assign) + Y->p[i] * assign;
+    mpi_safe_cond_assign(Y->n, X->p, Y->p, assign);
 
-    for (; i < X->n; i++)
+    for (i = Y->n; i < X->n; i++)
         X->p[i] *= (1 - assign);
 
 cleanup:
@@ -251,6 +274,8 @@ int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swa
     int ret, s;
     size_t i;
     mbedtls_mpi_uint tmp;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
 
     if (X == Y)
         return (0);
@@ -280,7 +305,8 @@ cleanup:
  * Set value from integer
  */
 int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MPI_VALIDATE_RET(X != NULL);
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
     memset(X->p, 0, X->n * ciL);
@@ -297,12 +323,18 @@ cleanup:
  * Get a specific bit
  */
 int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos) {
+    MPI_VALIDATE_RET(X != NULL);
+
     if (X->n * biL <= pos)
         return (0);
 
     return ((X->p[pos / biL] >> (pos % biL)) & 0x01);
 }
 
+/* Get a specific byte, without range checks. */
+#define GET_BYTE( X, i )                                \
+    ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
+
 /*
  * Set a bit to a specific value of 0 or 1
  */
@@ -310,6 +342,7 @@ int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val) {
     int ret = 0;
     size_t off = pos / biL;
     size_t idx = pos % biL;
+    MPI_VALIDATE_RET(X != NULL);
 
     if (val != 0 && val != 1)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
@@ -334,6 +367,7 @@ cleanup:
  */
 size_t mbedtls_mpi_lsb(const mbedtls_mpi *X) {
     size_t i, j, count = 0;
+    MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0);
 
     for (i = 0; i < X->n; i++)
         for (j = 0; j < biL; j++, count++)
@@ -404,10 +438,12 @@ static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c) {
  * Import from an ASCII string
  */
 int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, j, slen, n;
     mbedtls_mpi_uint d;
     mbedtls_mpi T;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(s != NULL);
 
     if (radix < 2 || radix > 16)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
@@ -462,25 +498,35 @@ cleanup:
 }
 
 /*
- * Helper to write the digits high-order first
+ * Helper to write the digits high-order first.
  */
-static int mpi_write_hlp(mbedtls_mpi *X, int radix, char **p) {
-    int ret;
+static int mpi_write_hlp(mbedtls_mpi *X, int radix,
+                         char **p, const size_t buflen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi_uint r;
+    size_t length = 0;
+    char *p_end = *p + buflen;
 
-    if (radix < 2 || radix > 16)
-        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
+    do {
+        if (length >= buflen) {
+            return (MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+        }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
+        /*
+         * Write the residue in the current position, as an ASCII character.
+         */
+        if (r < 0xA)
+            *(--p_end) = (char)('0' + r);
+        else
+            *(--p_end) = (char)('A' + (r - 0xA));
 
-    if (mbedtls_mpi_cmp_int(X, 0) != 0)
-        MBEDTLS_MPI_CHK(mpi_write_hlp(X, radix, p));
+        length++;
+    } while (mbedtls_mpi_cmp_int(X, 0) != 0);
 
-    if (r < 10)
-        *(*p)++ = (char)(r + 0x30);
-    else
-        *(*p)++ = (char)(r + 0x37);
+    memmove(*p, p_end, length);
+    *p += length;
 
 cleanup:
 
@@ -496,19 +542,27 @@ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
     size_t n;
     char *p;
     mbedtls_mpi T;
+    MPI_VALIDATE_RET(X    != NULL);
+    MPI_VALIDATE_RET(olen != NULL);
+    MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
 
     if (radix < 2 || radix > 16)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
 
-    n = mbedtls_mpi_bitlen(X);
-    if (radix >=  4) n >>= 1;
-    if (radix >= 16) n >>= 1;
-    /*
-     * Round up the buffer length to an even value to ensure that there is
-     * enough room for hexadecimal values that can be represented in an odd
-     * number of digits.
-     */
-    n += 3 + ((n + 1) & 1);
+    n = mbedtls_mpi_bitlen(X);   /* Number of bits necessary to present `n`. */
+    if (radix >=  4) n >>= 1;   /* Number of 4-adic digits necessary to present
+                                  * `n`. If radix > 4, this might be a strict
+                                  * overapproximation of the number of
+                                  * radix-adic digits needed to present `n`. */
+    if (radix >= 16) n >>= 1;   /* Number of hexadecimal digits necessary to
+                                  * present `n`. */
+
+    n += 1; /* Terminating null byte */
+    n += 1; /* Compensate for the divisions above, which round down `n`
+             * in case it's not even. */
+    n += 1; /* Potential '-'-sign. */
+    n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
+                     * which always uses an even number of hex-digits. */
 
     if (buflen < n) {
         *olen = n;
@@ -518,8 +572,10 @@ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
     p = buf;
     mbedtls_mpi_init(&T);
 
-    if (X->s == -1)
+    if (X->s == -1) {
         *p++ = '-';
+        buflen--;
+    }
 
     if (radix == 16) {
         int c;
@@ -543,7 +599,7 @@ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
         if (T.s == -1)
             T.s = 1;
 
-        MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p));
+        MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
     }
 
     *p++ = '\0';
@@ -570,6 +626,12 @@ int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin) {
      */
     char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
 
+    MPI_VALIDATE_RET(X   != NULL);
+    MPI_VALIDATE_RET(fin != NULL);
+
+    if (radix < 2 || radix > 16)
+        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
+
     memset(s, 0, sizeof(s));
     if (fgets(s, sizeof(s) - 1, fin) == NULL)
         return (MBEDTLS_ERR_MPI_FILE_IO_ERROR);
@@ -593,13 +655,17 @@ int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin) {
  * Write X into an opened file (or stdout if fout == NULL)
  */
 int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n, slen, plen;
     /*
      * Buffer should have space for (short) label and decimal formatted MPI,
      * newline characters and '\0'
      */
     char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+    MPI_VALIDATE_RET(X != NULL);
+
+    if (radix < 2 || radix > 16)
+        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
 
     memset(s, 0, sizeof(s));
 
@@ -625,12 +691,98 @@ cleanup:
 }
 #endif /* MBEDTLS_FS_IO */
 
+
+/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi. */
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c(mbedtls_mpi_uint x) {
+    uint8_t i;
+    unsigned char *x_ptr;
+    mbedtls_mpi_uint tmp = 0;
+
+    for (i = 0, x_ptr = (unsigned char *) &x; i < ciL; i++, x_ptr++) {
+        tmp <<= CHAR_BIT;
+        tmp |= (mbedtls_mpi_uint) * x_ptr;
+    }
+
+    return (tmp);
+}
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host(mbedtls_mpi_uint x) {
+#if defined(__BYTE_ORDER__)
+
+    /* Nothing to do on bigendian systems. */
+#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
+    return (x);
+#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
+
+#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
+
+    /* For GCC and Clang, have builtins for byte swapping. */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4,3)
+#define have_bswap
+#endif
+#endif
+
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap32)  &&                 \
+    __has_builtin(__builtin_bswap64)
+#define have_bswap
+#endif
+#endif
+
+#if defined(have_bswap)
+    /* The compiler is hopefully able to statically evaluate this! */
+    switch (sizeof(mbedtls_mpi_uint)) {
+        case 4:
+            return (__builtin_bswap32(x));
+        case 8:
+            return (__builtin_bswap64(x));
+    }
+#endif
+#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
+#endif /* __BYTE_ORDER__ */
+
+    /* Fall back to C-based reordering if we don't know the byte order
+     * or we couldn't use a compiler-specific builtin. */
+    return (mpi_uint_bigendian_to_host_c(x));
+}
+
+static void mpi_bigendian_to_host(mbedtls_mpi_uint *const p, size_t limbs) {
+    mbedtls_mpi_uint *cur_limb_left;
+    mbedtls_mpi_uint *cur_limb_right;
+    if (limbs == 0)
+        return;
+
+    /*
+     * Traverse limbs and
+     * - adapt byte-order in each limb
+     * - swap the limbs themselves.
+     * For that, simultaneously traverse the limbs from left to right
+     * and from right to left, as long as the left index is not bigger
+     * than the right index (it's not a problem if limbs is odd and the
+     * indices coincide in the last iteration).
+     */
+    for (cur_limb_left = p, cur_limb_right = p + (limbs - 1);
+            cur_limb_left <= cur_limb_right;
+            cur_limb_left++, cur_limb_right--) {
+        mbedtls_mpi_uint tmp;
+        /* Note that if cur_limb_left == cur_limb_right,
+         * this code effectively swaps the bytes only once. */
+        tmp             = mpi_uint_bigendian_to_host(*cur_limb_left);
+        *cur_limb_left  = mpi_uint_bigendian_to_host(*cur_limb_right);
+        *cur_limb_right = tmp;
+    }
+}
+
 /*
- * Import X from unsigned binary data, big endian
+ * Import X from unsigned binary data, little endian
  */
-int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen) {
-    int ret;
-    size_t i, j;
+int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
+                               const unsigned char *buf, size_t buflen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t i;
     size_t const limbs = CHARS_TO_LIMBS(buflen);
 
     /* Ensure that target MPI has exactly the necessary number of limbs */
@@ -642,29 +794,128 @@ int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buf
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
 
-    for (i = buflen, j = 0; i > 0; i--, j++)
-        X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
+    for (i = 0; i < buflen; i++)
+        X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3);
 
 cleanup:
 
+    /*
+     * This function is also used to import keys. However, wiping the buffers
+     * upon failure is not necessary because failure only can happen before any
+     * input is copied.
+     */
     return (ret);
 }
 
+/*
+ * Import X from unsigned binary data, big endian
+ */
+int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t const limbs    = CHARS_TO_LIMBS(buflen);
+    size_t const overhead = (limbs * ciL) - buflen;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if (X->n != limbs) {
+        mbedtls_mpi_free(X);
+        mbedtls_mpi_init(X);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, limbs));
+    }
+    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+    /* Avoid calling `memcpy` with NULL source argument,
+     * even if buflen is 0. */
+    if (buf != NULL) {
+        Xp = (unsigned char *) X->p;
+        memcpy(Xp + overhead, buf, buflen);
+
+        mpi_bigendian_to_host(X->p, limbs);
+    }
+
+cleanup:
+
+    /*
+     * This function is also used to import keys. However, wiping the buffers
+     * upon failure is not necessary because failure only can happen before any
+     * input is copied.
+     */
+    return (ret);
+}
+
+/*
+ * Export X into unsigned binary data, little endian
+ */
+int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
+                                unsigned char *buf, size_t buflen) {
+    size_t stored_bytes = X->n * ciL;
+    size_t bytes_to_copy;
+    size_t i;
+
+    if (stored_bytes < buflen) {
+        bytes_to_copy = stored_bytes;
+    } else {
+        bytes_to_copy = buflen;
+
+        /* The output buffer is smaller than the allocated size of X.
+         * However X may fit if its leading bytes are zero. */
+        for (i = bytes_to_copy; i < stored_bytes; i++) {
+            if (GET_BYTE(X, i) != 0)
+                return (MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+        }
+    }
+
+    for (i = 0; i < bytes_to_copy; i++)
+        buf[i] = GET_BYTE(X, i);
+
+    if (stored_bytes < buflen) {
+        /* Write trailing 0 bytes */
+        memset(buf + stored_bytes, 0, buflen - stored_bytes);
+    }
+
+    return (0);
+}
+
 /*
  * Export X into unsigned binary data, big endian
  */
-int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t buflen) {
-    size_t i, j, n;
+int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
+                             unsigned char *buf, size_t buflen) {
+    size_t stored_bytes;
+    size_t bytes_to_copy;
+    unsigned char *p;
+    size_t i;
 
-    n = mbedtls_mpi_size(X);
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
 
-    if (buflen < n)
-        return (MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+    stored_bytes = X->n * ciL;
 
-    memset(buf, 0, buflen);
+    if (stored_bytes < buflen) {
+        /* There is enough space in the output buffer. Write initial
+         * null bytes and record the position at which to start
+         * writing the significant bytes. In this case, the execution
+         * trace of this function does not depend on the value of the
+         * number. */
+        bytes_to_copy = stored_bytes;
+        p = buf + buflen - stored_bytes;
+        memset(buf, 0, buflen - stored_bytes);
+    } else {
+        /* The output buffer is smaller than the allocated size of X.
+         * However X may fit if its leading bytes are zero. */
+        bytes_to_copy = buflen;
+        p = buf;
+        for (i = bytes_to_copy; i < stored_bytes; i++) {
+            if (GET_BYTE(X, i) != 0)
+                return (MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+        }
+    }
 
-    for (i = buflen - 1, j = 0; n > 0; i--, j++, n--)
-        buf[i] = (unsigned char)(X->p[j / ciL] >> ((j % ciL) << 3));
+    for (i = 0; i < bytes_to_copy; i++)
+        p[bytes_to_copy - i - 1] = GET_BYTE(X, i);
 
     return (0);
 }
@@ -673,9 +924,10 @@ int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t bu
  * Left-shift: X <<= count
  */
 int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, v0, t1;
     mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET(X != NULL);
 
     v0 = count / (biL);
     t1 = count & (biL - 1);
@@ -721,6 +973,7 @@ cleanup:
 int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) {
     size_t i, v0, v1;
     mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET(X != NULL);
 
     v0 = count /  biL;
     v1 = count & (biL - 1);
@@ -759,6 +1012,8 @@ int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) {
  */
 int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) {
     size_t i, j;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
 
     for (i = X->n; i > 0; i--)
         if (X->p[i - 1] != 0)
@@ -787,6 +1042,8 @@ int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) {
  */
 int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y) {
     size_t i, j;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
 
     for (i = X->n; i > 0; i--)
         if (X->p[i - 1] != 0)
@@ -813,12 +1070,111 @@ int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y) {
     return (0);
 }
 
+/** Decide if an integer is less than the other, without branches.
+ *
+ * \param x         First integer.
+ * \param y         Second integer.
+ *
+ * \return          1 if \p x is less than \p y, 0 otherwise
+ */
+static unsigned ct_lt_mpi_uint(const mbedtls_mpi_uint x,
+                               const mbedtls_mpi_uint y) {
+    mbedtls_mpi_uint ret;
+    mbedtls_mpi_uint cond;
+
+    /*
+     * Check if the most significant bits (MSB) of the operands are different.
+     */
+    cond = (x ^ y);
+    /*
+     * If the MSB are the same then the difference x-y will be negative (and
+     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+     */
+    ret = (x - y) & ~cond;
+    /*
+     * If the MSB are different, then the operand with the MSB of 1 is the
+     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+     * the MSB of y is 0.)
+     */
+    ret |= y & cond;
+
+
+    ret = ret >> (biL - 1);
+
+    return (unsigned) ret;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, const mbedtls_mpi *Y,
+                          unsigned *ret) {
+    size_t i;
+    /* The value of any of these variables is either 0 or 1 at all times. */
+    unsigned cond, done, X_is_negative, Y_is_negative;
+
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(Y != NULL);
+    MPI_VALIDATE_RET(ret != NULL);
+
+    if (X->n != Y->n)
+        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+    /*
+     * Set sign_N to 1 if N >= 0, 0 if N < 0.
+     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+     */
+    X_is_negative = (X->s & 2) >> 1;
+    Y_is_negative = (Y->s & 2) >> 1;
+
+    /*
+     * If the signs are different, then the positive operand is the bigger.
+     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+     * is false if X is positive (X_is_negative == 0).
+     */
+    cond = (X_is_negative ^ Y_is_negative);
+    *ret = cond & X_is_negative;
+
+    /*
+     * This is a constant-time function. We might have the result, but we still
+     * need to go through the loop. Record if we have the result already.
+     */
+    done = cond;
+
+    for (i = X->n; i > 0; i--) {
+        /*
+         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
+         * X and Y are negative.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint(Y->p[i - 1], X->p[i - 1]);
+        *ret |= cond & (1 - done) & X_is_negative;
+        done |= cond;
+
+        /*
+         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
+         * X and Y are positive.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint(X->p[i - 1], Y->p[i - 1]);
+        *ret |= cond & (1 - done) & (1 - X_is_negative);
+        done |= cond;
+    }
+
+    return (0);
+}
+
 /*
  * Compare signed values
  */
 int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z) {
     mbedtls_mpi Y;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET(X != NULL);
 
     *p  = (z < 0) ? -z : z;
     Y.s = (z < 0) ? -1 : 1;
@@ -832,9 +1188,12 @@ int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z) {
  * Unsigned addition: X = |A| + |B|  (HAC 14.7)
  */
 int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, j;
     mbedtls_mpi_uint *o, *p, c, tmp;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
     if (X == B) {
         const mbedtls_mpi *T = A;
@@ -888,10 +1247,24 @@ cleanup:
     return (ret);
 }
 
-/*
- * Helper for mbedtls_mpi subtraction
+/**
+ * Helper for mbedtls_mpi subtraction.
+ *
+ * Calculate d - s where d and s have the same size.
+ * This function operates modulo (2^ciL)^n and returns the carry
+ * (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
+ *
+ * \param n             Number of limbs of \p d and \p s.
+ * \param[in,out] d     On input, the left operand.
+ *                      On output, the result of the subtraction:
+ * \param[in] s         The right operand.
+ *
+ * \return              1 if `d < s`.
+ *                      0 if `d >= s`.
  */
-static void mpi_sub_hlp(size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d) {
+static mbedtls_mpi_uint mpi_sub_hlp(size_t n,
+                                    mbedtls_mpi_uint *d,
+                                    const mbedtls_mpi_uint *s) {
     size_t i;
     mbedtls_mpi_uint c, z;
 
@@ -902,24 +1275,20 @@ static void mpi_sub_hlp(size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d) {
         *d -= *s;
     }
 
-    while (c != 0) {
-        z = (*d < c);
-        *d -= c;
-        c = z;
-        d++;
-    }
+    return (c);
 }
 
 /*
- * Unsigned subtraction: X = |A| - |B|  (HAC 14.9)
+ * Unsigned subtraction: X = |A| - |B|  (HAC 14.9, 14.10)
  */
 int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) {
     mbedtls_mpi TB;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n;
-
-    if (mbedtls_mpi_cmp_abs(A, B) < 0)
-        return (MBEDTLS_ERR_MPI_NEGATIVE_VALUE);
+    mbedtls_mpi_uint carry;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
     mbedtls_mpi_init(&TB);
 
@@ -941,8 +1310,25 @@ int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     for (n = B->n; n > 0; n--)
         if (B->p[n - 1] != 0)
             break;
+    if (n > A->n) {
+        /* B >= (2^ciL)^n > A */
+        ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+        goto cleanup;
+    }
 
-    mpi_sub_hlp(n, B->p, X->p);
+    carry = mpi_sub_hlp(n, X->p, B->p);
+    if (carry != 0) {
+        /* Propagate the carry to the first nonzero limb of X. */
+        for (; n < X->n && X->p[n] == 0; n++)
+            --X->p[n];
+        /* If we ran out of space for the carry, it means that the result
+         * is negative. */
+        if (n == X->n) {
+            ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+            goto cleanup;
+        }
+        --X->p[n];
+    }
 
 cleanup:
 
@@ -955,8 +1341,12 @@ cleanup:
  * Signed addition: X = A + B
  */
 int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret, s = A->s;
+    int ret, s;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
+    s = A->s;
     if (A->s * B->s < 0) {
         if (mbedtls_mpi_cmp_abs(A, B) >= 0) {
             MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
@@ -979,8 +1369,12 @@ cleanup:
  * Signed subtraction: X = A - B
  */
 int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret, s = A->s;
+    int ret, s;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
+    s = A->s;
     if (A->s * B->s > 0) {
         if (mbedtls_mpi_cmp_abs(A, B) >= 0) {
             MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
@@ -1005,6 +1399,8 @@ cleanup:
 int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
 
     p[0] = (b < 0) ? -b : b;
     _B.s = (b < 0) ? -1 : 1;
@@ -1020,6 +1416,8 @@ int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b
 int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
 
     p[0] = (b < 0) ? -b : b;
     _B.s = (b < 0) ? -1 : 1;
@@ -1100,9 +1498,12 @@ void mpi_mul_hlp(size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi
  * Baseline multiplication: X = A * B  (HAC 14.12)
  */
 int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, j;
     mbedtls_mpi TA, TB;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
     mbedtls_mpi_init(&TA);
     mbedtls_mpi_init(&TB);
@@ -1140,6 +1541,8 @@ cleanup:
 int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b) {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
 
     _B.s = 1;
     _B.n = 1;
@@ -1244,10 +1647,14 @@ static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
 /*
  * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
  */
-int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret;
+int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, n, t, k;
     mbedtls_mpi X, Y, Z, T1, T2;
+    mbedtls_mpi_uint TP2[3];
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
     if (mbedtls_mpi_cmp_int(B, 0) == 0)
         return (MBEDTLS_ERR_MPI_DIVISION_BY_ZERO);
@@ -1256,7 +1663,16 @@ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, co
     mbedtls_mpi_init(&Y);
     mbedtls_mpi_init(&Z);
     mbedtls_mpi_init(&T1);
-    mbedtls_mpi_init(&T2);
+    /*
+     * Avoid dynamic memory allocations for constant-size T2.
+     *
+     * T2 is used for comparison only and the 3 limbs are assigned explicitly,
+     * so nobody increase the size of the MPI and we're safe to use an on-stack
+     * buffer.
+     */
+    T2.s = 1;
+    T2.n = sizeof(TP2) / sizeof(*TP2);
+    T2.p = TP2;
 
     if (mbedtls_mpi_cmp_abs(A, B) < 0) {
         if (Q != NULL) MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
@@ -1271,7 +1687,6 @@ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, co
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z,  0));
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, 2));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T2, 3));
 
     k = mbedtls_mpi_bitlen(&Y) % biL;
     if (k < biL - 1) {
@@ -1298,6 +1713,10 @@ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, co
                                                  Y.p[t], NULL);
         }
 
+        T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
+        T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
+        T2.p[2] = X.p[i];
+
         Z.p[i - t - 1]++;
         do {
             Z.p[i - t - 1]--;
@@ -1306,11 +1725,6 @@ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, co
             T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
             T1.p[1] = Y.p[t];
             MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
-
-            MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T2, 0));
-            T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
-            T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
-            T2.p[2] = X.p[i];
         } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
 
         MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
@@ -1345,7 +1759,7 @@ cleanup:
     mbedtls_mpi_free(&Y);
     mbedtls_mpi_free(&Z);
     mbedtls_mpi_free(&T1);
-    mbedtls_mpi_free(&T2);
+    mbedtls_platform_zeroize(TP2, sizeof(TP2));
 
     return (ret);
 }
@@ -1353,9 +1767,12 @@ cleanup:
 /*
  * Division by int: A = Q * b + R
  */
-int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b) {
+int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
+                        const mbedtls_mpi *A,
+                        mbedtls_mpi_sint b) {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET(A != NULL);
 
     p[0] = (b < 0) ? -b : b;
     _B.s = (b < 0) ? -1 : 1;
@@ -1369,7 +1786,10 @@ int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mb
  * Modulo: R = A mod B
  */
 int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MPI_VALIDATE_RET(R != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
     if (mbedtls_mpi_cmp_int(B, 0) < 0)
         return (MBEDTLS_ERR_MPI_NEGATIVE_VALUE);
@@ -1393,6 +1813,8 @@ cleanup:
 int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b) {
     size_t i;
     mbedtls_mpi_uint x, y, z;
+    MPI_VALIDATE_RET(r != NULL);
+    MPI_VALIDATE_RET(A != NULL);
 
     if (b == 0)
         return (MBEDTLS_ERR_MPI_DIVISION_BY_ZERO);
@@ -1456,17 +1878,33 @@ static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N) {
     *mm = ~x + 1;
 }
 
-/*
- * Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+/** Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+ *
+ * \param[in,out]   A   One of the numbers to multiply.
+ *                      It must have at least as many limbs as N
+ *                      (A->n >= N->n), and any limbs beyond n are ignored.
+ *                      On successful completion, A contains the result of
+ *                      the multiplication A * B * R^-1 mod N where
+ *                      R = (2^ciL)^n.
+ * \param[in]       B   One of the numbers to multiply.
+ *                      It must be nonzero and must not have more limbs than N
+ *                      (B->n <= N->n).
+ * \param[in]       N   The modulo. N must be odd.
+ * \param           mm  The value calculated by `mpi_montg_init(&mm, N)`.
+ *                      This is -N^-1 mod 2^ciL.
+ * \param[in,out]   T   A bignum for temporary storage.
+ *                      It must be at least twice the limb size of N plus 2
+ *                      (T->n >= 2 * (N->n + 1)).
+ *                      Its initial content is unused and
+ *                      its final content is indeterminate.
+ *                      Note that unlike the usual convention in the library
+ *                      for `const mbedtls_mpi*`, the content of T can change.
  */
-static int mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
-                       const mbedtls_mpi *T) {
+static void mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+                        const mbedtls_mpi *T) {
     size_t i, n, m;
     mbedtls_mpi_uint u0, u1, *d;
 
-    if (T->n < N->n + 1 || T->p == NULL)
-        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
-
     memset(T->p, 0, T->n * ciL);
 
     d = T->p;
@@ -1487,48 +1925,72 @@ static int mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *
         d[n + 1] = 0;
     }
 
-    memcpy(A->p, d, (n + 1) * ciL);
+    /* At this point, d is either the desired result or the desired result
+     * plus N. We now potentially subtract N, avoiding leaking whether the
+     * subtraction is performed through side channels. */
 
-    if (mbedtls_mpi_cmp_abs(A, N) >= 0)
-        mpi_sub_hlp(n, N->p, A->p);
-    else
-        /* prevent timing attacks */
-        mpi_sub_hlp(n, A->p, T->p);
-
-    return (0);
+    /* Copy the n least significant limbs of d to A, so that
+     * A = d if d < N (recall that N has n limbs). */
+    memcpy(A->p, d, n * ciL);
+    /* If d >= N then we want to set A to d - N. To prevent timing attacks,
+     * do the calculation without using conditional tests. */
+    /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
+    d[n] += 1;
+    d[n] -= mpi_sub_hlp(n, d, N->p);
+    /* If d0 < N then d < (2^biL)^n
+     * so d[n] == 0 and we want to keep A as it is.
+     * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
+     * so d[n] == 1 and we want to set A to the result of the subtraction
+     * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
+     * This exactly corresponds to a conditional assignment. */
+    mpi_safe_cond_assign(n, A->p, d, (unsigned char) d[n]);
 }
 
 /*
  * Montgomery reduction: A = A * R^-1 mod N
+ *
+ * See mpi_montmul() regarding constraints and guarantees on the parameters.
  */
-static int mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T) {
+static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
+                        mbedtls_mpi_uint mm, const mbedtls_mpi *T) {
     mbedtls_mpi_uint z = 1;
     mbedtls_mpi U;
 
     U.n = U.s = (int) z;
     U.p = &z;
 
-    return (mpi_montmul(A, &U, N, mm, T));
+    mpi_montmul(A, &U, N, mm, T);
 }
 
 /*
  * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
  */
-int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR) {
-    int ret;
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *E, const mbedtls_mpi *N,
+                        mbedtls_mpi *_RR) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t wbits, wsize, one = 1;
     size_t i, j, nblimbs;
     size_t bufsize, nbits;
     mbedtls_mpi_uint ei, mm, state;
-    mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+    mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
     int neg;
 
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(E != NULL);
+    MPI_VALIDATE_RET(N != NULL);
+
     if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
 
     if (mbedtls_mpi_cmp_int(E, 0) < 0)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
 
+    if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
+            mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS)
+        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
+
     /*
      * Init temps and window size
      */
@@ -1543,8 +2005,10 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     wsize = (i > 671) ? 6 : (i > 239) ? 5 :
             (i >  79) ? 4 : (i >  23) ? 3 : 1;
 
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
     if (wsize > MBEDTLS_MPI_WINDOW_SIZE)
         wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
 
     j = N->n + 1;
     MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
@@ -1582,13 +2046,13 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     else
         MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
 
-    MBEDTLS_MPI_CHK(mpi_montmul(&W[1], &RR, N, mm, &T));
+    mpi_montmul(&W[1], &RR, N, mm, &T);
 
     /*
      * X = R^2 * R^-1 mod N = R mod N
      */
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &RR));
-    MBEDTLS_MPI_CHK(mpi_montred(X, N, mm, &T));
+    mpi_montred(X, N, mm, &T);
 
     if (wsize > 1) {
         /*
@@ -1600,7 +2064,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
         MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
 
         for (i = 0; i < wsize - 1; i++)
-            MBEDTLS_MPI_CHK(mpi_montmul(&W[j], &W[j], N, mm, &T));
+            mpi_montmul(&W[j], &W[j], N, mm, &T);
 
         /*
          * W[i] = W[i - 1] * W[1]
@@ -1609,7 +2073,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
             MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
             MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
 
-            MBEDTLS_MPI_CHK(mpi_montmul(&W[i], &W[1], N, mm, &T));
+            mpi_montmul(&W[i], &W[1], N, mm, &T);
         }
     }
 
@@ -1643,7 +2107,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
             /*
              * out of window, square X
              */
-            MBEDTLS_MPI_CHK(mpi_montmul(X, X, N, mm, &T));
+            mpi_montmul(X, X, N, mm, &T);
             continue;
         }
 
@@ -1660,12 +2124,12 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
              * X = X^wsize R^-1 mod N
              */
             for (i = 0; i < wsize; i++)
-                MBEDTLS_MPI_CHK(mpi_montmul(X, X, N, mm, &T));
+                mpi_montmul(X, X, N, mm, &T);
 
             /*
              * X = X * W[wbits] R^-1 mod N
              */
-            MBEDTLS_MPI_CHK(mpi_montmul(X, &W[wbits], N, mm, &T));
+            mpi_montmul(X, &W[wbits], N, mm, &T);
 
             state--;
             nbits = 0;
@@ -1677,18 +2141,18 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
      * process the remaining bits
      */
     for (i = 0; i < nbits; i++) {
-        MBEDTLS_MPI_CHK(mpi_montmul(X, X, N, mm, &T));
+        mpi_montmul(X, X, N, mm, &T);
 
         wbits <<= 1;
 
         if ((wbits & (one << wsize)) != 0)
-            MBEDTLS_MPI_CHK(mpi_montmul(X, &W[1], N, mm, &T));
+            mpi_montmul(X, &W[1], N, mm, &T);
     }
 
     /*
      * X = A^E * R * R^-1 mod N = A^E mod N
      */
-    MBEDTLS_MPI_CHK(mpi_montred(X, N, mm, &T));
+    mpi_montred(X, N, mm, &T);
 
     if (neg && E->n != 0 && (E->p[0] & 1) != 0) {
         X->s = -1;
@@ -1714,11 +2178,14 @@ cleanup:
  * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
  */
 int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t lz, lzt;
-    mbedtls_mpi TG, TA, TB;
+    mbedtls_mpi TA, TB;
+
+    MPI_VALIDATE_RET(G != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(B != NULL);
 
-    mbedtls_mpi_init(&TG);
     mbedtls_mpi_init(&TA);
     mbedtls_mpi_init(&TB);
 
@@ -1754,7 +2221,6 @@ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
 
 cleanup:
 
-    mbedtls_mpi_free(&TG);
     mbedtls_mpi_free(&TA);
     mbedtls_mpi_free(&TB);
 
@@ -1771,17 +2237,28 @@ cleanup:
 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng) {
-    int ret;
-    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t const limbs = CHARS_TO_LIMBS(size);
+    size_t const overhead = (limbs * ciL) - size;
+    unsigned char *Xp;
 
-    if (size > MBEDTLS_MPI_MAX_SIZE)
-        return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
+    MPI_VALIDATE_RET(X     != NULL);
+    MPI_VALIDATE_RET(f_rng != NULL);
 
-    MBEDTLS_MPI_CHK(f_rng(p_rng, buf, size));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(X, buf, size));
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if (X->n != limbs) {
+        mbedtls_mpi_free(X);
+        mbedtls_mpi_init(X);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, limbs));
+    }
+    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+    Xp = (unsigned char *) X->p;
+    MBEDTLS_MPI_CHK(f_rng(p_rng, Xp + overhead, size));
+
+    mpi_bigendian_to_host(X->p, limbs);
 
 cleanup:
-    mbedtls_platform_zeroize(buf, sizeof(buf));
     return (ret);
 }
 
@@ -1789,8 +2266,11 @@ cleanup:
  * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
  */
 int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+    MPI_VALIDATE_RET(X != NULL);
+    MPI_VALIDATE_RET(A != NULL);
+    MPI_VALIDATE_RET(N != NULL);
 
     if (mbedtls_mpi_cmp_int(N, 1) <= 0)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
@@ -1941,13 +2421,16 @@ cleanup:
 /*
  * Miller-Rabin pseudo-primality test  (HAC 4.24)
  */
-static int mpi_miller_rabin(const mbedtls_mpi *X,
+static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng) {
     int ret, count;
-    size_t i, j, k, n, s;
+    size_t i, j, k, s;
     mbedtls_mpi W, R, T, A, RR;
 
+    MPI_VALIDATE_RET(X     != NULL);
+    MPI_VALIDATE_RET(f_rng != NULL);
+
     mbedtls_mpi_init(&W);
     mbedtls_mpi_init(&R);
     mbedtls_mpi_init(&T);
@@ -1963,26 +2446,10 @@ static int mpi_miller_rabin(const mbedtls_mpi *X,
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
     MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
 
-    i = mbedtls_mpi_bitlen(X);
-    /*
-     * HAC, table 4.4
-     */
-    n = ((i >= 1300) ?  2 : (i >=  850) ?  3 :
-         (i >=  650) ?  4 : (i >=  350) ?  8 :
-         (i >=  250) ? 12 : (i >=  150) ? 18 : 27);
-
-    for (i = 0; i < n; i++) {
+    for (i = 0; i < rounds; i++) {
         /*
          * pick a random A, 1 < A < |X| - 1
          */
-        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
-
-        if (mbedtls_mpi_cmp_mpi(&A, &W) >= 0) {
-            j = mbedtls_mpi_bitlen(&A) - mbedtls_mpi_bitlen(&W);
-            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&A, j + 1));
-        }
-        A.p[0] |= 3;
-
         count = 0;
         do {
             MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
@@ -1990,11 +2457,12 @@ static int mpi_miller_rabin(const mbedtls_mpi *X,
             j = mbedtls_mpi_bitlen(&A);
             k = mbedtls_mpi_bitlen(&W);
             if (j > k) {
-                MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&A, j - k));
+                A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
             }
 
             if (count++ > 30) {
-                return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+                ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+                goto cleanup;
             }
 
         } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
@@ -2046,11 +2514,13 @@ cleanup:
 /*
  * Pseudo-primality test: small factors, then Miller-Rabin
  */
-int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
-                         int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng) {
-    int ret;
+int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi XX;
+    MPI_VALIDATE_RET(X     != NULL);
+    MPI_VALIDATE_RET(f_rng != NULL);
 
     XX.s = 1;
     XX.n = X->n;
@@ -2070,17 +2540,36 @@ int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
         return (ret);
     }
 
-    return (mpi_miller_rabin(&XX, f_rng, p_rng));
+    return (mpi_miller_rabin(&XX, rounds, f_rng, p_rng));
 }
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Pseudo-primality test, error probability 2^-80
+ */
+int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng) {
+    MPI_VALIDATE_RET(X     != NULL);
+    MPI_VALIDATE_RET(f_rng != NULL);
+
+    /*
+     * In the past our key generation aimed for an error rate of at most
+     * 2^-80. Since this function is deprecated, aim for the same certainty
+     * here as well.
+     */
+    return (mbedtls_mpi_is_prime_ext(X, 40, f_rng, p_rng));
+}
+#endif
+
 /*
  * Prime number generation
  *
- * If dh_flag is 0 and nbits is at least 1024, then the procedure
- * follows the RSA probably-prime generation method of FIPS 186-4.
- * NB. FIPS 186-4 only allows the specific bit lengths of 1024 and 1536.
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
  */
-int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
+int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
                           int (*f_rng)(void *, unsigned char *, size_t),
                           void *p_rng) {
 #ifdef MBEDTLS_HAVE_INT64
@@ -2092,9 +2581,13 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
 #endif
     int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
     size_t k, n;
+    int rounds;
     mbedtls_mpi_uint r;
     mbedtls_mpi Y;
 
+    MPI_VALIDATE_RET(X     != NULL);
+    MPI_VALIDATE_RET(f_rng != NULL);
+
     if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS)
         return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
 
@@ -2102,6 +2595,24 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
 
     n = BITS_TO_LIMBS(nbits);
 
+    if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
+        /*
+         * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+         */
+        rounds = ((nbits >= 1300) ?  2 : (nbits >=  850) ?  3 :
+                  (nbits >=  650) ?  4 : (nbits >=  350) ?  8 :
+                  (nbits >=  250) ? 12 : (nbits >=  150) ? 18 : 27);
+    } else {
+        /*
+         * 2^-100 error probability, number of rounds computed based on HAC,
+         * fact 4.48
+         */
+        rounds = ((nbits >= 1450) ?  4 : (nbits >=  1150) ?  5 :
+                  (nbits >= 1000) ?  6 : (nbits >=   850) ?  7 :
+                  (nbits >=  750) ?  8 : (nbits >=   500) ? 13 :
+                  (nbits >=  250) ? 28 : (nbits >=   150) ? 40 : 51);
+    }
+
     while (1) {
         MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
         /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
@@ -2111,8 +2622,8 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
         if (k > nbits) MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
         X->p[0] |= 1;
 
-        if (dh_flag == 0) {
-            ret = mbedtls_mpi_is_prime(X, f_rng, p_rng);
+        if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
+            ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
 
             if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE)
                 goto cleanup;
@@ -2142,8 +2653,10 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
                  */
                 if ((ret = mpi_check_small_factors(X)) == 0 &&
                         (ret = mpi_check_small_factors(&Y)) == 0 &&
-                        (ret = mpi_miller_rabin(X, f_rng, p_rng)) == 0 &&
-                        (ret = mpi_miller_rabin(&Y, f_rng, p_rng)) == 0)
+                        (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
+                        == 0 &&
+                        (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
+                        == 0)
                     goto cleanup;
 
                 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE)
@@ -2327,7 +2840,7 @@ int mbedtls_mpi_self_test(int verbose) {
 cleanup:
 
     if (ret != 0 && verbose != 0)
-        mbedtls_printf("Unexpected error, return code = %08X\n", ret);
+        mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
 
     mbedtls_mpi_free(&A);
     mbedtls_mpi_free(&E);
diff --git a/common/mbedtls/bignum.h b/common/mbedtls/bignum.h
index d7319c99c..aa1aed00f 100644
--- a/common/mbedtls/bignum.h
+++ b/common/mbedtls/bignum.h
@@ -4,30 +4,26 @@
  * \brief Multi-precision integer library
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_BIGNUM_H
 #define MBEDTLS_BIGNUM_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -48,7 +44,12 @@
 #define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
 #define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
 
-#define MBEDTLS_MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 )
+#define MBEDTLS_MPI_CHK(f)       \
+    do                           \
+    {                            \
+        if( ( ret = (f) ) != 0 ) \
+            goto cleanup;        \
+    } while( 0 )
 
 /*
  * Maximum size MPIs are allowed to grow to in number of limbs.
@@ -60,12 +61,12 @@
  * Maximum window size used for modular exponentiation. Default: 6
  * Minimum value: 1. Maximum value: 6.
  *
- * Result is an array of ( 2 << MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
  * for the sliding window calculation. (So 64 by default)
  *
  * Reduction in size, reduces speed.
  */
-#define MBEDTLS_MPI_WINDOW_SIZE                           6        /**< Maximum windows size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE                           6        /**< Maximum window size used. */
 #endif /* !MBEDTLS_MPI_WINDOW_SIZE */
 
 #if !defined(MBEDTLS_MPI_MAX_SIZE)
@@ -126,7 +127,8 @@ typedef uint64_t mbedtls_mpi_uint;
         defined(__ppc64__) || defined(__powerpc64__)  || \
         defined(__ia64__)  || defined(__alpha__)      || \
         ( defined(__sparc__) && defined(__arch64__) ) || \
-        defined(__s390x__) || defined(__mips64) )
+        defined(__s390x__) || defined(__mips64)       || \
+        defined(__aarch64__) )
 #if !defined(MBEDTLS_HAVE_INT64)
 #define MBEDTLS_HAVE_INT64
 #endif /* MBEDTLS_HAVE_INT64 */
@@ -180,103 +182,122 @@ extern "C" {
  * \brief          MPI structure
  */
 typedef struct mbedtls_mpi {
-    int s;              /*!<  integer sign      */
+    int s;              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
     size_t n;           /*!<  total # of limbs  */
     mbedtls_mpi_uint *p;          /*!<  pointer to limbs  */
 }
 mbedtls_mpi;
 
 /**
- * \brief           Initialize one MPI (make internal references valid)
- *                  This just makes it ready to be set or freed,
+ * \brief           Initialize an MPI context.
+ *
+ *                  This makes the MPI ready to be set or freed,
  *                  but does not define a value for the MPI.
  *
- * \param X         One MPI to initialize.
+ * \param X         The MPI context to initialize. This must not be \c NULL.
  */
 void mbedtls_mpi_init(mbedtls_mpi *X);
 
 /**
- * \brief          Unallocate one MPI
+ * \brief          This function frees the components of an MPI context.
  *
- * \param X        One MPI to unallocate.
+ * \param X        The MPI context to be cleared. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is
+ *                 not \c NULL, it must point to an initialized MPI.
  */
 void mbedtls_mpi_free(mbedtls_mpi *X);
 
 /**
- * \brief          Enlarge to the specified number of limbs
+ * \brief          Enlarge an MPI to the specified number of limbs.
  *
- *                 This function does nothing if the MPI is already large enough.
+ * \note           This function does nothing if the MPI is
+ *                 already large enough.
  *
- * \param X        MPI to grow
- * \param nblimbs  The target number of limbs
+ * \param X        The MPI to grow. It must be initialized.
+ * \param nblimbs  The target number of limbs.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs);
 
 /**
- * \brief          Resize down, keeping at least the specified number of limbs
+ * \brief          This function resizes an MPI downwards, keeping at least the
+ *                 specified number of limbs.
  *
  *                 If \c X is smaller than \c nblimbs, it is resized up
  *                 instead.
  *
- * \param X        MPI to shrink
- * \param nblimbs  The minimum number of limbs to keep
+ * \param X        The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs  The minimum number of limbs to keep.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
  *                 (this can only happen when resizing up).
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs);
 
 /**
- * \brief          Copy the contents of Y into X
+ * \brief          Make a copy of an MPI.
  *
- * \param X        Destination MPI. It is enlarged if necessary.
- * \param Y        Source MPI.
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param Y        The source MPI. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \note           The limb-buffer in the destination MPI is enlarged
+ *                 if necessary to hold the value in the source MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y);
 
 /**
- * \brief          Swap the contents of X and Y
+ * \brief          Swap the contents of two MPIs.
  *
- * \param X        First MPI value
- * \param Y        Second MPI value
+ * \param X        The first MPI. It must be initialized.
+ * \param Y        The second MPI. It must be initialized.
  */
 void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y);
 
 /**
- * \brief          Safe conditional assignement X = Y if assign is 1
+ * \brief          Perform a safe conditional copy of MPI which doesn't
+ *                 reveal whether the condition was true or not.
  *
- * \param X        MPI to conditionally assign to
- * \param Y        Value to be assigned
- * \param assign   1: perform the assignment, 0: keep X's original value
- *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X        The MPI to conditionally assign to. This must point
+ *                 to an initialized MPI.
+ * \param Y        The MPI to be assigned from. This must point to an
+ *                 initialized MPI.
+ * \param assign   The condition deciding whether to perform the
+ *                 assignment or not. Possible values:
+ *                 * \c 1: Perform the assignment `X = Y`.
+ *                 * \c 0: Keep the original value of \p X.
  *
  * \note           This function is equivalent to
- *                      if( assign ) mbedtls_mpi_copy( X, Y );
+ *                      `if( assign ) mbedtls_mpi_copy( X, Y );`
  *                 except that it avoids leaking any information about whether
  *                 the assignment was done or not (the above code may leak
  *                 information through branch prediction and/or memory access
  *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign);
 
 /**
- * \brief          Safe conditional swap X <-> Y if swap is 1
+ * \brief          Perform a safe conditional swap which doesn't
+ *                 reveal whether the condition was true or not.
  *
- * \param X        First mbedtls_mpi value
- * \param Y        Second mbedtls_mpi value
- * \param assign   1: perform the swap, 0: keep X and Y's original values
- *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X        The first MPI. This must be initialized.
+ * \param Y        The second MPI. This must be initialized.
+ * \param assign   The condition deciding whether to perform
+ *                 the swap or not. Possible values:
+ *                 * \c 1: Swap the values of \p X and \p Y.
+ *                 * \c 0: Keep the original values of \p X and \p Y.
  *
  * \note           This function is equivalent to
  *                      if( assign ) mbedtls_mpi_swap( X, Y );
@@ -284,415 +305,564 @@ int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
  *                 the assignment was done or not (the above code may leak
  *                 information through branch prediction and/or memory access
  *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ *
  */
 int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign);
 
 /**
- * \brief          Set value from integer
+ * \brief          Store integer value in MPI.
  *
- * \param X        MPI to set
- * \param z        Value to use
+ * \param X        The MPI to set. This must be initialized.
+ * \param z        The value to use.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z);
 
 /**
- * \brief          Get a specific bit from X
+ * \brief          Get a specific bit from an MPI.
  *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
+ * \param X        The MPI to query. This must be initialized.
+ * \param pos      Zero-based index of the bit to query.
  *
- * \return         Either a 0 or a 1
+ * \return         \c 0 or \c 1 on success, depending on whether bit \c pos
+ *                 of \c X is unset or set.
+ * \return         A negative error code on failure.
  */
 int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos);
 
 /**
- * \brief          Set a bit of X to a specific value of 0 or 1
+ * \brief          Modify a specific bit in an MPI.
  *
- * \note           Will grow X if necessary to set a bit to 1 in a not yet
- *                 existing limb. Will not grow if bit should be set to 0
+ * \note           This function will grow the target MPI if necessary to set a
+ *                 bit to \c 1 in a not yet existing limb. It will not grow if
+ *                 the bit should be set to \c 0.
  *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
- * \param val      The value to set the bit to (0 or 1)
+ * \param X        The MPI to modify. This must be initialized.
+ * \param pos      Zero-based index of the bit to modify.
+ * \param val      The desired value of bit \c pos: \c 0 or \c 1.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val);
 
 /**
- * \brief          Return the number of zero-bits before the least significant
- *                 '1' bit
+ * \brief          Return the number of bits of value \c 0 before the
+ *                 least significant bit of value \c 1.
  *
- * Note: Thus also the zero-based index of the least significant '1' bit
+ * \note           This is the same as the zero-based index of
+ *                 the least significant bit of value \c 1.
  *
- * \param X        MPI to use
+ * \param X        The MPI to query.
+ *
+ * \return         The number of bits of value \c 0 before the least significant
+ *                 bit of value \c 1 in \p X.
  */
 size_t mbedtls_mpi_lsb(const mbedtls_mpi *X);
 
 /**
  * \brief          Return the number of bits up to and including the most
- *                 significant '1' bit'
+ *                 significant bit of value \c 1.
  *
- * Note: Thus also the one-based index of the most significant '1' bit
+ * * \note         This is same as the one-based index of the most
+ *                 significant bit of value \c 1.
  *
- * \param X        MPI to use
+ * \param X        The MPI to query. This must point to an initialized MPI.
+ *
+ * \return         The number of bits up to and including the most
+ *                 significant bit of value \c 1.
  */
 size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X);
 
 /**
- * \brief          Return the total size in bytes
+ * \brief          Return the total size of an MPI value in bytes.
  *
- * \param X        MPI to use
+ * \param X        The MPI to use. This must point to an initialized MPI.
+ *
+ * \note           The value returned by this function may be less than
+ *                 the number of bytes used to store \p X internally.
+ *                 This happens if and only if there are trailing bytes
+ *                 of value zero.
+ *
+ * \return         The least number of bytes capable of storing
+ *                 the absolute value of \p X.
  */
 size_t mbedtls_mpi_size(const mbedtls_mpi *X);
 
 /**
- * \brief          Import from an ASCII string
+ * \brief          Import an MPI from an ASCII string.
  *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param s        Null-terminated string buffer
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the input string.
+ * \param s        Null-terminated string buffer.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s);
 
 /**
- * \brief          Export into an ASCII string
+ * \brief          Export an MPI to an ASCII string.
  *
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param buf      Buffer to write the string to
- * \param buflen   Length of buf
- * \param olen     Length of the string written, including final NUL byte
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the output string.
+ * \param buf      The buffer to write the string to. This must be writable
+ *                 buffer of length \p buflen Bytes.
+ * \param buflen   The available size in Bytes of \p buf.
+ * \param olen     The address at which to store the length of the string
+ *                 written, including the  final \c NULL byte. This must
+ *                 not be \c NULL.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code.
- *                 *olen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
+ * \note           You can call this function with `buflen == 0` to obtain the
+ *                 minimum required buffer size in `*olen`.
  *
- * \note           Call this function with buflen = 0 to obtain the
- *                 minimum required buffer size in *olen.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ *                 is too small to hold the value of \p X in the desired base.
+ *                 In this case, `*olen` is nonetheless updated to contain the
+ *                 size of \p buf required for a successful call.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
                              char *buf, size_t buflen, size_t *olen);
 
 #if defined(MBEDTLS_FS_IO)
 /**
- * \brief          Read MPI from a line in an opened file
+ * \brief          Read an MPI from a line in an opened file.
  *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param fin      Input file handle
- *
- * \return         0 if successful, MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if
- *                 the file read buffer is too small or a
- *                 MBEDTLS_ERR_MPI_XXX error code
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the string representation used
+ *                 in the source line.
+ * \param fin      The input file handle to use. This must not be \c NULL.
  *
  * \note           On success, this function advances the file stream
  *                 to the end of the current line or to EOF.
  *
- *                 The function returns 0 on an empty line.
+ *                 The function returns \c 0 on an empty line.
  *
  *                 Leading whitespaces are ignored, as is a
- *                 '0x' prefix for radix 16.
+ *                 '0x' prefix for radix \c 16.
  *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ *                 is too small.
+ * \return         Another negative error code on failure.
  */
 int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin);
 
 /**
- * \brief          Write X into an opened file, or stdout if fout is NULL
+ * \brief          Export an MPI into an opened file.
  *
- * \param p        Prefix, can be NULL
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param fout     Output file handle (can be NULL)
+ * \param p        A string prefix to emit prior to the MPI data.
+ *                 For example, this might be a label, or "0x" when
+ *                 printing in base \c 16. This may be \c NULL if no prefix
+ *                 is needed.
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base to be used in the emitted string.
+ * \param fout     The output file handle. This may be \c NULL, in which case
+ *                 the output is written to \c stdout.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
- *
- * \note           Set fout == NULL to print X on the console.
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout);
+int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X,
+                           int radix, FILE *fout);
 #endif /* MBEDTLS_FS_IO */
 
 /**
- * \brief          Import X from unsigned binary data, big endian
+ * \brief          Import an MPI from unsigned big endian binary data.
  *
- * \param X        Destination MPI
- * \param buf      Input buffer
- * \param buflen   Input buffer size
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen);
+int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf,
+                            size_t buflen);
+
+/**
+ * \brief          Import X from unsigned binary data, little endian
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
+                               const unsigned char *buf, size_t buflen);
 
 /**
  * \brief          Export X into unsigned binary data, big endian.
  *                 Always fills the whole buffer, which will start with zeros
  *                 if the number is smaller.
  *
- * \param X        Source MPI
- * \param buf      Output buffer
- * \param buflen   Output buffer size
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t buflen);
+int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf,
+                             size_t buflen);
 
 /**
- * \brief          Left-shift: X <<= count
+ * \brief          Export X into unsigned binary data, little endian.
+ *                 Always fills the whole buffer, which will end with zeros
+ *                 if the number is smaller.
  *
- * \param X        MPI to shift
- * \param count    Amount to shift
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
+                                unsigned char *buf, size_t buflen);
+
+/**
+ * \brief          Perform a left-shift on an MPI: X <<= count
+ *
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count);
 
 /**
- * \brief          Right-shift: X >>= count
+ * \brief          Perform a right-shift on an MPI: X >>= count
  *
- * \param X        MPI to shift
- * \param count    Amount to shift
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count);
 
 /**
- * \brief          Compare unsigned values
+ * \brief          Compare the absolute values of two MPIs.
  *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
  *
- * \return         1 if |X| is greater than |Y|,
- *                -1 if |X| is lesser  than |Y| or
- *                 0 if |X| is equal to |Y|
+ * \return         \c 1 if `|X|` is greater than `|Y|`.
+ * \return         \c -1 if `|X|` is lesser than `|Y|`.
+ * \return         \c 0 if `|X|` is equal to `|Y|`.
  */
 int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y);
 
 /**
- * \brief          Compare signed values
+ * \brief          Compare two MPIs.
  *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
  *
- * \return         1 if X is greater than Y,
- *                -1 if X is lesser  than Y or
- *                 0 if X is equal to Y
+ * \return         \c 1 if \p X is greater than \p Y.
+ * \return         \c -1 if \p X is lesser than \p Y.
+ * \return         \c 0 if \p X is equal to \p Y.
  */
 int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y);
 
 /**
- * \brief          Compare signed values
+ * \brief          Check if an MPI is less than the other in constant time.
  *
- * \param X        Left-hand MPI
- * \param z        The integer value to compare to
+ * \param X        The left-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as Y.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as X.
+ * \param ret      The result of the comparison:
+ *                 \c 1 if \p X is less than \p Y.
+ *                 \c 0 if \p X is greater than or equal to \p Y.
  *
- * \return         1 if X is greater than z,
- *                -1 if X is lesser  than z or
- *                 0 if X is equal to z
+ * \return         0 on success.
+ * \return         MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
+ *                 the two input MPIs is not the same.
+ */
+int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, const mbedtls_mpi *Y,
+                          unsigned *ret);
+
+/**
+ * \brief          Compare an MPI with an integer.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param z        The integer value to compare \p X to.
+ *
+ * \return         \c 1 if \p X is greater than \p z.
+ * \return         \c -1 if \p X is lesser than \p z.
+ * \return         \c 0 if \p X is equal to \p z.
  */
 int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z);
 
 /**
- * \brief          Unsigned addition: X = |A| + |B|
+ * \brief          Perform an unsigned addition of MPIs: X = |A| + |B|
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Unsigned subtraction: X = |A| - |B|
+ * \brief          Perform an unsigned subtraction of MPIs: X = |A| - |B|
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B is greater than A
  */
-int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Signed addition: X = A + B
+ * \brief          Perform a signed addition of MPIs: X = A + B
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Signed subtraction: X = A - B
+ * \brief          Perform a signed subtraction of MPIs: X = A - B
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Signed addition: X = A + b
+ * \brief          Perform a signed addition of an MPI and an integer: X = A + b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to add
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param b        The second summand.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b);
+int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        mbedtls_mpi_sint b);
 
 /**
- * \brief          Signed subtraction: X = A - b
+ * \brief          Perform a signed subtraction of an MPI and an integer:
+ *                 X = A - b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to subtract
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param b        The subtrahend.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b);
+int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        mbedtls_mpi_sint b);
 
 /**
- * \brief          Baseline multiplication: X = A * B
+ * \brief          Perform a multiplication of two MPIs: X = A * B
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param B        The second factor. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
  */
-int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Baseline multiplication: X = A * b
+ * \brief          Perform a multiplication of an MPI with an unsigned integer:
+ *                 X = A * b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The unsigned integer value to multiply with
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param b        The second factor.
  *
- * \note           b is unsigned
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
  */
-int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b);
+int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        mbedtls_mpi_uint b);
 
 /**
- * \brief          Division by mbedtls_mpi: A = Q * B + R
+ * \brief          Perform a division with remainder of two MPIs:
+ *                 A = Q * B + R
  *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param B        The divisor. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0
- *
- * \note           Either Q or R can be NULL.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Division by int: A = Q * b + R
+ * \brief          Perform a division with remainder of an MPI by an integer:
+ *                 A = Q * b + R
  *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param b        The divisor.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0
- *
- * \note           Either Q or R can be NULL.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b);
+int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                        mbedtls_mpi_sint b);
 
 /**
- * \brief          Modulo: R = A mod B
+ * \brief          Perform a modular reduction. R = A mod B
  *
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param R        The destination MPI for the residue value.
+ *                 This must point to an initialized MPI.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPI.
+ * \param B        The base of the modular reduction.
+ *                 This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B < 0
  */
-int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A,
+                        const mbedtls_mpi *B);
 
 /**
- * \brief          Modulo: r = A mod b
+ * \brief          Perform a modular reduction with respect to an integer.
+ *                 r = A mod b
  *
- * \param r        Destination mbedtls_mpi_uint
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
+ * \param r        The address at which to store the residue.
+ *                 This must not be \c NULL.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPi.
+ * \param b        The integer base of the modular reduction.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if b < 0
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b);
+int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+                        mbedtls_mpi_sint b);
 
 /**
- * \brief          Sliding-window exponentiation: X = A^E mod N
+ * \brief          Perform a sliding-window exponentiation: X = A^E mod N
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param E        Exponent MPI
- * \param N        Modular MPI
- * \param _RR      Speed-up MPI used for recalculations
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * \param E        The exponent MPI. This must point to an initialized MPI.
+ * \param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * \param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI. If it hasn't been used after
+ *                 the call to mbedtls_mpi_init(), this function will compute
+ *                 the helper value and store it in \p _RR for reuse on
+ *                 subsequent calls to this function. Otherwise, the function
+ *                 will assume that \p _RR holds the helper value set by a
+ *                 previous call to mbedtls_mpi_exp_mod(), and reuse it.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is negative or even or
- *                 if E is negative
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * \return         Another negative error code on different kinds of failures.
  *
- * \note           _RR is used to avoid re-computing R*R mod N across
- *                 multiple calls, which speeds up things a bit. It can
- *                 be set to NULL if the extra performance is unneeded.
  */
-int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR);
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *E, const mbedtls_mpi *N,
+                        mbedtls_mpi *_RR);
 
 /**
- * \brief          Fill an MPI X with size bytes of random
+ * \brief          Fill an MPI with a number of random bytes.
  *
- * \param X        Destination MPI
- * \param size     Size in bytes
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param size     The number of random bytes to generate.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on failure.
  *
- * \note           The bytes obtained from the PRNG are interpreted
+ * \note           The bytes obtained from the RNG are interpreted
  *                 as a big-endian representation of an MPI; this can
  *                 be relevant in applications like deterministic ECDSA.
  */
@@ -701,64 +871,135 @@ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
                             void *p_rng);
 
 /**
- * \brief          Greatest common divisor: G = gcd(A, B)
+ * \brief          Compute the greatest common divisor: G = gcd(A, B)
  *
- * \param G        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param G        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first operand. This must point to an initialized MPI.
+ * \param B        The second operand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B);
+int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
+                    const mbedtls_mpi *B);
 
 /**
- * \brief          Modular inverse: X = A^-1 mod N
+ * \brief          Compute the modular inverse: X = A^-1 mod N
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param N        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The MPI to calculate the modular inverse of. This must point
+ *                 to an initialized MPI.
+ * \param N        The base of the modular inversion. This must point to an
+ *                 initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is <= 1,
-                   MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ *                 or equal to one.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse
+ *                 with respect to \p N.
  */
-int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N);
+int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+                        const mbedtls_mpi *N);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Perform a Miller-Rabin primality test with error
+ *                 probability of 2<sup>-80</sup>.
+ *
+ * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
+ *                 specifying the number of Miller-Rabin rounds.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use a
+ *                 context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
+                                            int (*f_rng)(void *, unsigned char *, size_t),
+                                            void *p_rng);
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
 /**
- * \brief          Miller-Rabin primality test
+ * \brief          Miller-Rabin primality test.
  *
- * \param X        MPI to check
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
+ * \warning        If \p X is potentially generated by an adversary, for example
+ *                 when validating cryptographic parameters that you didn't
+ *                 generate yourself and that are supposed to be prime, then
+ *                 \p rounds should be at least the half of the security
+ *                 strength of the cryptographic algorithm. On the other hand,
+ *                 if \p X is chosen uniformly or non-adversially (as is the
+ *                 case when mbedtls_mpi_gen_prime calls this function), then
+ *                 \p rounds can be much lower.
  *
- * \return         0 if successful (probably prime),
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param rounds   The number of bases to perform the Miller-Rabin primality
+ *                 test for. The probability of returning 0 on a composite is
+ *                 at most 2<sup>-2*\p rounds</sup>.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
  */
-int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
-                         int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng);
+int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng);
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+    MBEDTLS_MPI_GEN_PRIME_FLAG_DH =      0x0001, /**< (X-1)/2 is prime too */
+    MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
 
 /**
- * \brief          Prime number generation
+ * \brief          Generate a prime number.
  *
- * \param X        Destination MPI
- * \param nbits    Required size of X in bits
- *                 ( 3 <= nbits <= MBEDTLS_MPI_MAX_BITS )
- * \param dh_flag  If 1, then (X-1)/2 will be prime too
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
+ * \param X        The destination MPI to store the generated prime in.
+ *                 This must point to an initialized MPi.
+ * \param nbits    The required size of the destination MPI in bits.
+ *                 This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags    A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
  *
- * \return         0 if successful (probably prime),
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
+ * \return         \c 0 if successful, in which case \p X holds a
+ *                 probably prime number.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ *                 \c 3 and #MBEDTLS_MPI_MAX_BITS.
  */
-int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
+int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
                           int (*f_rng)(void *, unsigned char *, size_t),
                           void *p_rng);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -766,6 +1007,8 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int dh_flag,
  */
 int mbedtls_mpi_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/blowfish.c b/common/mbedtls/blowfish.c
index e81d9fd19..6f46b6514 100644
--- a/common/mbedtls/blowfish.c
+++ b/common/mbedtls/blowfish.c
@@ -1,24 +1,20 @@
 /*
  *  Blowfish implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The Blowfish block cipher was designed by Bruce Schneier in 1993.
@@ -27,11 +23,7 @@
  *
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_BLOWFISH_C)
 
@@ -42,27 +34,33 @@
 
 #if !defined(MBEDTLS_BLOWFISH_ALT)
 
+/* Parameter validation macros */
+#define BLOWFISH_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA )
+#define BLOWFISH_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */
 #ifndef GET_UINT32_BE
 #define GET_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-              | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 3]       );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
 #endif
 
 #ifndef PUT_UINT32_BE
 #define PUT_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
 #endif
 
 static const uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2] = {
@@ -149,6 +147,7 @@ static void blowfish_dec(mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *
 }
 
 void mbedtls_blowfish_init(mbedtls_blowfish_context *ctx) {
+    BLOWFISH_VALIDATE(ctx != NULL);
     memset(ctx, 0, sizeof(mbedtls_blowfish_context));
 }
 
@@ -162,14 +161,18 @@ void mbedtls_blowfish_free(mbedtls_blowfish_context *ctx) {
 /*
  * Blowfish key schedule
  */
-int mbedtls_blowfish_setkey(mbedtls_blowfish_context *ctx, const unsigned char *key,
+int mbedtls_blowfish_setkey(mbedtls_blowfish_context *ctx,
+                            const unsigned char *key,
                             unsigned int keybits) {
     unsigned int i, j, k;
     uint32_t data, datal, datar;
+    BLOWFISH_VALIDATE_RET(ctx != NULL);
+    BLOWFISH_VALIDATE_RET(key != NULL);
 
-    if (keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS || keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS ||
-            (keybits % 8)) {
-        return (MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH);
+    if (keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS    ||
+            keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS    ||
+            keybits % 8 != 0) {
+        return (MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA);
     }
 
     keybits >>= 3;
@@ -217,6 +220,11 @@ int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
                                const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
                                unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE]) {
     uint32_t X0, X1;
+    BLOWFISH_VALIDATE_RET(ctx != NULL);
+    BLOWFISH_VALIDATE_RET(mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                          mode == MBEDTLS_BLOWFISH_DECRYPT);
+    BLOWFISH_VALIDATE_RET(input  != NULL);
+    BLOWFISH_VALIDATE_RET(output != NULL);
 
     GET_UINT32_BE(X0, input,  0);
     GET_UINT32_BE(X1, input,  4);
@@ -245,6 +253,12 @@ int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
                                unsigned char *output) {
     int i;
     unsigned char temp[MBEDTLS_BLOWFISH_BLOCKSIZE];
+    BLOWFISH_VALIDATE_RET(ctx != NULL);
+    BLOWFISH_VALIDATE_RET(mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                          mode == MBEDTLS_BLOWFISH_DECRYPT);
+    BLOWFISH_VALIDATE_RET(iv != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || input  != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || output != NULL);
 
     if (length % MBEDTLS_BLOWFISH_BLOCKSIZE)
         return (MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH);
@@ -293,7 +307,19 @@ int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
                                  const unsigned char *input,
                                  unsigned char *output) {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+
+    BLOWFISH_VALIDATE_RET(ctx != NULL);
+    BLOWFISH_VALIDATE_RET(mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                          mode == MBEDTLS_BLOWFISH_DECRYPT);
+    BLOWFISH_VALIDATE_RET(iv     != NULL);
+    BLOWFISH_VALIDATE_RET(iv_off != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || input  != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || output != NULL);
+
+    n = *iv_off;
+    if (n >= 8)
+        return (MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA);
 
     if (mode == MBEDTLS_BLOWFISH_DECRYPT) {
         while (length--) {
@@ -335,7 +361,17 @@ int mbedtls_blowfish_crypt_ctr(mbedtls_blowfish_context *ctx,
                                const unsigned char *input,
                                unsigned char *output) {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+    BLOWFISH_VALIDATE_RET(ctx != NULL);
+    BLOWFISH_VALIDATE_RET(nonce_counter != NULL);
+    BLOWFISH_VALIDATE_RET(stream_block  != NULL);
+    BLOWFISH_VALIDATE_RET(nc_off != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || input  != NULL);
+    BLOWFISH_VALIDATE_RET(length == 0 || output != NULL);
+
+    n = *nc_off;
+    if (n >= 8)
+        return (MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA);
 
     while (length--) {
         if (n == 0) {
diff --git a/common/mbedtls/blowfish.h b/common/mbedtls/blowfish.h
index 6c18cdcf2..456a5c31a 100644
--- a/common/mbedtls/blowfish.h
+++ b/common/mbedtls/blowfish.h
@@ -4,30 +4,26 @@
  * \brief Blowfish block cipher
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_BLOWFISH_H
 #define MBEDTLS_BLOWFISH_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -35,6 +31,8 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "mbedtls/platform_util.h"
+
 #define MBEDTLS_BLOWFISH_ENCRYPT     1
 #define MBEDTLS_BLOWFISH_DECRYPT     0
 #define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
@@ -42,9 +40,16 @@
 #define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
 #define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
 
-#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH                -0x0016  /**< Invalid key length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
+
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH              -0x0018  /**< Invalid data input length. */
 
 #ifdef __cplusplus
 extern "C" {
@@ -68,40 +73,53 @@ mbedtls_blowfish_context;
 #endif /* MBEDTLS_BLOWFISH_ALT */
 
 /**
- * \brief          Initialize Blowfish context
+ * \brief          Initialize a Blowfish context.
  *
- * \param ctx      Blowfish context to be initialized
+ * \param ctx      The Blowfish context to be initialized.
+ *                 This must not be \c NULL.
  */
 void mbedtls_blowfish_init(mbedtls_blowfish_context *ctx);
 
 /**
- * \brief          Clear Blowfish context
+ * \brief          Clear a Blowfish context.
  *
- * \param ctx      Blowfish context to be cleared
+ * \param ctx      The Blowfish context to be cleared.
+ *                 This may be \c NULL, in which case this function
+ *                 returns immediately. If it is not \c NULL, it must
+ *                 point to an initialized Blowfish context.
  */
 void mbedtls_blowfish_free(mbedtls_blowfish_context *ctx);
 
 /**
- * \brief          Blowfish key schedule
+ * \brief          Perform a Blowfish key schedule operation.
  *
- * \param ctx      Blowfish context to be initialized
- * \param key      encryption key
- * \param keybits  must be between 32 and 448 bits
+ * \param ctx      The Blowfish context to perform the key schedule on.
+ * \param key      The encryption key. This must be a readable buffer of
+ *                 length \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be between
+ *                 \c 32 and \c 448 and a multiple of \c 8.
  *
- * \return         0 if successful, or MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_setkey(mbedtls_blowfish_context *ctx, const unsigned char *key,
                             unsigned int keybits);
 
 /**
- * \brief          Blowfish-ECB block encryption/decryption
+ * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param input    8-byte input block
- * \param output   8-byte output block
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 8 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 8 Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
                                int mode,
@@ -110,9 +128,7 @@ int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          Blowfish-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (8 bytes)
+ * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -122,15 +138,22 @@ int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be
+ *                 multiple of \c 8.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 8 Bytes. It is updated by this function.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
                                int mode,
@@ -142,7 +165,7 @@ int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          Blowfish CFB buffer encryption/decryption.
+ * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -152,15 +175,25 @@ int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in the initialiation vector.
+ *                 The value pointed to must be smaller than \c 8 Bytes.
+ *                 It is updated by this function to support the aforementioned
+ *                 streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of size \c 8 Bytes. It is updated after use.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
                                  int mode,
@@ -173,7 +206,7 @@ int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief               Blowfish-CTR buffer encryption/decryption
+ * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
  *
  * \warning    You must never reuse a nonce value with the same key. Doing so
  *             would void the encryption for the two messages encrypted with
@@ -216,18 +249,24 @@ int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
  *             content must not be written to insecure storage and should be
  *             securely discarded as soon as it's no longer needed.
  *
- * \param ctx           Blowfish context
- * \param length        The length of the data
+ * \param ctx           The Blowfish context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data in Bytes.
  * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 64-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
+ *                      within current cipher stream). The offset pointer
+ *                      should be \c 0 at the start of a stream and must be
+ *                      smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ *                      read/write buffer of length \c 8 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must point to
+ *                      a read/write buffer of length \c 8 Bytes.
+ * \param input         The input data. This must be a readable buffer of
+ *                      length \p length Bytes.
+ * \param output        The output data. This must be a writable buffer of
+ *                      length \p length Bytes.
  *
- * \return         0 if successful
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_ctr(mbedtls_blowfish_context *ctx,
                                size_t length,
diff --git a/common/mbedtls/bn_mul.h b/common/mbedtls/bn_mul.h
index 7efbeedd4..8fa9d9125 100644
--- a/common/mbedtls/bn_mul.h
+++ b/common/mbedtls/bn_mul.h
@@ -4,24 +4,20 @@
  * \brief Multi-precision integer library
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *      Multiply source vector [s] with b, add result
@@ -40,7 +36,13 @@
 #ifndef MBEDTLS_BN_MUL_H
 #define MBEDTLS_BN_MUL_H
 
-#include "bignum.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/bignum.h"
 
 #if defined(MBEDTLS_HAVE_ASM)
 
@@ -62,109 +64,109 @@
 
 #define MULADDC_INIT                        \
     asm(                                    \
-                                            "movl   %%ebx, %0           \n\t"   \
-                                            "movl   %5, %%esi           \n\t"   \
-                                            "movl   %6, %%edi           \n\t"   \
-                                            "movl   %7, %%ecx           \n\t"   \
-                                            "movl   %8, %%ebx           \n\t"
+        "movl   %%ebx, %0           \n\t"   \
+        "movl   %5, %%esi           \n\t"   \
+        "movl   %6, %%edi           \n\t"   \
+        "movl   %7, %%ecx           \n\t"   \
+        "movl   %8, %%ebx           \n\t"
 
 #define MULADDC_CORE                        \
-    "lodsl                      \n\t"   \
-    "mull   %%ebx               \n\t"   \
-    "addl   %%ecx,   %%eax      \n\t"   \
-    "adcl   $0,      %%edx      \n\t"   \
-    "addl   (%%edi), %%eax      \n\t"   \
-    "adcl   $0,      %%edx      \n\t"   \
-    "movl   %%edx,   %%ecx      \n\t"   \
-    "stosl                      \n\t"
+        "lodsl                      \n\t"   \
+        "mull   %%ebx               \n\t"   \
+        "addl   %%ecx,   %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "addl   (%%edi), %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "movl   %%edx,   %%ecx      \n\t"   \
+        "stosl                      \n\t"
 
 #if defined(MBEDTLS_HAVE_SSE2)
 
 #define MULADDC_HUIT                            \
-    "movd     %%ecx,     %%mm1      \n\t"   \
-    "movd     %%ebx,     %%mm0      \n\t"   \
-    "movd     (%%edi),   %%mm3      \n\t"   \
-    "paddq    %%mm3,     %%mm1      \n\t"   \
-    "movd     (%%esi),   %%mm2      \n\t"   \
-    "pmuludq  %%mm0,     %%mm2      \n\t"   \
-    "movd     4(%%esi),  %%mm4      \n\t"   \
-    "pmuludq  %%mm0,     %%mm4      \n\t"   \
-    "movd     8(%%esi),  %%mm6      \n\t"   \
-    "pmuludq  %%mm0,     %%mm6      \n\t"   \
-    "movd     12(%%esi), %%mm7      \n\t"   \
-    "pmuludq  %%mm0,     %%mm7      \n\t"   \
-    "paddq    %%mm2,     %%mm1      \n\t"   \
-    "movd     4(%%edi),  %%mm3      \n\t"   \
-    "paddq    %%mm4,     %%mm3      \n\t"   \
-    "movd     8(%%edi),  %%mm5      \n\t"   \
-    "paddq    %%mm6,     %%mm5      \n\t"   \
-    "movd     12(%%edi), %%mm4      \n\t"   \
-    "paddq    %%mm4,     %%mm7      \n\t"   \
-    "movd     %%mm1,     (%%edi)    \n\t"   \
-    "movd     16(%%esi), %%mm2      \n\t"   \
-    "pmuludq  %%mm0,     %%mm2      \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "movd     20(%%esi), %%mm4      \n\t"   \
-    "pmuludq  %%mm0,     %%mm4      \n\t"   \
-    "paddq    %%mm3,     %%mm1      \n\t"   \
-    "movd     24(%%esi), %%mm6      \n\t"   \
-    "pmuludq  %%mm0,     %%mm6      \n\t"   \
-    "movd     %%mm1,     4(%%edi)   \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "movd     28(%%esi), %%mm3      \n\t"   \
-    "pmuludq  %%mm0,     %%mm3      \n\t"   \
-    "paddq    %%mm5,     %%mm1      \n\t"   \
-    "movd     16(%%edi), %%mm5      \n\t"   \
-    "paddq    %%mm5,     %%mm2      \n\t"   \
-    "movd     %%mm1,     8(%%edi)   \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "paddq    %%mm7,     %%mm1      \n\t"   \
-    "movd     20(%%edi), %%mm5      \n\t"   \
-    "paddq    %%mm5,     %%mm4      \n\t"   \
-    "movd     %%mm1,     12(%%edi)  \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "paddq    %%mm2,     %%mm1      \n\t"   \
-    "movd     24(%%edi), %%mm5      \n\t"   \
-    "paddq    %%mm5,     %%mm6      \n\t"   \
-    "movd     %%mm1,     16(%%edi)  \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "paddq    %%mm4,     %%mm1      \n\t"   \
-    "movd     28(%%edi), %%mm5      \n\t"   \
-    "paddq    %%mm5,     %%mm3      \n\t"   \
-    "movd     %%mm1,     20(%%edi)  \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "paddq    %%mm6,     %%mm1      \n\t"   \
-    "movd     %%mm1,     24(%%edi)  \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "paddq    %%mm3,     %%mm1      \n\t"   \
-    "movd     %%mm1,     28(%%edi)  \n\t"   \
-    "addl     $32,       %%edi      \n\t"   \
-    "addl     $32,       %%esi      \n\t"   \
-    "psrlq    $32,       %%mm1      \n\t"   \
-    "movd     %%mm1,     %%ecx      \n\t"
+        "movd     %%ecx,     %%mm1      \n\t"   \
+        "movd     %%ebx,     %%mm0      \n\t"   \
+        "movd     (%%edi),   %%mm3      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     (%%esi),   %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "movd     4(%%esi),  %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "movd     8(%%esi),  %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     12(%%esi), %%mm7      \n\t"   \
+        "pmuludq  %%mm0,     %%mm7      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     4(%%edi),  %%mm3      \n\t"   \
+        "paddq    %%mm4,     %%mm3      \n\t"   \
+        "movd     8(%%edi),  %%mm5      \n\t"   \
+        "paddq    %%mm6,     %%mm5      \n\t"   \
+        "movd     12(%%edi), %%mm4      \n\t"   \
+        "paddq    %%mm4,     %%mm7      \n\t"   \
+        "movd     %%mm1,     (%%edi)    \n\t"   \
+        "movd     16(%%esi), %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     20(%%esi), %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     24(%%esi), %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     %%mm1,     4(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     28(%%esi), %%mm3      \n\t"   \
+        "pmuludq  %%mm0,     %%mm3      \n\t"   \
+        "paddq    %%mm5,     %%mm1      \n\t"   \
+        "movd     16(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm2      \n\t"   \
+        "movd     %%mm1,     8(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm7,     %%mm1      \n\t"   \
+        "movd     20(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm4      \n\t"   \
+        "movd     %%mm1,     12(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     24(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm6      \n\t"   \
+        "movd     %%mm1,     16(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm4,     %%mm1      \n\t"   \
+        "movd     28(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm3      \n\t"   \
+        "movd     %%mm1,     20(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm6,     %%mm1      \n\t"   \
+        "movd     %%mm1,     24(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     %%mm1,     28(%%edi)  \n\t"   \
+        "addl     $32,       %%edi      \n\t"   \
+        "addl     $32,       %%esi      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     %%mm1,     %%ecx      \n\t"
 
 #define MULADDC_STOP                    \
-    "emms                   \n\t"   \
-    "movl   %4, %%ebx       \n\t"   \
-    "movl   %%ecx, %1       \n\t"   \
-    "movl   %%edi, %2       \n\t"   \
-    "movl   %%esi, %3       \n\t"   \
-    : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        "emms                   \n\t"   \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
         : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-              : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
-            );
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
 
 #else
 
 #define MULADDC_STOP                    \
-    "movl   %4, %%ebx       \n\t"   \
-    "movl   %%ecx, %1       \n\t"   \
-    "movl   %%edi, %2       \n\t"   \
-    "movl   %%esi, %3       \n\t"   \
-    : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
         : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-              : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
-            );
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
 #endif /* SSE2 */
 #endif /* i386 */
 
@@ -172,98 +174,122 @@
 
 #define MULADDC_INIT                        \
     asm(                                    \
-                                            "xorq   %%r8, %%r8          \n\t"
+        "xorq   %%r8, %%r8\n"
 
 #define MULADDC_CORE                        \
-    "movq   (%%rsi), %%rax      \n\t"   \
-    "mulq   %%rbx               \n\t"   \
-    "addq   $8,      %%rsi      \n\t"   \
-    "addq   %%rcx,   %%rax      \n\t"   \
-    "movq   %%r8,    %%rcx      \n\t"   \
-    "adcq   $0,      %%rdx      \n\t"   \
-    "nop                        \n\t"   \
-    "addq   %%rax,   (%%rdi)    \n\t"   \
-    "adcq   %%rdx,   %%rcx      \n\t"   \
-    "addq   $8,      %%rdi      \n\t"
+        "movq   (%%rsi), %%rax\n"           \
+        "mulq   %%rbx\n"                    \
+        "addq   $8, %%rsi\n"                \
+        "addq   %%rcx, %%rax\n"             \
+        "movq   %%r8, %%rcx\n"              \
+        "adcq   $0, %%rdx\n"                \
+        "nop    \n"                         \
+        "addq   %%rax, (%%rdi)\n"           \
+        "adcq   %%rdx, %%rcx\n"             \
+        "addq   $8, %%rdi\n"
 
 #define MULADDC_STOP                        \
-    : "+c" (c), "+D" (d), "+S" (s)      \
+        : "+c" (c), "+D" (d), "+S" (s)      \
         : "b" (b)                           \
-              : "rax", "rdx", "r8"                \
-            );
+        : "rax", "rdx", "r8"                \
+    );
 
 #endif /* AMD64 */
 
+#if defined(__aarch64__)
+
+#define MULADDC_INIT                \
+    asm(
+
+#define MULADDC_CORE                \
+        "ldr x4, [%2], #8   \n\t"   \
+        "ldr x5, [%1]       \n\t"   \
+        "mul x6, x4, %3     \n\t"   \
+        "umulh x7, x4, %3   \n\t"   \
+        "adds x5, x5, x6    \n\t"   \
+        "adc x7, x7, xzr    \n\t"   \
+        "adds x5, x5, %0    \n\t"   \
+        "adc %0, x7, xzr    \n\t"   \
+        "str x5, [%1], #8   \n\t"
+
+#define MULADDC_STOP                        \
+         : "+r" (c),  "+r" (d), "+r" (s)    \
+         : "r" (b)                          \
+         : "x4", "x5", "x6", "x7", "cc"     \
+    );
+
+#endif /* Aarch64 */
+
 #if defined(__mc68020__) || defined(__mcpu32__)
 
 #define MULADDC_INIT                    \
     asm(                                \
-                                        "movl   %3, %%a2        \n\t"   \
-                                        "movl   %4, %%a3        \n\t"   \
-                                        "movl   %5, %%d3        \n\t"   \
-                                        "movl   %6, %%d2        \n\t"   \
-                                        "moveq  #0, %%d0        \n\t"
+        "movl   %3, %%a2        \n\t"   \
+        "movl   %4, %%a3        \n\t"   \
+        "movl   %5, %%d3        \n\t"   \
+        "movl   %6, %%d2        \n\t"   \
+        "moveq  #0, %%d0        \n\t"
 
 #define MULADDC_CORE                    \
-    "movel  %%a2@+, %%d1    \n\t"   \
-    "mulul  %%d2, %%d4:%%d1 \n\t"   \
-    "addl   %%d3, %%d1      \n\t"   \
-    "addxl  %%d0, %%d4      \n\t"   \
-    "moveq  #0,   %%d3      \n\t"   \
-    "addl   %%d1, %%a3@+    \n\t"   \
-    "addxl  %%d4, %%d3      \n\t"
+        "movel  %%a2@+, %%d1    \n\t"   \
+        "mulul  %%d2, %%d4:%%d1 \n\t"   \
+        "addl   %%d3, %%d1      \n\t"   \
+        "addxl  %%d0, %%d4      \n\t"   \
+        "moveq  #0,   %%d3      \n\t"   \
+        "addl   %%d1, %%a3@+    \n\t"   \
+        "addxl  %%d4, %%d3      \n\t"
 
 #define MULADDC_STOP                    \
-    "movl   %%d3, %0        \n\t"   \
-    "movl   %%a3, %1        \n\t"   \
-    "movl   %%a2, %2        \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "movl   %%d3, %0        \n\t"   \
+        "movl   %%a3, %1        \n\t"   \
+        "movl   %%a2, %2        \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "d0", "d1", "d2", "d3", "d4", "a2", "a3"  \
-            );
+        : "d0", "d1", "d2", "d3", "d4", "a2", "a3"  \
+    );
 
 #define MULADDC_HUIT                        \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d4:%%d1  \n\t"   \
-    "addxl  %%d3,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d4       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d3:%%d1  \n\t"   \
-    "addxl  %%d4,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d3       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d4:%%d1  \n\t"   \
-    "addxl  %%d3,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d4       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d3:%%d1  \n\t"   \
-    "addxl  %%d4,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d3       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d4:%%d1  \n\t"   \
-    "addxl  %%d3,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d4       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d3:%%d1  \n\t"   \
-    "addxl  %%d4,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d3       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d4:%%d1  \n\t"   \
-    "addxl  %%d3,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d4       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "movel  %%a2@+,  %%d1       \n\t"   \
-    "mulul  %%d2,    %%d3:%%d1  \n\t"   \
-    "addxl  %%d4,    %%d1       \n\t"   \
-    "addxl  %%d0,    %%d3       \n\t"   \
-    "addl   %%d1,    %%a3@+     \n\t"   \
-    "addxl  %%d0,    %%d3       \n\t"
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"
 
 #endif /* MC68000 */
 
@@ -273,70 +299,70 @@
 
 #define MULADDC_INIT                        \
     asm(                                    \
-                                            "ld     r3, %3              \n\t"   \
-                                            "ld     r4, %4              \n\t"   \
-                                            "ld     r5, %5              \n\t"   \
-                                            "ld     r6, %6              \n\t"   \
-                                            "addi   r3, r3, -8          \n\t"   \
-                                            "addi   r4, r4, -8          \n\t"   \
-                                            "addic  r5, r5,  0          \n\t"
+        "ld     r3, %3              \n\t"   \
+        "ld     r4, %4              \n\t"   \
+        "ld     r5, %5              \n\t"   \
+        "ld     r6, %6              \n\t"   \
+        "addi   r3, r3, -8          \n\t"   \
+        "addi   r4, r4, -8          \n\t"   \
+        "addic  r5, r5,  0          \n\t"
 
 #define MULADDC_CORE                        \
-    "ldu    r7, 8(r3)           \n\t"   \
-    "mulld  r8, r7, r6          \n\t"   \
-    "mulhdu r9, r7, r6          \n\t"   \
-    "adde   r8, r8, r5          \n\t"   \
-    "ld     r7, 8(r4)           \n\t"   \
-    "addze  r5, r9              \n\t"   \
-    "addc   r8, r8, r7          \n\t"   \
-    "stdu   r8, 8(r4)           \n\t"
+        "ldu    r7, 8(r3)           \n\t"   \
+        "mulld  r8, r7, r6          \n\t"   \
+        "mulhdu r9, r7, r6          \n\t"   \
+        "adde   r8, r8, r5          \n\t"   \
+        "ld     r7, 8(r4)           \n\t"   \
+        "addze  r5, r9              \n\t"   \
+        "addc   r8, r8, r7          \n\t"   \
+        "stdu   r8, 8(r4)           \n\t"
 
 #define MULADDC_STOP                        \
-    "addze  r5, r5              \n\t"   \
-    "addi   r4, r4, 8           \n\t"   \
-    "addi   r3, r3, 8           \n\t"   \
-    "std    r5, %0              \n\t"   \
-    "std    r4, %1              \n\t"   \
-    "std    r3, %2              \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "addze  r5, r5              \n\t"   \
+        "addi   r4, r4, 8           \n\t"   \
+        "addi   r3, r3, 8           \n\t"   \
+        "std    r5, %0              \n\t"   \
+        "std    r4, %1              \n\t"   \
+        "std    r3, %2              \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
-            );
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
 
 
 #else /* __MACH__ && __APPLE__ */
 
 #define MULADDC_INIT                        \
     asm(                                    \
-                                            "ld     %%r3, %3            \n\t"   \
-                                            "ld     %%r4, %4            \n\t"   \
-                                            "ld     %%r5, %5            \n\t"   \
-                                            "ld     %%r6, %6            \n\t"   \
-                                            "addi   %%r3, %%r3, -8      \n\t"   \
-                                            "addi   %%r4, %%r4, -8      \n\t"   \
-                                            "addic  %%r5, %%r5,  0      \n\t"
+        "ld     %%r3, %3            \n\t"   \
+        "ld     %%r4, %4            \n\t"   \
+        "ld     %%r5, %5            \n\t"   \
+        "ld     %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -8      \n\t"   \
+        "addi   %%r4, %%r4, -8      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
 
 #define MULADDC_CORE                        \
-    "ldu    %%r7, 8(%%r3)       \n\t"   \
-    "mulld  %%r8, %%r7, %%r6    \n\t"   \
-    "mulhdu %%r9, %%r7, %%r6    \n\t"   \
-    "adde   %%r8, %%r8, %%r5    \n\t"   \
-    "ld     %%r7, 8(%%r4)       \n\t"   \
-    "addze  %%r5, %%r9          \n\t"   \
-    "addc   %%r8, %%r8, %%r7    \n\t"   \
-    "stdu   %%r8, 8(%%r4)       \n\t"
+        "ldu    %%r7, 8(%%r3)       \n\t"   \
+        "mulld  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhdu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "ld     %%r7, 8(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stdu   %%r8, 8(%%r4)       \n\t"
 
 #define MULADDC_STOP                        \
-    "addze  %%r5, %%r5          \n\t"   \
-    "addi   %%r4, %%r4, 8       \n\t"   \
-    "addi   %%r3, %%r3, 8       \n\t"   \
-    "std    %%r5, %0            \n\t"   \
-    "std    %%r4, %1            \n\t"   \
-    "std    %%r3, %2            \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 8       \n\t"   \
+        "addi   %%r3, %%r3, 8       \n\t"   \
+        "std    %%r5, %0            \n\t"   \
+        "std    %%r4, %1            \n\t"   \
+        "std    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
-            );
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
 
 #endif /* __MACH__ && __APPLE__ */
 
@@ -346,69 +372,69 @@
 
 #define MULADDC_INIT                    \
     asm(                                \
-                                        "lwz    r3, %3          \n\t"   \
-                                        "lwz    r4, %4          \n\t"   \
-                                        "lwz    r5, %5          \n\t"   \
-                                        "lwz    r6, %6          \n\t"   \
-                                        "addi   r3, r3, -4      \n\t"   \
-                                        "addi   r4, r4, -4      \n\t"   \
-                                        "addic  r5, r5,  0      \n\t"
+        "lwz    r3, %3          \n\t"   \
+        "lwz    r4, %4          \n\t"   \
+        "lwz    r5, %5          \n\t"   \
+        "lwz    r6, %6          \n\t"   \
+        "addi   r3, r3, -4      \n\t"   \
+        "addi   r4, r4, -4      \n\t"   \
+        "addic  r5, r5,  0      \n\t"
 
 #define MULADDC_CORE                    \
-    "lwzu   r7, 4(r3)       \n\t"   \
-    "mullw  r8, r7, r6      \n\t"   \
-    "mulhwu r9, r7, r6      \n\t"   \
-    "adde   r8, r8, r5      \n\t"   \
-    "lwz    r7, 4(r4)       \n\t"   \
-    "addze  r5, r9          \n\t"   \
-    "addc   r8, r8, r7      \n\t"   \
-    "stwu   r8, 4(r4)       \n\t"
+        "lwzu   r7, 4(r3)       \n\t"   \
+        "mullw  r8, r7, r6      \n\t"   \
+        "mulhwu r9, r7, r6      \n\t"   \
+        "adde   r8, r8, r5      \n\t"   \
+        "lwz    r7, 4(r4)       \n\t"   \
+        "addze  r5, r9          \n\t"   \
+        "addc   r8, r8, r7      \n\t"   \
+        "stwu   r8, 4(r4)       \n\t"
 
 #define MULADDC_STOP                    \
-    "addze  r5, r5          \n\t"   \
-    "addi   r4, r4, 4       \n\t"   \
-    "addi   r3, r3, 4       \n\t"   \
-    "stw    r5, %0          \n\t"   \
-    "stw    r4, %1          \n\t"   \
-    "stw    r3, %2          \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "addze  r5, r5          \n\t"   \
+        "addi   r4, r4, 4       \n\t"   \
+        "addi   r3, r3, 4       \n\t"   \
+        "stw    r5, %0          \n\t"   \
+        "stw    r4, %1          \n\t"   \
+        "stw    r3, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
-            );
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
 
 #else /* __MACH__ && __APPLE__ */
 
 #define MULADDC_INIT                        \
     asm(                                    \
-                                            "lwz    %%r3, %3            \n\t"   \
-                                            "lwz    %%r4, %4            \n\t"   \
-                                            "lwz    %%r5, %5            \n\t"   \
-                                            "lwz    %%r6, %6            \n\t"   \
-                                            "addi   %%r3, %%r3, -4      \n\t"   \
-                                            "addi   %%r4, %%r4, -4      \n\t"   \
-                                            "addic  %%r5, %%r5,  0      \n\t"
+        "lwz    %%r3, %3            \n\t"   \
+        "lwz    %%r4, %4            \n\t"   \
+        "lwz    %%r5, %5            \n\t"   \
+        "lwz    %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -4      \n\t"   \
+        "addi   %%r4, %%r4, -4      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
 
 #define MULADDC_CORE                        \
-    "lwzu   %%r7, 4(%%r3)       \n\t"   \
-    "mullw  %%r8, %%r7, %%r6    \n\t"   \
-    "mulhwu %%r9, %%r7, %%r6    \n\t"   \
-    "adde   %%r8, %%r8, %%r5    \n\t"   \
-    "lwz    %%r7, 4(%%r4)       \n\t"   \
-    "addze  %%r5, %%r9          \n\t"   \
-    "addc   %%r8, %%r8, %%r7    \n\t"   \
-    "stwu   %%r8, 4(%%r4)       \n\t"
+        "lwzu   %%r7, 4(%%r3)       \n\t"   \
+        "mullw  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhwu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "lwz    %%r7, 4(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stwu   %%r8, 4(%%r4)       \n\t"
 
 #define MULADDC_STOP                        \
-    "addze  %%r5, %%r5          \n\t"   \
-    "addi   %%r4, %%r4, 4       \n\t"   \
-    "addi   %%r3, %%r3, 4       \n\t"   \
-    "stw    %%r5, %0            \n\t"   \
-    "stw    %%r4, %1            \n\t"   \
-    "stw    %%r3, %2            \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 4       \n\t"   \
+        "addi   %%r3, %%r3, 4       \n\t"   \
+        "stw    %%r5, %0            \n\t"   \
+        "stw    %%r4, %1            \n\t"   \
+        "stw    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
-            );
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
 
 #endif /* __MACH__ && __APPLE__ */
 
@@ -423,65 +449,65 @@
 
 #define MULADDC_INIT                                    \
     asm(                                                \
-                                                        "ldx     %3, %%o0               \n\t"   \
-                                                        "ldx     %4, %%o1               \n\t"   \
-                                                        "ld      %5, %%o2               \n\t"   \
-                                                        "ld      %6, %%o3               \n\t"
+                "ldx     %3, %%o0               \n\t"   \
+                "ldx     %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
 
 #define MULADDC_CORE                                    \
-    "ld      [%%o0], %%o4           \n\t"   \
-    "inc     4, %%o0                \n\t"   \
-    "ld      [%%o1], %%o5           \n\t"   \
-    "umul    %%o3, %%o4, %%o4       \n\t"   \
-    "addcc   %%o4, %%o2, %%o4       \n\t"   \
-    "rd      %%y, %%g1              \n\t"   \
-    "addx    %%g1, 0, %%g1          \n\t"   \
-    "addcc   %%o4, %%o5, %%o4       \n\t"   \
-    "st      %%o4, [%%o1]           \n\t"   \
-    "addx    %%g1, 0, %%o2          \n\t"   \
-    "inc     4, %%o1                \n\t"
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
 
 #define MULADDC_STOP                            \
-    "st      %%o2, %0               \n\t"   \
-    "stx     %%o1, %1               \n\t"   \
-    "stx     %%o0, %2               \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)          \
+                "st      %%o2, %0               \n\t"   \
+                "stx     %%o1, %1               \n\t"   \
+                "stx     %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
         : "m" (s), "m" (d), "m" (c), "m" (b)    \
-              : "g1", "o0", "o1", "o2", "o3", "o4",   \
-            "o5"                                  \
-            );
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
 
 #else /* __sparc64__ */
 
 #define MULADDC_INIT                                    \
     asm(                                                \
-                                                        "ld      %3, %%o0               \n\t"   \
-                                                        "ld      %4, %%o1               \n\t"   \
-                                                        "ld      %5, %%o2               \n\t"   \
-                                                        "ld      %6, %%o3               \n\t"
+                "ld      %3, %%o0               \n\t"   \
+                "ld      %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
 
 #define MULADDC_CORE                                    \
-    "ld      [%%o0], %%o4           \n\t"   \
-    "inc     4, %%o0                \n\t"   \
-    "ld      [%%o1], %%o5           \n\t"   \
-    "umul    %%o3, %%o4, %%o4       \n\t"   \
-    "addcc   %%o4, %%o2, %%o4       \n\t"   \
-    "rd      %%y, %%g1              \n\t"   \
-    "addx    %%g1, 0, %%g1          \n\t"   \
-    "addcc   %%o4, %%o5, %%o4       \n\t"   \
-    "st      %%o4, [%%o1]           \n\t"   \
-    "addx    %%g1, 0, %%o2          \n\t"   \
-    "inc     4, %%o1                \n\t"
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
 
 #define MULADDC_STOP                                    \
-    "st      %%o2, %0               \n\t"   \
-    "st      %%o1, %1               \n\t"   \
-    "st      %%o0, %2               \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)          \
+                "st      %%o2, %0               \n\t"   \
+                "st      %%o1, %1               \n\t"   \
+                "st      %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
         : "m" (s), "m" (d), "m" (c), "m" (b)    \
-              : "g1", "o0", "o1", "o2", "o3", "o4",   \
-            "o5"                                  \
-            );
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
 
 #endif /* __sparc64__ */
 #endif /* __sparc__ */
@@ -490,49 +516,49 @@
 
 #define MULADDC_INIT                    \
     asm(                                \
-                                        "lwi   r3,   %3         \n\t"   \
-                                        "lwi   r4,   %4         \n\t"   \
-                                        "lwi   r5,   %5         \n\t"   \
-                                        "lwi   r6,   %6         \n\t"   \
-                                        "andi  r7,   r6, 0xffff \n\t"   \
-                                        "bsrli r6,   r6, 16     \n\t"
+        "lwi   r3,   %3         \n\t"   \
+        "lwi   r4,   %4         \n\t"   \
+        "lwi   r5,   %5         \n\t"   \
+        "lwi   r6,   %6         \n\t"   \
+        "andi  r7,   r6, 0xffff \n\t"   \
+        "bsrli r6,   r6, 16     \n\t"
 
 #define MULADDC_CORE                    \
-    "lhui  r8,   r3,   0    \n\t"   \
-    "addi  r3,   r3,   2    \n\t"   \
-    "lhui  r9,   r3,   0    \n\t"   \
-    "addi  r3,   r3,   2    \n\t"   \
-    "mul   r10,  r9,  r6    \n\t"   \
-    "mul   r11,  r8,  r7    \n\t"   \
-    "mul   r12,  r9,  r7    \n\t"   \
-    "mul   r13,  r8,  r6    \n\t"   \
-    "bsrli  r8, r10,  16    \n\t"   \
-    "bsrli  r9, r11,  16    \n\t"   \
-    "add   r13, r13,  r8    \n\t"   \
-    "add   r13, r13,  r9    \n\t"   \
-    "bslli r10, r10,  16    \n\t"   \
-    "bslli r11, r11,  16    \n\t"   \
-    "add   r12, r12, r10    \n\t"   \
-    "addc  r13, r13,  r0    \n\t"   \
-    "add   r12, r12, r11    \n\t"   \
-    "addc  r13, r13,  r0    \n\t"   \
-    "lwi   r10,  r4,   0    \n\t"   \
-    "add   r12, r12, r10    \n\t"   \
-    "addc  r13, r13,  r0    \n\t"   \
-    "add   r12, r12,  r5    \n\t"   \
-    "addc   r5, r13,  r0    \n\t"   \
-    "swi   r12,  r4,   0    \n\t"   \
-    "addi   r4,  r4,   4    \n\t"
+        "lhui  r8,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "lhui  r9,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "mul   r10,  r9,  r6    \n\t"   \
+        "mul   r11,  r8,  r7    \n\t"   \
+        "mul   r12,  r9,  r7    \n\t"   \
+        "mul   r13,  r8,  r6    \n\t"   \
+        "bsrli  r8, r10,  16    \n\t"   \
+        "bsrli  r9, r11,  16    \n\t"   \
+        "add   r13, r13,  r8    \n\t"   \
+        "add   r13, r13,  r9    \n\t"   \
+        "bslli r10, r10,  16    \n\t"   \
+        "bslli r11, r11,  16    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12, r11    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "lwi   r10,  r4,   0    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12,  r5    \n\t"   \
+        "addc   r5, r13,  r0    \n\t"   \
+        "swi   r12,  r4,   0    \n\t"   \
+        "addi   r4,  r4,   4    \n\t"
 
 #define MULADDC_STOP                    \
-    "swi   r5,   %0         \n\t"   \
-    "swi   r4,   %1         \n\t"   \
-    "swi   r3,   %2         \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "swi   r5,   %0         \n\t"   \
+        "swi   r4,   %1         \n\t"   \
+        "swi   r3,   %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "r3", "r4", "r5", "r6", "r7", "r8",       \
-            "r9", "r10", "r11", "r12", "r13"          \
-            );
+        : "r3", "r4", "r5", "r6", "r7", "r8",       \
+          "r9", "r10", "r11", "r12", "r13"          \
+    );
 
 #endif /* MicroBlaze */
 
@@ -540,36 +566,35 @@
 
 #define MULADDC_INIT                            \
     asm(                                        \
-                                                "ld.a   %%a2, %3                \n\t"   \
-                                                "ld.a   %%a3, %4                \n\t"   \
-                                                "ld.w   %%d4, %5                \n\t"   \
-                                                "ld.w   %%d1, %6                \n\t"   \
-                                                "xor    %%d5, %%d5              \n\t"
+        "ld.a   %%a2, %3                \n\t"   \
+        "ld.a   %%a3, %4                \n\t"   \
+        "ld.w   %%d4, %5                \n\t"   \
+        "ld.w   %%d1, %6                \n\t"   \
+        "xor    %%d5, %%d5              \n\t"
 
 #define MULADDC_CORE                            \
-    "ld.w   %%d0,   [%%a2+]         \n\t"   \
-    "madd.u %%e2, %%e4, %%d0, %%d1  \n\t"   \
-    "ld.w   %%d0,   [%%a3]          \n\t"   \
-    "addx   %%d2,    %%d2,  %%d0    \n\t"   \
-    "addc   %%d3,    %%d3,    0     \n\t"   \
-    "mov    %%d4,    %%d3           \n\t"   \
-    "st.w  [%%a3+],  %%d2           \n\t"
+        "ld.w   %%d0,   [%%a2+]         \n\t"   \
+        "madd.u %%e2, %%e4, %%d0, %%d1  \n\t"   \
+        "ld.w   %%d0,   [%%a3]          \n\t"   \
+        "addx   %%d2,    %%d2,  %%d0    \n\t"   \
+        "addc   %%d3,    %%d3,    0     \n\t"   \
+        "mov    %%d4,    %%d3           \n\t"   \
+        "st.w  [%%a3+],  %%d2           \n\t"
 
 #define MULADDC_STOP                            \
-    "st.w   %0, %%d4                \n\t"   \
-    "st.a   %1, %%a3                \n\t"   \
-    "st.a   %2, %%a2                \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)          \
+        "st.w   %0, %%d4                \n\t"   \
+        "st.a   %1, %%a3                \n\t"   \
+        "st.a   %2, %%a2                \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
         : "m" (s), "m" (d), "m" (c), "m" (b)    \
-              : "d0", "d1", "e2", "d4", "a2", "a3"    \
-            );
+        : "d0", "d1", "e2", "d4", "a2", "a3"    \
+    );
 
 #endif /* TriCore */
 
 /*
- * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
- * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
- * passing that option is not easy when building with yotta.
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
  *
  * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
  * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
@@ -588,84 +613,102 @@
 
 #define MULADDC_INIT                                    \
     asm(                                                \
-                                                        "ldr    r0, %3                      \n\t"   \
-                                                        "ldr    r1, %4                      \n\t"   \
-                                                        "ldr    r2, %5                      \n\t"   \
-                                                        "ldr    r3, %6                      \n\t"   \
-                                                        "lsr    r7, r3, #16                 \n\t"   \
-                                                        "mov    r9, r7                      \n\t"   \
-                                                        "lsl    r7, r3, #16                 \n\t"   \
-                                                        "lsr    r7, r7, #16                 \n\t"   \
-                                                        "mov    r8, r7                      \n\t"
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"   \
+            "lsr    r7, r3, #16                 \n\t"   \
+            "mov    r9, r7                      \n\t"   \
+            "lsl    r7, r3, #16                 \n\t"   \
+            "lsr    r7, r7, #16                 \n\t"   \
+            "mov    r8, r7                      \n\t"
 
 #define MULADDC_CORE                                    \
-    "ldmia  r0!, {r6}                   \n\t"   \
-    "lsr    r7, r6, #16                 \n\t"   \
-    "lsl    r6, r6, #16                 \n\t"   \
-    "lsr    r6, r6, #16                 \n\t"   \
-    "mov    r4, r8                      \n\t"   \
-    "mul    r4, r6                      \n\t"   \
-    "mov    r3, r9                      \n\t"   \
-    "mul    r6, r3                      \n\t"   \
-    "mov    r5, r9                      \n\t"   \
-    "mul    r5, r7                      \n\t"   \
-    "mov    r3, r8                      \n\t"   \
-    "mul    r7, r3                      \n\t"   \
-    "lsr    r3, r6, #16                 \n\t"   \
-    "add    r5, r5, r3                  \n\t"   \
-    "lsr    r3, r7, #16                 \n\t"   \
-    "add    r5, r5, r3                  \n\t"   \
-    "add    r4, r4, r2                  \n\t"   \
-    "mov    r2, #0                      \n\t"   \
-    "adc    r5, r2                      \n\t"   \
-    "lsl    r3, r6, #16                 \n\t"   \
-    "add    r4, r4, r3                  \n\t"   \
-    "adc    r5, r2                      \n\t"   \
-    "lsl    r3, r7, #16                 \n\t"   \
-    "add    r4, r4, r3                  \n\t"   \
-    "adc    r5, r2                      \n\t"   \
-    "ldr    r3, [r1]                    \n\t"   \
-    "add    r4, r4, r3                  \n\t"   \
-    "adc    r2, r5                      \n\t"   \
-    "stmia  r1!, {r4}                   \n\t"
+            "ldmia  r0!, {r6}                   \n\t"   \
+            "lsr    r7, r6, #16                 \n\t"   \
+            "lsl    r6, r6, #16                 \n\t"   \
+            "lsr    r6, r6, #16                 \n\t"   \
+            "mov    r4, r8                      \n\t"   \
+            "mul    r4, r6                      \n\t"   \
+            "mov    r3, r9                      \n\t"   \
+            "mul    r6, r3                      \n\t"   \
+            "mov    r5, r9                      \n\t"   \
+            "mul    r5, r7                      \n\t"   \
+            "mov    r3, r8                      \n\t"   \
+            "mul    r7, r3                      \n\t"   \
+            "lsr    r3, r6, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "lsr    r3, r7, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "add    r4, r4, r2                  \n\t"   \
+            "mov    r2, #0                      \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r6, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r7, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "ldr    r3, [r1]                    \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r2, r5                      \n\t"   \
+            "stmia  r1!, {r4}                   \n\t"
 
 #define MULADDC_STOP                                    \
-    "str    r2, %0                      \n\t"   \
-    "str    r1, %1                      \n\t"   \
-    "str    r0, %2                      \n\t"   \
-    : "=m" (c),  "=m" (d), "=m" (s)        \
-        : "m" (s), "m" (d), "m" (c), "m" (b)   \
-              : "r0", "r1", "r2", "r3", "r4", "r5",  \
-            "r6", "r7", "r8", "r9", "cc"         \
-            );
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "r8", "r9", "cc"         \
+         );
+
+#elif (__ARM_ARCH >= 6) && \
+    defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+
+#define MULADDC_INIT                            \
+    asm(
+
+#define MULADDC_CORE                            \
+            "ldr    r0, [%0], #4        \n\t"   \
+            "ldr    r1, [%1]            \n\t"   \
+            "umaal  r1, %2, %3, r0      \n\t"   \
+            "str    r1, [%1], #4        \n\t"
+
+#define MULADDC_STOP                            \
+         : "=r" (s),  "=r" (d), "=r" (c)        \
+         : "r" (b), "0" (s), "1" (d), "2" (c)   \
+         : "r0", "r1", "memory"                 \
+         );
 
 #else
 
 #define MULADDC_INIT                                    \
     asm(                                                \
-                                                        "ldr    r0, %3                      \n\t"   \
-                                                        "ldr    r1, %4                      \n\t"   \
-                                                        "ldr    r2, %5                      \n\t"   \
-                                                        "ldr    r3, %6                      \n\t"
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"
 
 #define MULADDC_CORE                                    \
-    "ldr    r4, [r0], #4                \n\t"   \
-    "mov    r5, #0                      \n\t"   \
-    "ldr    r6, [r1]                    \n\t"   \
-    "umlal  r2, r5, r3, r4              \n\t"   \
-    "adds   r7, r6, r2                  \n\t"   \
-    "adc    r2, r5, #0                  \n\t"   \
-    "str    r7, [r1], #4                \n\t"
+            "ldr    r4, [r0], #4                \n\t"   \
+            "mov    r5, #0                      \n\t"   \
+            "ldr    r6, [r1]                    \n\t"   \
+            "umlal  r2, r5, r3, r4              \n\t"   \
+            "adds   r7, r6, r2                  \n\t"   \
+            "adc    r2, r5, #0                  \n\t"   \
+            "str    r7, [r1], #4                \n\t"
 
 #define MULADDC_STOP                                    \
-    "str    r2, %0                      \n\t"   \
-    "str    r1, %1                      \n\t"   \
-    "str    r0, %2                      \n\t"   \
-    : "=m" (c),  "=m" (d), "=m" (s)        \
-        : "m" (s), "m" (d), "m" (c), "m" (b)   \
-              : "r0", "r1", "r2", "r3", "r4", "r5",  \
-            "r6", "r7", "cc"                     \
-            );
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "cc"                     \
+         );
 
 #endif /* Thumb */
 
@@ -675,69 +718,69 @@
 
 #define MULADDC_INIT                    \
     asm(                                \
-                                        "ldq    $1, %3          \n\t"   \
-                                        "ldq    $2, %4          \n\t"   \
-                                        "ldq    $3, %5          \n\t"   \
-                                        "ldq    $4, %6          \n\t"
+        "ldq    $1, %3          \n\t"   \
+        "ldq    $2, %4          \n\t"   \
+        "ldq    $3, %5          \n\t"   \
+        "ldq    $4, %6          \n\t"
 
 #define MULADDC_CORE                    \
-    "ldq    $6,  0($1)      \n\t"   \
-    "addq   $1,  8, $1      \n\t"   \
-    "mulq   $6, $4, $7      \n\t"   \
-    "umulh  $6, $4, $6      \n\t"   \
-    "addq   $7, $3, $7      \n\t"   \
-    "cmpult $7, $3, $3      \n\t"   \
-    "ldq    $5,  0($2)      \n\t"   \
-    "addq   $7, $5, $7      \n\t"   \
-    "cmpult $7, $5, $5      \n\t"   \
-    "stq    $7,  0($2)      \n\t"   \
-    "addq   $2,  8, $2      \n\t"   \
-    "addq   $6, $3, $3      \n\t"   \
-    "addq   $5, $3, $3      \n\t"
+        "ldq    $6,  0($1)      \n\t"   \
+        "addq   $1,  8, $1      \n\t"   \
+        "mulq   $6, $4, $7      \n\t"   \
+        "umulh  $6, $4, $6      \n\t"   \
+        "addq   $7, $3, $7      \n\t"   \
+        "cmpult $7, $3, $3      \n\t"   \
+        "ldq    $5,  0($2)      \n\t"   \
+        "addq   $7, $5, $7      \n\t"   \
+        "cmpult $7, $5, $5      \n\t"   \
+        "stq    $7,  0($2)      \n\t"   \
+        "addq   $2,  8, $2      \n\t"   \
+        "addq   $6, $3, $3      \n\t"   \
+        "addq   $5, $3, $3      \n\t"
 
 #define MULADDC_STOP                                    \
-    "stq    $3, %0          \n\t"   \
-    "stq    $2, %1          \n\t"   \
-    "stq    $1, %2          \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)              \
+        "stq    $3, %0          \n\t"   \
+        "stq    $2, %1          \n\t"   \
+        "stq    $1, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
         : "m" (s), "m" (d), "m" (c), "m" (b)        \
-              : "$1", "$2", "$3", "$4", "$5", "$6", "$7"  \
-            );
+        : "$1", "$2", "$3", "$4", "$5", "$6", "$7"  \
+    );
 #endif /* Alpha */
 
 #if defined(__mips__) && !defined(__mips64)
 
 #define MULADDC_INIT                    \
     asm(                                \
-                                        "lw     $10, %3         \n\t"   \
-                                        "lw     $11, %4         \n\t"   \
-                                        "lw     $12, %5         \n\t"   \
-                                        "lw     $13, %6         \n\t"
+        "lw     $10, %3         \n\t"   \
+        "lw     $11, %4         \n\t"   \
+        "lw     $12, %5         \n\t"   \
+        "lw     $13, %6         \n\t"
 
 #define MULADDC_CORE                    \
-    "lw     $14, 0($10)     \n\t"   \
-    "multu  $13, $14        \n\t"   \
-    "addi   $10, $10, 4     \n\t"   \
-    "mflo   $14             \n\t"   \
-    "mfhi   $9              \n\t"   \
-    "addu   $14, $12, $14   \n\t"   \
-    "lw     $15, 0($11)     \n\t"   \
-    "sltu   $12, $14, $12   \n\t"   \
-    "addu   $15, $14, $15   \n\t"   \
-    "sltu   $14, $15, $14   \n\t"   \
-    "addu   $12, $12, $9    \n\t"   \
-    "sw     $15, 0($11)     \n\t"   \
-    "addu   $12, $12, $14   \n\t"   \
-    "addi   $11, $11, 4     \n\t"
+        "lw     $14, 0($10)     \n\t"   \
+        "multu  $13, $14        \n\t"   \
+        "addi   $10, $10, 4     \n\t"   \
+        "mflo   $14             \n\t"   \
+        "mfhi   $9              \n\t"   \
+        "addu   $14, $12, $14   \n\t"   \
+        "lw     $15, 0($11)     \n\t"   \
+        "sltu   $12, $14, $12   \n\t"   \
+        "addu   $15, $14, $15   \n\t"   \
+        "sltu   $14, $15, $14   \n\t"   \
+        "addu   $12, $12, $9    \n\t"   \
+        "sw     $15, 0($11)     \n\t"   \
+        "addu   $12, $12, $14   \n\t"   \
+        "addi   $11, $11, 4     \n\t"
 
 #define MULADDC_STOP                    \
-    "sw     $12, %0         \n\t"   \
-    "sw     $11, %1         \n\t"   \
-    "sw     $10, %2         \n\t"   \
-    : "=m" (c), "=m" (d), "=m" (s)                      \
+        "sw     $12, %0         \n\t"   \
+        "sw     $11, %1         \n\t"   \
+        "sw     $10, %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)                      \
         : "m" (s), "m" (d), "m" (c), "m" (b)                \
-              : "$9", "$10", "$11", "$12", "$13", "$14", "$15"    \
-            );
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+    );
 
 #endif /* MIPS */
 #endif /* GNUC */
@@ -849,9 +892,9 @@
 #if defined(MBEDTLS_HAVE_UDBL)
 
 #define MULADDC_INIT                    \
-    {                                       \
-        mbedtls_t_udbl r;                           \
-        mbedtls_mpi_uint r0, r1;
+{                                       \
+    mbedtls_t_udbl r;                           \
+    mbedtls_mpi_uint r0, r1;
 
 #define MULADDC_CORE                    \
     r   = *(s++) * (mbedtls_t_udbl) b;          \
@@ -862,15 +905,15 @@
     c = r1; *(d++) = r0;
 
 #define MULADDC_STOP                    \
-    }
+}
 
 #else
 #define MULADDC_INIT                    \
-    {                                       \
-        mbedtls_mpi_uint s0, s1, b0, b1;              \
-        mbedtls_mpi_uint r0, r1, rx, ry;              \
-        b0 = ( b << biH ) >> biH;           \
-        b1 = ( b >> biH );
+{                                       \
+    mbedtls_mpi_uint s0, s1, b0, b1;              \
+    mbedtls_mpi_uint r0, r1, rx, ry;              \
+    b0 = ( b << biH ) >> biH;           \
+    b1 = ( b >> biH );
 
 #define MULADDC_CORE                    \
     s0 = ( *s << biH ) >> biH;          \
@@ -887,7 +930,7 @@
     c = r1; *(d++) = r0;
 
 #define MULADDC_STOP                    \
-    }
+}
 
 #endif /* C (generic)  */
 #endif /* C (longlong) */
diff --git a/common/mbedtls/camellia.c b/common/mbedtls/camellia.c
index bb4169ab4..7b49f9aae 100644
--- a/common/mbedtls/camellia.c
+++ b/common/mbedtls/camellia.c
@@ -1,24 +1,20 @@
 /*
  *  Camellia implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
@@ -27,11 +23,7 @@
  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_CAMELLIA_C)
 
@@ -51,27 +43,33 @@
 
 #if !defined(MBEDTLS_CAMELLIA_ALT)
 
+/* Parameter validation macros */
+#define CAMELLIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
+#define CAMELLIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */
 #ifndef GET_UINT32_BE
 #define GET_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-              | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 3]       );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
 #endif
 
 #ifndef PUT_UINT32_BE
 #define PUT_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
 #endif
 
 static const unsigned char SIGMA_CHARS[6][8] = {
@@ -267,41 +265,41 @@ static const signed char transposes[2][20] = {
 
 /* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
 #define ROTL(DEST, SRC, SHIFT)                                      \
-    {                                                                   \
-        (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
-        (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
-        (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
-        (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
-    }
+{                                                                   \
+    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
+    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
+    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
+    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
+}
 
 #define FL(XL, XR, KL, KR)                                          \
-    {                                                                   \
-        (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
-        (XL) = ((XR) | (KR)) ^ (XL);                                    \
-    }
+{                                                                   \
+    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
+    (XL) = ((XR) | (KR)) ^ (XL);                                    \
+}
 
 #define FLInv(YL, YR, KL, KR)                                       \
-    {                                                                   \
-        (YL) = ((YR) | (KR)) ^ (YL);                                    \
-        (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
-    }
+{                                                                   \
+    (YL) = ((YR) | (KR)) ^ (YL);                                    \
+    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
+}
 
 #define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
-    {                                                           \
-        TK[0] = KC[(OFFSET) * 4 + 0];                           \
-        TK[1] = KC[(OFFSET) * 4 + 1];                           \
-        TK[2] = KC[(OFFSET) * 4 + 2];                           \
-        TK[3] = KC[(OFFSET) * 4 + 3];                           \
-        \
-        for( i = 1; i <= 4; i++ )                               \
-            if( shifts[(INDEX)][(OFFSET)][i -1] )               \
-                ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
-        \
-        for( i = 0; i < 20; i++ )                               \
-            if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
-                RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
-            }                                                   \
-    }
+{                                                           \
+    TK[0] = KC[(OFFSET) * 4 + 0];                           \
+    TK[1] = KC[(OFFSET) * 4 + 1];                           \
+    TK[2] = KC[(OFFSET) * 4 + 2];                           \
+    TK[3] = KC[(OFFSET) * 4 + 3];                           \
+                                                            \
+    for( i = 1; i <= 4; i++ )                               \
+        if( shifts[(INDEX)][(OFFSET)][i -1] )               \
+            ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
+                                                            \
+    for( i = 0; i < 20; i++ )                               \
+        if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
+            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
+        }                                                   \
+}
 
 static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
                              uint32_t z[2]) {
@@ -328,6 +326,7 @@ static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
 }
 
 void mbedtls_camellia_init(mbedtls_camellia_context *ctx) {
+    CAMELLIA_VALIDATE(ctx != NULL);
     memset(ctx, 0, sizeof(mbedtls_camellia_context));
 }
 
@@ -341,7 +340,8 @@ void mbedtls_camellia_free(mbedtls_camellia_context *ctx) {
 /*
  * Camellia key schedule (encryption)
  */
-int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, const unsigned char *key,
+int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
+                                const unsigned char *key,
                                 unsigned int keybits) {
     int idx;
     size_t i;
@@ -351,6 +351,9 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, const unsigned ch
     uint32_t KC[16];
     uint32_t TK[20];
 
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(key != NULL);
+
     RK = ctx->rk;
 
     memset(t, 0, 64);
@@ -367,7 +370,7 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, const unsigned ch
             idx = 1;
             break;
         default :
-            return (MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH);
+            return (MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA);
     }
 
     for (i = 0; i < keybits / 8; ++i)
@@ -451,13 +454,16 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, const unsigned ch
 /*
  * Camellia key schedule (decryption)
  */
-int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx, const unsigned char *key,
+int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
+                                const unsigned char *key,
                                 unsigned int keybits) {
     int idx, ret;
     size_t i;
     mbedtls_camellia_context cty;
     uint32_t *RK;
     uint32_t *SK;
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(key != NULL);
 
     mbedtls_camellia_init(&cty);
 
@@ -503,6 +509,11 @@ int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
                                unsigned char output[16]) {
     int NR;
     uint32_t *RK, X[4];
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                          mode == MBEDTLS_CAMELLIA_DECRYPT);
+    CAMELLIA_VALIDATE_RET(input  != NULL);
+    CAMELLIA_VALIDATE_RET(output != NULL);
 
     ((void) mode);
 
@@ -567,6 +578,12 @@ int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
                                unsigned char *output) {
     int i;
     unsigned char temp[16];
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                          mode == MBEDTLS_CAMELLIA_DECRYPT);
+    CAMELLIA_VALIDATE_RET(iv != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
 
     if (length % 16)
         return (MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH);
@@ -615,7 +632,18 @@ int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
                                   const unsigned char *input,
                                   unsigned char *output) {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                          mode == MBEDTLS_CAMELLIA_DECRYPT);
+    CAMELLIA_VALIDATE_RET(iv     != NULL);
+    CAMELLIA_VALIDATE_RET(iv_off != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
+
+    n = *iv_off;
+    if (n >= 16)
+        return (MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA);
 
     if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
         while (length--) {
@@ -657,7 +685,17 @@ int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
                                const unsigned char *input,
                                unsigned char *output) {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+    CAMELLIA_VALIDATE_RET(ctx != NULL);
+    CAMELLIA_VALIDATE_RET(nonce_counter != NULL);
+    CAMELLIA_VALIDATE_RET(stream_block  != NULL);
+    CAMELLIA_VALIDATE_RET(nc_off != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || input  != NULL);
+    CAMELLIA_VALIDATE_RET(length == 0 || output != NULL);
+
+    n = *nc_off;
+    if (n >= 16)
+        return (MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA);
 
     while (length--) {
         if (n == 0) {
diff --git a/common/mbedtls/camellia.h b/common/mbedtls/camellia.h
index 561606e57..38154f81a 100644
--- a/common/mbedtls/camellia.h
+++ b/common/mbedtls/camellia.h
@@ -4,30 +4,26 @@
  * \brief Camellia block cipher
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_CAMELLIA_H
 #define MBEDTLS_CAMELLIA_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -35,11 +31,20 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "mbedtls/platform_util.h"
+
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0
 
-#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH           -0x0024  /**< Invalid key length. */
-#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH         -0x0026  /**< Invalid data input length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
+
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -64,52 +69,68 @@ mbedtls_camellia_context;
 #endif /* MBEDTLS_CAMELLIA_ALT */
 
 /**
- * \brief          Initialize CAMELLIA context
+ * \brief          Initialize a CAMELLIA context.
  *
- * \param ctx      CAMELLIA context to be initialized
+ * \param ctx      The CAMELLIA context to be initialized.
+ *                 This must not be \c NULL.
  */
 void mbedtls_camellia_init(mbedtls_camellia_context *ctx);
 
 /**
- * \brief          Clear CAMELLIA context
+ * \brief          Clear a CAMELLIA context.
  *
- * \param ctx      CAMELLIA context to be cleared
+ * \param ctx      The CAMELLIA context to be cleared. This may be \c NULL,
+ *                 in which case this function returns immediately. If it is not
+ *                 \c NULL, it must be initialized.
  */
 void mbedtls_camellia_free(mbedtls_camellia_context *ctx);
 
 /**
- * \brief          CAMELLIA key schedule (encryption)
+ * \brief          Perform a CAMELLIA key schedule operation for encryption.
  *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      encryption key
- * \param keybits  must be 128, 192 or 256
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The encryption key to use. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
  *
- * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx, const unsigned char *key,
+int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
+                                const unsigned char *key,
                                 unsigned int keybits);
 
 /**
- * \brief          CAMELLIA key schedule (decryption)
+ * \brief          Perform a CAMELLIA key schedule operation for decryption.
  *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      decryption key
- * \param keybits  must be 128, 192 or 256
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
  *
- * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx, const unsigned char *key,
+int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
+                                const unsigned char *key,
                                 unsigned int keybits);
 
 /**
- * \brief          CAMELLIA-ECB block encryption/decryption
+ * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 16 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 16 Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
                                int mode,
@@ -118,9 +139,7 @@ int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          CAMELLIA-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (16 bytes)
+ * \brief          Perform a CAMELLIA-CBC buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -130,15 +149,22 @@ int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length in Bytes of the input data \p input.
+ *                 This must be a multiple of \c 16 Bytes.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated to allow streaming
+ *                 use as explained above.
+ * \param input    The buffer holding the input data. This must point to a
+ *                 readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must point to a
+ *                 writable buffer of length \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
                                int mode,
@@ -150,11 +176,14 @@ int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          CAMELLIA-CFB128 buffer encryption/decryption
+ * \brief          Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ *                 operation.
  *
- * Note: Due to the nature of CFB you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
+ * \note           Due to the nature of CFB mode, you should use the same
+ *                 key for both encryption and decryption. In particular, calls
+ *                 to this function should be preceded by a key-schedule via
+ *                 mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *                 is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -164,16 +193,24 @@ int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length of the input data \p input. Any value is allowed.
+ * \param iv_off   The current offset in the IV. This must be smaller
+ *                 than \c 16 Bytes. It is updated after this call to allow
+ *                 the aforementioned streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated after this call to
+ *                 allow the aforementioned streaming usage.
+ * \param input    The buffer holding the input data. This must be a readable
+ *                 buffer of size \p length Bytes.
+ * \param output   The buffer to hold the output data. This must be a writable
+ *                 buffer of length \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
                                   int mode,
@@ -186,11 +223,13 @@ int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief               CAMELLIA-CTR buffer encryption/decryption
+ * \brief      Perform a CAMELLIA-CTR buffer encryption/decryption operation.
  *
- * Note: Due to the nature of CTR you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
+ * *note       Due to the nature of CTR mode, you should use the same
+ *             key for both encryption and decryption. In particular, calls
+ *             to this function should be preceded by a key-schedule via
+ *             mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *             is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
  *
  * \warning    You must never reuse a nonce value with the same key. Doing so
  *             would void the encryption for the two messages encrypted with
@@ -213,41 +252,49 @@ int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
  *             per-message nonce, handled by yourself, and the second one
  *             updated by this function internally.
  *
- *             For example, you might reserve the first 12 bytes for the
- *             per-message nonce, and the last 4 bytes for internal use. In that
- *             case, before calling this function on a new message you need to
- *             set the first 12 bytes of \p nonce_counter to your chosen nonce
- *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
- *             stream_block to be ignored). That way, you can encrypt at most
- *             2**96 messages of up to 2**32 blocks each with the same key.
+ *             For example, you might reserve the first \c 12 Bytes for the
+ *             per-message nonce, and the last \c 4 Bytes for internal use.
+ *             In that case, before calling this function on a new message you
+ *             need to set the first \c 12 Bytes of \p nonce_counter to your
+ *             chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ *             (which will cause \p stream_block to be ignored). That way, you
+ *             can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ *             each  with the same key.
  *
  *             The per-message nonce (or information sufficient to reconstruct
- *             it) needs to be communicated with the ciphertext and must be unique.
- *             The recommended way to ensure uniqueness is to use a message
- *             counter. An alternative is to generate random nonces, but this
- *             limits the number of messages that can be securely encrypted:
- *             for example, with 96-bit random nonces, you should not encrypt
- *             more than 2**32 messages with the same key.
+ *             it) needs to be communicated with the ciphertext and must be
+ *             unique. The recommended way to ensure uniqueness is to use a
+ *             message counter. An alternative is to generate random nonces,
+ *             but this limits the number of messages that can be securely
+ *             encrypted: for example, with 96-bit random nonces, you should
+ *             not encrypt more than 2**32 messages with the same key.
  *
  *             Note that for both stategies, sizes are measured in blocks and
- *             that a CAMELLIA block is 16 bytes.
+ *             that a CAMELLIA block is \c 16 Bytes.
  *
  * \warning    Upon return, \p stream_block contains sensitive data. Its
  *             content must not be written to insecure storage and should be
  *             securely discarded as soon as it's no longer needed.
  *
- * \param ctx           CAMELLIA context
- * \param length        The length of the data
- * \param nc_off        The offset in the current stream_block (for resuming
+ * \param ctx           The CAMELLIA context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data \p input in Bytes.
+ *                      Any value is allowed.
+ * \param nc_off        The offset in the current \p stream_block (for resuming
  *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
+ *                      should be \c 0 at the start of a stream. It is updated
+ *                      at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ *                      buffer of length \c 16 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must be a
+ *                      read/write buffer of length \c 16 Bytes.
+ * \param input         The input data stream. This must be a readable buffer of
+ *                      size \p length Bytes.
+ * \param output        The output data stream. This must be a writable buffer
+ *                      of size \p length Bytes.
  *
- * \return         0 if successful
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
  */
 int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
                                size_t length,
@@ -258,6 +305,8 @@ int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
                                unsigned char *output);
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -265,6 +314,8 @@ int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
  */
 int mbedtls_camellia_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/ccm.c b/common/mbedtls/ccm.c
new file mode 100644
index 000000000..789446f46
--- /dev/null
+++ b/common/mbedtls/ccm.c
@@ -0,0 +1,530 @@
+/*
+ *  NIST SP800-38C compliant CCM implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+#define CCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
+#define CCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CCM_ENCRYPT 0
+#define CCM_DECRYPT 1
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init(mbedtls_ccm_context *ctx) {
+    CCM_VALIDATE(ctx != NULL);
+    memset(ctx, 0, sizeof(mbedtls_ccm_context));
+}
+
+int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
+                       mbedtls_cipher_id_t cipher,
+                       const unsigned char *key,
+                       unsigned int keybits) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    CCM_VALIDATE_RET(ctx != NULL);
+    CCM_VALIDATE_RET(key != NULL);
+
+    cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+                                                  MBEDTLS_MODE_ECB);
+    if (cipher_info == NULL)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    if (cipher_info->block_size != 16)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+
+    if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+                                     MBEDTLS_ENCRYPT)) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free(mbedtls_ccm_context *ctx) {
+    if (ctx == NULL)
+        return;
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ccm_context));
+}
+
+/*
+ * Macros for common operations.
+ * Results in smaller compiled code than static inline functions.
+ */
+
+/*
+ * Update the CBC-MAC state in y using a block in b
+ * (Always using b as the source helps the compiler optimise a bit better.)
+ */
+#define UPDATE_CBC_MAC                                                      \
+    for( i = 0; i < 16; i++ )                                               \
+        y[i] ^= b[i];                                                       \
+                                                                            \
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
+        return( ret );
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ * Warning: using b for temporary storage! src and dst must not be b!
+ * This avoids allocating one more 16 bytes buffer while allowing src == dst.
+ */
+#define CTR_CRYPT( dst, src, len  )                                            \
+    do                                                                  \
+    {                                                                   \
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr,       \
+                                           16, b, &olen ) ) != 0 )      \
+        {                                                               \
+            return( ret );                                              \
+        }                                                               \
+                                                                        \
+        for( i = 0; i < (len); i++ )                                    \
+            (dst)[i] = (src)[i] ^ b[i];                                 \
+    } while( 0 )
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
+                          const unsigned char *iv, size_t iv_len,
+                          const unsigned char *add, size_t add_len,
+                          const unsigned char *input, unsigned char *output,
+                          unsigned char *tag, size_t tag_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char i;
+    unsigned char q;
+    size_t len_left, olen;
+    unsigned char b[16];
+    unsigned char y[16];
+    unsigned char ctr[16];
+    const unsigned char *src;
+    unsigned char *dst;
+
+    /*
+     * Check length requirements: SP800-38C A.1
+     * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+     * 'length' checked later (when writing it to the first block)
+     *
+     * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
+     */
+    if (tag_len == 2 || tag_len > 16 || tag_len % 2 != 0)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    /* Also implies q is within bounds */
+    if (iv_len < 7 || iv_len > 13)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    if (add_len >= 0xFF00)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    q = 16 - 1 - (unsigned char) iv_len;
+
+    /*
+     * First block B_0:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       length
+     *
+     * With flags as (bits):
+     * 7        0
+     * 6        add present?
+     * 5 .. 3   (t - 2) / 2
+     * 2 .. 0   q - 1
+     */
+    b[0] = 0;
+    b[0] |= (add_len > 0) << 6;
+    b[0] |= ((tag_len - 2) / 2) << 3;
+    b[0] |= q - 1;
+
+    memcpy(b + 1, iv, iv_len);
+
+    for (i = 0, len_left = length; i < q; i++, len_left >>= 8)
+        b[15 - i] = (unsigned char)(len_left & 0xFF);
+
+    if (len_left > 0)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+
+    /* Start CBC-MAC with first block */
+    memset(y, 0, 16);
+    UPDATE_CBC_MAC;
+
+    /*
+     * If there is additional data, update CBC-MAC with
+     * add_len, add, 0 (padding to a block boundary)
+     */
+    if (add_len > 0) {
+        size_t use_len;
+        len_left = add_len;
+        src = add;
+
+        memset(b, 0, 16);
+        b[0] = (unsigned char)((add_len >> 8) & 0xFF);
+        b[1] = (unsigned char)((add_len) & 0xFF);
+
+        use_len = len_left < 16 - 2 ? len_left : 16 - 2;
+        memcpy(b + 2, src, use_len);
+        len_left -= use_len;
+        src += use_len;
+
+        UPDATE_CBC_MAC;
+
+        while (len_left > 0) {
+            use_len = len_left > 16 ? 16 : len_left;
+
+            memset(b, 0, 16);
+            memcpy(b, src, use_len);
+            UPDATE_CBC_MAC;
+
+            len_left -= use_len;
+            src += use_len;
+        }
+    }
+
+    /*
+     * Prepare counter block for encryption:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       counter (initially 1)
+     *
+     * With flags as (bits):
+     * 7 .. 3   0
+     * 2 .. 0   q - 1
+     */
+    ctr[0] = q - 1;
+    memcpy(ctr + 1, iv, iv_len);
+    memset(ctr + 1 + iv_len, 0, q);
+    ctr[15] = 1;
+
+    /*
+     * Authenticate and {en,de}crypt the message.
+     *
+     * The only difference between encryption and decryption is
+     * the respective order of authentication and {en,de}cryption.
+     */
+    len_left = length;
+    src = input;
+    dst = output;
+
+    while (len_left > 0) {
+        size_t use_len = len_left > 16 ? 16 : len_left;
+
+        if (mode == CCM_ENCRYPT) {
+            memset(b, 0, 16);
+            memcpy(b, src, use_len);
+            UPDATE_CBC_MAC;
+        }
+
+        CTR_CRYPT(dst, src, use_len);
+
+        if (mode == CCM_DECRYPT) {
+            memset(b, 0, 16);
+            memcpy(b, dst, use_len);
+            UPDATE_CBC_MAC;
+        }
+
+        dst += use_len;
+        src += use_len;
+        len_left -= use_len;
+
+        /*
+         * Increment counter.
+         * No need to check for overflow thanks to the length check above.
+         */
+        for (i = 0; i < q; i++)
+            if (++ctr[15 - i] != 0)
+                break;
+    }
+
+    /*
+     * Authentication: reset counter and crypt/mask internal tag
+     */
+    for (i = 0; i < q; i++)
+        ctr[15 - i] = 0;
+
+    CTR_CRYPT(y, y, 16);
+    memcpy(tag, y, tag_len);
+
+    return (0);
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+                                     const unsigned char *iv, size_t iv_len,
+                                     const unsigned char *add, size_t add_len,
+                                     const unsigned char *input, unsigned char *output,
+                                     unsigned char *tag, size_t tag_len) {
+    CCM_VALIDATE_RET(ctx != NULL);
+    CCM_VALIDATE_RET(iv != NULL);
+    CCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    CCM_VALIDATE_RET(length == 0 || input != NULL);
+    CCM_VALIDATE_RET(length == 0 || output != NULL);
+    CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
+    return (ccm_auth_crypt(ctx, CCM_ENCRYPT, length, iv, iv_len,
+                           add, add_len, input, output, tag, tag_len));
+}
+
+int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+                                const unsigned char *iv, size_t iv_len,
+                                const unsigned char *add, size_t add_len,
+                                const unsigned char *input, unsigned char *output,
+                                unsigned char *tag, size_t tag_len) {
+    CCM_VALIDATE_RET(ctx != NULL);
+    CCM_VALIDATE_RET(iv != NULL);
+    CCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    CCM_VALIDATE_RET(length == 0 || input != NULL);
+    CCM_VALIDATE_RET(length == 0 || output != NULL);
+    CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
+    if (tag_len == 0)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    return (mbedtls_ccm_star_encrypt_and_tag(ctx, length, iv, iv_len, add,
+                                             add_len, input, output, tag, tag_len));
+}
+
+/*
+ * Authenticated decryption
+ */
+int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+                                  const unsigned char *iv, size_t iv_len,
+                                  const unsigned char *add, size_t add_len,
+                                  const unsigned char *input, unsigned char *output,
+                                  const unsigned char *tag, size_t tag_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char check_tag[16];
+    unsigned char i;
+    int diff;
+
+    CCM_VALIDATE_RET(ctx != NULL);
+    CCM_VALIDATE_RET(iv != NULL);
+    CCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    CCM_VALIDATE_RET(length == 0 || input != NULL);
+    CCM_VALIDATE_RET(length == 0 || output != NULL);
+    CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
+
+    if ((ret = ccm_auth_crypt(ctx, CCM_DECRYPT, length,
+                              iv, iv_len, add, add_len,
+                              input, output, check_tag, tag_len)) != 0) {
+        return (ret);
+    }
+
+    /* Check tag in "constant-time" */
+    for (diff = 0, i = 0; i < tag_len; i++)
+        diff |= tag[i] ^ check_tag[i];
+
+    if (diff != 0) {
+        mbedtls_platform_zeroize(output, length);
+        return (MBEDTLS_ERR_CCM_AUTH_FAILED);
+    }
+
+    return (0);
+}
+
+int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+                             const unsigned char *iv, size_t iv_len,
+                             const unsigned char *add, size_t add_len,
+                             const unsigned char *input, unsigned char *output,
+                             const unsigned char *tag, size_t tag_len) {
+    CCM_VALIDATE_RET(ctx != NULL);
+    CCM_VALIDATE_RET(iv != NULL);
+    CCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    CCM_VALIDATE_RET(length == 0 || input != NULL);
+    CCM_VALIDATE_RET(length == 0 || output != NULL);
+    CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
+
+    if (tag_len == 0)
+        return (MBEDTLS_ERR_CCM_BAD_INPUT);
+
+    return (mbedtls_ccm_star_auth_decrypt(ctx, length, iv, iv_len, add,
+                                          add_len, input, output, tag, tag_len));
+}
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key_test_data[] = {
+    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv_test_data[] = {
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad_test_data[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len_test_data [NB_TESTS] = { 7, 8,  12 };
+static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len_test_data[NB_TESTS] = { 4, 6,  8  };
+
+static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+    {   0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+    {
+        0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+        0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+        0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd
+    },
+    {
+        0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+        0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+        0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+        0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51
+    }
+};
+
+int mbedtls_ccm_self_test(int verbose) {
+    mbedtls_ccm_context ctx;
+    /*
+     * Some hardware accelerators require the input and output buffers
+     * would be in RAM, because the flash is not accessible.
+     * Use buffers on the stack to hold the test vectors data.
+     */
+    unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+    unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+    size_t i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    mbedtls_ccm_init(&ctx);
+
+    if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
+                           8 * sizeof key_test_data) != 0) {
+        if (verbose != 0)
+            mbedtls_printf("  CCM: setup failed");
+
+        return (1);
+    }
+
+    for (i = 0; i < NB_TESTS; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  CCM-AES #%u: ", (unsigned int) i + 1);
+
+        memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+        memset(ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN);
+        memcpy(plaintext, msg_test_data, msg_len_test_data[i]);
+
+        ret = mbedtls_ccm_encrypt_and_tag(&ctx, msg_len_test_data[i],
+                                          iv_test_data, iv_len_test_data[i],
+                                          ad_test_data, add_len_test_data[i],
+                                          plaintext, ciphertext,
+                                          ciphertext + msg_len_test_data[i],
+                                          tag_len_test_data[i]);
+
+        if (ret != 0 ||
+                memcmp(ciphertext, res_test_data[i],
+                       msg_len_test_data[i] + tag_len_test_data[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed\n");
+
+            return (1);
+        }
+        memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+
+        ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len_test_data[i],
+                                       iv_test_data, iv_len_test_data[i],
+                                       ad_test_data, add_len_test_data[i],
+                                       ciphertext, plaintext,
+                                       ciphertext + msg_len_test_data[i],
+                                       tag_len_test_data[i]);
+
+        if (ret != 0 ||
+                memcmp(plaintext, msg_test_data, msg_len_test_data[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed\n");
+
+            return (1);
+        }
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    mbedtls_ccm_free(&ctx);
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
diff --git a/common/mbedtls/ccm.h b/common/mbedtls/ccm.h
new file mode 100644
index 000000000..b54ea081a
--- /dev/null
+++ b/common/mbedtls/ccm.h
@@ -0,0 +1,307 @@
+/**
+ * \file ccm.h
+ *
+ * \brief This file provides an API for the CCM authenticated encryption
+ *        mode for block ciphers.
+ *
+ * CCM combines Counter mode encryption with CBC-MAC authentication
+ * for 128-bit block ciphers.
+ *
+ * Input to CCM includes the following elements:
+ * <ul><li>Payload - data that is both authenticated and encrypted.</li>
+ * <li>Associated data (Adata) - data that is authenticated but not
+ * encrypted, For example, a header.</li>
+ * <li>Nonce - A unique value that is assigned to the payload and the
+ * associated data.</li></ul>
+ *
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_CCM_H
+#define MBEDTLS_CCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/cipher.h"
+
+#define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The CCM context-type definition. The CCM context is passed
+ *           to the APIs called.
+ */
+typedef struct mbedtls_ccm_context {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+}
+mbedtls_ccm_context;
+
+#else  /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
+/**
+ * \brief           This function initializes the specified CCM context,
+ *                  to make references valid, and prepare the context
+ *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *
+ * \param ctx       The CCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ccm_init(mbedtls_ccm_context *ctx);
+
+/**
+ * \brief           This function initializes the CCM context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The CCM context to initialize. This must be an initialized
+ *                  context.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must not be \c NULL.
+ * \param keybits   The key size in bits. This must be acceptable by the cipher.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
+                       mbedtls_cipher_id_t cipher,
+                       const unsigned char *key,
+                       unsigned int keybits);
+
+/**
+ * \brief   This function releases and clears the specified CCM context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The CCM context to clear. If this is \c NULL, the function
+ *                  has no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_ccm_free(mbedtls_ccm_context *ctx);
+
+/**
+ * \brief           This function encrypts a buffer using CCM.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. If \p add_len is greater than
+ *                  zero, \p add must be a readable buffer of at least that
+ *                  length.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than `2^16 - 2^8`.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  writable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+                                const unsigned char *iv, size_t iv_len,
+                                const unsigned char *add, size_t add_len,
+                                const unsigned char *input, unsigned char *output,
+                                unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief           This function encrypts a buffer using CCM*.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be encoded into the \p iv passed to
+ *                  this function.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  writable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is no
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+                                     const unsigned char *iv, size_t iv_len,
+                                     const unsigned char *add, size_t add_len,
+                                     const unsigned char *input, unsigned char *output,
+                                     unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief           This function performs a CCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer
+ *                  of at least that \p add_len Bytes..
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success. This indicates that the message is authentic.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+                             const unsigned char *iv, size_t iv_len,
+                             const unsigned char *add, size_t add_len,
+                             const unsigned char *input, unsigned char *output,
+                             const unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief           This function performs a CCM* authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be decoded from \p iv and passed to
+ *                  this function as \p tag_len. (\p tag needs to be adjusted
+ *                  accordingly.)
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least that \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field in Bytes.
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is nos
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+                                  const unsigned char *iv, size_t iv_len,
+                                  const unsigned char *add, size_t add_len,
+                                  const unsigned char *input, unsigned char *output,
+                                  const unsigned char *tag, size_t tag_len);
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The CCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_ccm_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CCM_H */
diff --git a/common/mbedtls/certs.c b/common/mbedtls/certs.c
index 6df61d24e..71f1da5ca 100644
--- a/common/mbedtls/certs.c
+++ b/common/mbedtls/certs.c
@@ -1,355 +1,1679 @@
 /*
  *  X.509 test certificates
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #include "mbedtls/certs.h"
 
 #if defined(MBEDTLS_CERTS_C)
 
-#if defined(MBEDTLS_ECDSA_C)
-#define TEST_CA_CRT_EC                                                  \
-    "-----BEGIN CERTIFICATE-----\r\n"                                       \
-    "MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n"  \
-    "Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
-    "QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n"  \
-    "Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
-    "QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n"  \
-    "ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n"  \
-    "aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n"  \
-    "JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n"  \
-    "NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n"  \
-    "AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n"  \
-    "CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n"  \
-    "t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n"  \
-    "uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n"                                  \
+/*
+ * Test CA Certificates
+ *
+ * We define test CA certificates for each choice of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ *
+ */
+
+/* This is taken from tests/data_files/test-ca2.crt */
+/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */
+#define TEST_CA_CRT_EC_PEM                                                 \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICBDCCAYigAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
+    "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
+    "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1AwTjAMBgNVHRMEBTADAQH/\r\n" \
+    "MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSdbSAk\r\n" \
+    "SQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMFHKrjAPpHB0BN1a\r\n" \
+    "LH8TwcJ3vh0AxeKZj30mRdOKBmg/jLS3rU3g8VQBHpn8sOTTBwIxANxPO5AerimZ\r\n" \
+    "hCjMe0d4CTHf1gFZMF70+IqEP+o5VHsIp2Cqvflb0VGWFC5l9a4cQg==\r\n"         \
     "-----END CERTIFICATE-----\r\n"
-const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
-const size_t mbedtls_test_ca_crt_ec_len = sizeof(mbedtls_test_ca_crt_ec);
+/* END FILE */
 
-const char mbedtls_test_ca_key_ec[] =
-    "-----BEGIN EC PRIVATE KEY-----\r\n"
-    "Proc-Type: 4,ENCRYPTED\r\n"
-    "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"
-    "\r\n"
-    "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n"
-    "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n"
-    "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
-    "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
-    "-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_ca_key_ec_len = sizeof(mbedtls_test_ca_key_ec);
+/* This is generated from tests/data_files/test-ca2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca2.crt.der */
+#define TEST_CA_CRT_EC_DER {                                                 \
+  0x30, 0x82, 0x02, 0x04, 0x30, 0x82, 0x01, 0x88, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,    \
+  0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,    \
+  0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39,    \
+  0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17,    \
+  0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30,    \
+  0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07,    \
+  0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04,    \
+  0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37,    \
+  0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e,    \
+  0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4,    \
+  0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc,    \
+  0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf,    \
+  0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca,    \
+  0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75,    \
+  0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20,    \
+  0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0c,    \
+  0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,    \
+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d,    \
+  0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc,    \
+  0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, 0x06, 0x03, 0x55,    \
+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24,    \
+  0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9,    \
+  0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,    \
+  0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02,    \
+  0x30, 0x51, 0xca, 0xae, 0x30, 0x0f, 0xa4, 0x70, 0x74, 0x04, 0xdd, 0x5a,    \
+  0x2c, 0x7f, 0x13, 0xc1, 0xc2, 0x77, 0xbe, 0x1d, 0x00, 0xc5, 0xe2, 0x99,    \
+  0x8f, 0x7d, 0x26, 0x45, 0xd3, 0x8a, 0x06, 0x68, 0x3f, 0x8c, 0xb4, 0xb7,    \
+  0xad, 0x4d, 0xe0, 0xf1, 0x54, 0x01, 0x1e, 0x99, 0xfc, 0xb0, 0xe4, 0xd3,    \
+  0x07, 0x02, 0x31, 0x00, 0xdc, 0x4f, 0x3b, 0x90, 0x1e, 0xae, 0x29, 0x99,    \
+  0x84, 0x28, 0xcc, 0x7b, 0x47, 0x78, 0x09, 0x31, 0xdf, 0xd6, 0x01, 0x59,    \
+  0x30, 0x5e, 0xf4, 0xf8, 0x8a, 0x84, 0x3f, 0xea, 0x39, 0x54, 0x7b, 0x08,    \
+  0xa7, 0x60, 0xaa, 0xbd, 0xf9, 0x5b, 0xd1, 0x51, 0x96, 0x14, 0x2e, 0x65,    \
+  0xf5, 0xae, 0x1c, 0x42                                                     \
+}
+/* END FILE */
 
-const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
-const size_t mbedtls_test_ca_pwd_ec_len = sizeof(mbedtls_test_ca_pwd_ec) - 1;
+/* This is taken from tests/data_files/test-ca2.key.enc */
+/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca2.key.enc */
+#define TEST_CA_KEY_EC_PEM                                                 \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"                          \
+    "\r\n"                                                                 \
+    "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" \
+    "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" \
+    "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" \
+    "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"                                 \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
 
-const char mbedtls_test_srv_crt_ec[] =
-    "-----BEGIN CERTIFICATE-----\r\n"
-    "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
-    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n"
-    "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n"
-    "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n"
-    "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n"
-    "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n"
-    "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n"
-    "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n"
-    "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
-    "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
-    "-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_ec_len = sizeof(mbedtls_test_srv_crt_ec);
+#define TEST_CA_PWD_EC_PEM "PolarSSLTest"
 
-const char mbedtls_test_srv_key_ec[] =
-    "-----BEGIN EC PRIVATE KEY-----\r\n"
-    "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n"
-    "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
-    "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
-    "-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_srv_key_ec_len = sizeof(mbedtls_test_srv_key_ec);
+/* This is generated from tests/data_files/test-ca2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca2.key.der */
+#define TEST_CA_KEY_EC_DER {                                                 \
+    0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e,  \
+    0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6,  \
+    0x11, 0x5d, 0x6d, 0xb4, 0x03, 0xe1, 0x29, 0x76, 0x45, 0xd7, 0x87, 0x6f,  \
+    0x23, 0xab, 0x44, 0x20, 0xea, 0x64, 0x7b, 0x85, 0xb1, 0x76, 0xe7, 0x85,  \
+    0x95, 0xaa, 0x74, 0xd6, 0xd1, 0xa4, 0x5e, 0xea, 0xa0, 0x07, 0x06, 0x05,  \
+    0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xc3,  \
+    0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89,  \
+    0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33,  \
+    0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f,  \
+    0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87,  \
+    0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3,  \
+    0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad,  \
+    0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55,  \
+    0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e         \
+}
+/* END FILE */
 
-const char mbedtls_test_cli_crt_ec[] =
-    "-----BEGIN CERTIFICATE-----\r\n"
-    "MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
-    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n"
-    "WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n"
-    "9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n"
-    "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n"
-    "IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n"
-    "MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n"
-    "CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n"
-    "lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
-    "LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
-    "-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_cli_crt_ec_len = sizeof(mbedtls_test_cli_crt_ec);
+/* This is taken from tests/data_files/test-ca-sha256.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */
+#define TEST_CA_CRT_RSA_SHA256_PEM                                         \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA\r\n" \
+    "A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl\r\n" \
+    "oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW\r\n" \
+    "5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb\r\n" \
+    "+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL\r\n" \
+    "yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4\r\n" \
+    "/anT1dVxr/BtwJfiESoK3/4CeXR1\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
 
-const char mbedtls_test_cli_key_ec[] =
-    "-----BEGIN EC PRIVATE KEY-----\r\n"
-    "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n"
-    "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
-    "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
-    "-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_cli_key_ec_len = sizeof(mbedtls_test_cli_key_ec);
-#endif /* MBEDTLS_ECDSA_C */
+/* This is generated from tests/data_files/test-ca-sha256.crt.der
+ * using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER tests/data_files/test-ca-sha256.crt.der */
+#define TEST_CA_CRT_RSA_SHA256_DER {                                         \
+  0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,    \
+  0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,    \
+  0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,    \
+  0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,    \
+  0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,    \
+  0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,    \
+  0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,    \
+  0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,    \
+  0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,    \
+  0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,    \
+  0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,    \
+  0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,    \
+  0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,    \
+  0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,    \
+  0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,    \
+  0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,    \
+  0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,    \
+  0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,    \
+  0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,    \
+  0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,    \
+  0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,    \
+  0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,    \
+  0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,    \
+  0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,    \
+  0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,    \
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,    \
+  0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,    \
+  0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,    \
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,    \
+  0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,    \
+  0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x01, 0x00, 0x38, 0xa8, 0x54, 0x82, 0xb6, 0x1d, 0xaa,    \
+  0xdb, 0x6b, 0x89, 0x21, 0xd1, 0x38, 0x28, 0x61, 0xc9, 0xb0, 0x98, 0xd5,    \
+  0x11, 0xfc, 0x36, 0xff, 0x19, 0xfe, 0x32, 0x44, 0xef, 0x08, 0xc7, 0xf1,    \
+  0x56, 0xbb, 0xe6, 0x46, 0xfa, 0x82, 0xb6, 0x31, 0x38, 0xb4, 0xa0, 0xe5,    \
+  0xa0, 0xae, 0x0c, 0xc4, 0x53, 0x9e, 0x93, 0x4e, 0xe8, 0x0d, 0x9c, 0x2f,    \
+  0xb4, 0x04, 0xfd, 0x8a, 0x39, 0xf5, 0x84, 0x77, 0xed, 0x4c, 0xd4, 0xbb,    \
+  0x44, 0x7f, 0x73, 0x77, 0xf7, 0xf1, 0x36, 0x97, 0xdc, 0x1e, 0x73, 0x19,    \
+  0x5d, 0x50, 0xb8, 0xc3, 0x80, 0xcd, 0x03, 0x57, 0xd2, 0x00, 0xdb, 0x56,    \
+  0xe6, 0xc6, 0x35, 0x24, 0x1e, 0x49, 0x7b, 0xd8, 0xd2, 0x72, 0xbb, 0x0b,    \
+  0x49, 0x2f, 0xa6, 0x02, 0x3c, 0xaf, 0xd0, 0xec, 0x37, 0x1d, 0xbd, 0x81,    \
+  0x8b, 0x1f, 0x30, 0xbb, 0xbc, 0x4d, 0x36, 0xb5, 0x79, 0x7c, 0x87, 0xfb,    \
+  0x51, 0xb9, 0xbe, 0xc2, 0xde, 0x92, 0xa8, 0x40, 0x71, 0xbb, 0x72, 0x9b,    \
+  0xf8, 0x47, 0xce, 0x6c, 0x04, 0xf8, 0x86, 0xe7, 0xf7, 0x73, 0x3c, 0xe7,    \
+  0x84, 0x7d, 0xc2, 0xd7, 0xb7, 0x9d, 0xe8, 0xd4, 0x9b, 0x5f, 0x0a, 0x17,    \
+  0x7d, 0xbc, 0xbb, 0xb2, 0xd5, 0x94, 0x0d, 0xe4, 0x49, 0xbf, 0x4f, 0x11,    \
+  0x68, 0x53, 0xb2, 0x91, 0xff, 0xc0, 0x69, 0xee, 0xdb, 0x63, 0x93, 0xcb,    \
+  0xc9, 0x35, 0x6b, 0x90, 0x09, 0xe2, 0x90, 0xc9, 0xed, 0x27, 0xd6, 0x08,    \
+  0xfa, 0x13, 0x4d, 0x62, 0xdd, 0xe2, 0x9e, 0xaa, 0xb5, 0xd4, 0x0e, 0x5c,    \
+  0x37, 0x4f, 0xab, 0x55, 0x3b, 0x2d, 0xf1, 0x42, 0x82, 0xc7, 0x34, 0x38,    \
+  0x1a, 0x9b, 0xeb, 0xa1, 0x2c, 0x0f, 0x29, 0x31, 0x64, 0x6c, 0xcc, 0x38,    \
+  0xfd, 0xa9, 0xd3, 0xd5, 0xd5, 0x71, 0xaf, 0xf0, 0x6d, 0xc0, 0x97, 0xe2,    \
+  0x11, 0x2a, 0x0a, 0xdf, 0xfe, 0x02, 0x79, 0x74, 0x75                       \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM tests/data_files/test-ca-sha1.crt */
+#define TEST_CA_CRT_RSA_SHA1_PEM                                           \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA\r\n" \
+    "A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI\r\n" \
+    "yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv\r\n" \
+    "czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST\r\n" \
+    "S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM\r\n" \
+    "iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS\r\n" \
+    "NWqiX9GyusBZjezaCaHabjDLU0qQ\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt.der. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER tests/data_files/test-ca-sha1.crt.der */
+#define TEST_CA_CRT_RSA_SHA1_DER {                                           \
+    0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,  \
+    0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,  \
+    0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,  \
+    0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,  \
+    0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,  \
+    0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,  \
+    0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,  \
+    0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,  \
+    0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,  \
+    0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,  \
+    0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,  \
+    0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,  \
+    0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,  \
+    0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,  \
+    0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,  \
+    0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,  \
+    0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,  \
+    0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,  \
+    0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,  \
+    0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,  \
+    0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,  \
+    0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,  \
+    0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,  \
+    0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,  \
+    0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,  \
+    0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,  \
+    0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,  \
+    0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,  \
+    0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x01, 0x00, 0x01, 0x13, 0x73, 0x84, 0x3d, 0xf1, 0x1d,  \
+    0xfd, 0xb7, 0x09, 0x5b, 0x96, 0x5d, 0x53, 0x7f, 0xd5, 0x80, 0xf3, 0x52,  \
+    0xe2, 0xd3, 0x33, 0x87, 0xc8, 0x27, 0x24, 0xff, 0xd5, 0xd8, 0x57, 0x2f,  \
+    0x16, 0xd1, 0xb2, 0x94, 0xca, 0x50, 0xab, 0xa6, 0x27, 0x10, 0x16, 0x08,  \
+    0xc8, 0x11, 0xc0, 0x2f, 0x80, 0xd1, 0xbe, 0x53, 0x18, 0xe6, 0xb9, 0xd7,  \
+    0x18, 0x1a, 0x77, 0x38, 0x34, 0x7c, 0x32, 0x9a, 0x87, 0x0b, 0xa0, 0x2a,  \
+    0xb9, 0x14, 0xc2, 0x2f, 0x38, 0xd2, 0xe7, 0xb8, 0x98, 0x7d, 0xff, 0xff,  \
+    0xe1, 0x01, 0x50, 0xa9, 0x6f, 0x67, 0xf7, 0x6c, 0xdc, 0xb6, 0xca, 0x6f,  \
+    0x73, 0x39, 0x1a, 0x3c, 0xa8, 0x23, 0xaa, 0x8d, 0x4d, 0xa3, 0x75, 0x2a,  \
+    0xd1, 0x76, 0xb3, 0xd7, 0x4a, 0xdc, 0xc7, 0x24, 0xd4, 0x3e, 0xb7, 0xf9,  \
+    0xc0, 0xd5, 0x51, 0x67, 0x65, 0x74, 0x2a, 0xf9, 0x65, 0xbc, 0x00, 0x15,  \
+    0x4b, 0x36, 0xc8, 0xe2, 0x6a, 0x5d, 0x51, 0x7c, 0xed, 0x8e, 0x14, 0x93,  \
+    0x4b, 0x90, 0x36, 0x05, 0xe5, 0x90, 0x00, 0x03, 0xab, 0xd3, 0x3a, 0xb5,  \
+    0x17, 0xb4, 0xd2, 0x45, 0x52, 0x69, 0x26, 0xce, 0xe3, 0x98, 0x1d, 0x9a,  \
+    0x8b, 0xf8, 0xa0, 0x92, 0x1d, 0x48, 0x02, 0x37, 0x2e, 0xc1, 0x5e, 0x95,  \
+    0xc2, 0x53, 0xfe, 0xb1, 0xbc, 0x34, 0x82, 0x34, 0x34, 0x36, 0x91, 0x8c,  \
+    0x88, 0x7a, 0x67, 0x97, 0x34, 0x40, 0x8b, 0xfb, 0x48, 0x6e, 0xd3, 0xaf,  \
+    0x30, 0x81, 0x8e, 0x05, 0x4d, 0x93, 0x21, 0xf6, 0xb1, 0xff, 0x98, 0xea,  \
+    0xd5, 0xa8, 0x14, 0xc7, 0x96, 0x8f, 0x99, 0x3e, 0x53, 0x58, 0x08, 0x89,  \
+    0x3c, 0xe3, 0x8f, 0xea, 0x5e, 0x71, 0x5e, 0x70, 0xf0, 0xc5, 0xe6, 0x12,  \
+    0x35, 0x6a, 0xa2, 0x5f, 0xd1, 0xb2, 0xba, 0xc0, 0x59, 0x8d, 0xec, 0xda,  \
+    0x09, 0xa1, 0xda, 0x6e, 0x30, 0xcb, 0x53, 0x4a, 0x90                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca.key */
+/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM tests/data_files/test-ca.key */
+#define TEST_CA_KEY_RSA_PEM                                                \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"                          \
+    "\r\n"                                                                 \
+    "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n" \
+    "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n" \
+    "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n" \
+    "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n" \
+    "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n" \
+    "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n" \
+    "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n" \
+    "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n" \
+    "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n" \
+    "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n" \
+    "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n" \
+    "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n" \
+    "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n" \
+    "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n" \
+    "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n" \
+    "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n" \
+    "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n" \
+    "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n" \
+    "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n" \
+    "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n" \
+    "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n" \
+    "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n" \
+    "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n" \
+    "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n" \
+    "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_RSA_PEM "PolarSSLTest"
+
+/* This was generated from test-ca.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER tests/data_files/test-ca.key.der */
+#define TEST_CA_KEY_RSA_DER {                                                \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde,  \
+    0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, 0x99, 0xd4,  \
+    0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, 0x9b, 0xc5,  \
+    0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, 0xc0, 0x8d,  \
+    0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, 0x93, 0xe8,  \
+    0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, 0xe7, 0x40,  \
+    0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, 0xf9, 0x3e,  \
+    0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, 0x29, 0x00,  \
+    0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, 0xbd, 0x83,  \
+    0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, 0x60, 0xc3,  \
+    0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, 0x32, 0xbe,  \
+    0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, 0xfb, 0xf5,  \
+    0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, 0xee, 0xe2,  \
+    0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, 0x47, 0xb1,  \
+    0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, 0xf1, 0x79,  \
+    0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, 0x6f, 0x27,  \
+    0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, 0xa1, 0x30,  \
+    0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, 0x28, 0xd1,  \
+    0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, 0x09, 0xea,  \
+    0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, 0xc9, 0xab,  \
+    0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, 0x9e, 0x99,  \
+    0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x3f, 0xf7, 0x07, 0xd3, 0x34, 0x6f, 0xdb, 0xc9, 0x37, 0xb7, 0x84,  \
+    0xdc, 0x37, 0x45, 0xe1, 0x63, 0xad, 0xb8, 0xb6, 0x75, 0xb1, 0xc7, 0x35,  \
+    0xb4, 0x77, 0x2a, 0x5b, 0x77, 0xf9, 0x7e, 0xe0, 0xc1, 0xa3, 0xd1, 0xb7,  \
+    0xcb, 0xa9, 0x5a, 0xc1, 0x87, 0xda, 0x5a, 0xfa, 0x17, 0xe4, 0xd5, 0x38,  \
+    0x03, 0xde, 0x68, 0x98, 0x81, 0xec, 0xb5, 0xf2, 0x2a, 0x8d, 0xe9, 0x2c,  \
+    0xf3, 0xa6, 0xe5, 0x32, 0x17, 0x7f, 0x33, 0x81, 0xe8, 0x38, 0x72, 0xd5,  \
+    0x9c, 0xfa, 0x4e, 0xfb, 0x26, 0xf5, 0x15, 0x0b, 0xaf, 0x84, 0x66, 0xab,  \
+    0x02, 0xe0, 0x18, 0xd5, 0x91, 0x7c, 0xd6, 0x8f, 0xc9, 0x4b, 0x76, 0x08,  \
+    0x2b, 0x1d, 0x81, 0x68, 0x30, 0xe1, 0xfa, 0x70, 0x6c, 0x13, 0x4e, 0x10,  \
+    0x03, 0x35, 0x3e, 0xc5, 0xca, 0x58, 0x20, 0x8a, 0x21, 0x18, 0x38, 0xa0,  \
+    0x0f, 0xed, 0xc4, 0xbb, 0x45, 0x6f, 0xf5, 0x84, 0x5b, 0xb0, 0xcf, 0x4e,  \
+    0x9d, 0x58, 0x13, 0x6b, 0x35, 0x35, 0x69, 0xa1, 0xd2, 0xc4, 0xf2, 0xc1,  \
+    0x48, 0x04, 0x20, 0x51, 0xb9, 0x6b, 0xa4, 0x5d, 0xa5, 0x4b, 0x84, 0x88,  \
+    0x43, 0x48, 0x99, 0x2c, 0xbb, 0xa4, 0x97, 0xd6, 0xd6, 0x18, 0xf6, 0xec,  \
+    0x5c, 0xd1, 0x31, 0x49, 0xc9, 0xf2, 0x8f, 0x0b, 0x4d, 0xef, 0x09, 0x02,  \
+    0xfe, 0x7d, 0xfd, 0xbb, 0xaf, 0x2b, 0x83, 0x94, 0x22, 0xc4, 0xa7, 0x3e,  \
+    0x66, 0xf5, 0xe0, 0x57, 0xdc, 0xf2, 0xed, 0x2c, 0x3e, 0x81, 0x74, 0x76,  \
+    0x1e, 0x96, 0x6f, 0x74, 0x1e, 0x32, 0x0e, 0x14, 0x31, 0xd0, 0x74, 0xf0,  \
+    0xf4, 0x07, 0xbd, 0xc3, 0xd1, 0x22, 0xc2, 0xa8, 0x95, 0x92, 0x06, 0x7f,  \
+    0x43, 0x02, 0x91, 0xbc, 0xdd, 0x23, 0x01, 0x89, 0x94, 0x20, 0x44, 0x64,  \
+    0xf5, 0x1d, 0x67, 0xd2, 0x8f, 0xe8, 0x69, 0xa5, 0x29, 0x25, 0xe6, 0x50,  \
+    0x9c, 0xe3, 0xe9, 0xcb, 0x75, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x29, 0x3e,  \
+    0xaa, 0x6b, 0xd5, 0x59, 0x1e, 0x9c, 0xe6, 0x47, 0xd5, 0xb6, 0xd7, 0xe3,  \
+    0xf1, 0x8e, 0x9e, 0xe9, 0x83, 0x5f, 0x10, 0x9f, 0x63, 0xec, 0x04, 0x44,  \
+    0xcc, 0x3f, 0xf8, 0xd9, 0x3a, 0x17, 0xe0, 0x4f, 0xfe, 0xd8, 0x4d, 0xcd,  \
+    0x46, 0x54, 0x74, 0xbf, 0x0a, 0xc4, 0x67, 0x9c, 0xa7, 0xd8, 0x89, 0x65,  \
+    0x4c, 0xfd, 0x58, 0x2a, 0x47, 0x0f, 0xf4, 0x37, 0xb6, 0x55, 0xb0, 0x1d,  \
+    0xed, 0xa7, 0x39, 0xfc, 0x4f, 0xa3, 0xc4, 0x75, 0x3a, 0xa3, 0x98, 0xa7,  \
+    0x45, 0xf5, 0x66, 0xcb, 0x7c, 0x65, 0xfb, 0x80, 0x23, 0xe6, 0xff, 0xfd,  \
+    0x99, 0x1f, 0x8e, 0x6b, 0xff, 0x5e, 0x93, 0x66, 0xdf, 0x6c, 0x6f, 0xc3,  \
+    0xf6, 0x38, 0x2e, 0xff, 0x69, 0xb5, 0xac, 0xae, 0xbb, 0xc6, 0x71, 0x16,  \
+    0x6b, 0xd0, 0xf8, 0x22, 0xd9, 0xf8, 0xa2, 0x72, 0x20, 0xd2, 0xe2, 0x3a,  \
+    0x70, 0x4b, 0xde, 0xab, 0x2f, 0x02, 0x81, 0x81, 0x00, 0xda, 0x51, 0x9b,  \
+    0xb8, 0xb2, 0x2a, 0x14, 0x75, 0x58, 0x40, 0x8d, 0x27, 0x70, 0xfa, 0x31,  \
+    0x48, 0xb0, 0x20, 0x21, 0x34, 0xfa, 0x4c, 0x57, 0xa8, 0x11, 0x88, 0xf3,  \
+    0xa7, 0xae, 0x21, 0xe9, 0xb6, 0x2b, 0xd1, 0xcd, 0xa7, 0xf8, 0xd8, 0x0c,  \
+    0x8a, 0x76, 0x22, 0x35, 0x44, 0xce, 0x3f, 0x25, 0x29, 0x83, 0x7d, 0x79,  \
+    0xa7, 0x31, 0xd6, 0xec, 0xb2, 0xbf, 0xda, 0x34, 0xb6, 0xf6, 0xb2, 0x3b,  \
+    0xf3, 0x78, 0x5a, 0x04, 0x83, 0x33, 0x3e, 0xa2, 0xe2, 0x81, 0x82, 0x13,  \
+    0xd4, 0x35, 0x17, 0x63, 0x9b, 0x9e, 0xc4, 0x8d, 0x91, 0x4c, 0x03, 0x77,  \
+    0xc7, 0x71, 0x5b, 0xee, 0x83, 0x6d, 0xd5, 0x78, 0x88, 0xf6, 0x2c, 0x79,  \
+    0xc2, 0x4a, 0xb4, 0x79, 0x90, 0x70, 0xbf, 0xdf, 0x34, 0x56, 0x96, 0x71,  \
+    0xe3, 0x0e, 0x68, 0x91, 0xbc, 0xea, 0xcb, 0x33, 0xc0, 0xbe, 0x45, 0xd7,  \
+    0xfc, 0x30, 0xfd, 0x01, 0x3b, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x9f, 0x2a,  \
+    0xb7, 0x38, 0x19, 0xc7, 0x17, 0x95, 0x73, 0x78, 0xae, 0xf5, 0xcb, 0x75,  \
+    0x83, 0x7f, 0x19, 0x4b, 0xcb, 0x86, 0xfb, 0x4a, 0x15, 0x9a, 0xb6, 0x17,  \
+    0x04, 0x49, 0x07, 0x8d, 0xf6, 0x66, 0x4a, 0x06, 0xf6, 0x05, 0xa7, 0xdf,  \
+    0x66, 0x82, 0x3c, 0xff, 0xb6, 0x1d, 0x57, 0x89, 0x33, 0x5f, 0x9c, 0x05,  \
+    0x75, 0x7f, 0xf3, 0x5d, 0xdc, 0x34, 0x65, 0x72, 0x85, 0x22, 0xa4, 0x14,  \
+    0x1b, 0x41, 0xc3, 0xe4, 0xd0, 0x9e, 0x69, 0xd5, 0xeb, 0x38, 0x74, 0x70,  \
+    0x43, 0xdc, 0xd9, 0x50, 0xe4, 0x97, 0x6d, 0x73, 0xd6, 0xfb, 0xc8, 0xa7,  \
+    0xfa, 0xb4, 0xc2, 0xc4, 0x9d, 0x5d, 0x0c, 0xd5, 0x9f, 0x79, 0xb3, 0x54,  \
+    0xc2, 0xb7, 0x6c, 0x3d, 0x7d, 0xcb, 0x2d, 0xf8, 0xc4, 0xf3, 0x78, 0x5a,  \
+    0x33, 0x2a, 0xb8, 0x0c, 0x6d, 0x06, 0xfa, 0xf2, 0x62, 0xd3, 0x42, 0xd0,  \
+    0xbd, 0xc8, 0x4a, 0xa5, 0x0d, 0x02, 0x81, 0x81, 0x00, 0xd4, 0xa9, 0x90,  \
+    0x15, 0xde, 0xbf, 0x2c, 0xc4, 0x8d, 0x9d, 0xfb, 0xa1, 0xc2, 0xe4, 0x83,  \
+    0xe3, 0x79, 0x65, 0x22, 0xd3, 0xb7, 0x49, 0x6c, 0x4d, 0x94, 0x1f, 0x22,  \
+    0xb1, 0x60, 0xe7, 0x3a, 0x00, 0xb1, 0x38, 0xa2, 0xab, 0x0f, 0xb4, 0x6c,  \
+    0xaa, 0xe7, 0x9e, 0x34, 0xe3, 0x7c, 0x40, 0x78, 0x53, 0xb2, 0xf9, 0x23,  \
+    0xea, 0xa0, 0x9a, 0xea, 0x60, 0xc8, 0x8f, 0xa6, 0xaf, 0xdf, 0x29, 0x09,  \
+    0x4b, 0x06, 0x1e, 0x31, 0xad, 0x17, 0xda, 0xd8, 0xd1, 0xe9, 0x33, 0xab,  \
+    0x5b, 0x18, 0x08, 0x5b, 0x87, 0xf8, 0xa5, 0x1f, 0xfd, 0xbb, 0xdc, 0xd8,  \
+    0xed, 0x97, 0x57, 0xe4, 0xc3, 0x73, 0xd6, 0xf0, 0x9e, 0x01, 0xa6, 0x9b,  \
+    0x48, 0x8e, 0x7a, 0xb4, 0xbb, 0xe5, 0x88, 0x91, 0xc5, 0x2a, 0xdf, 0x4b,  \
+    0xba, 0xd0, 0x8b, 0x3e, 0x03, 0x97, 0x77, 0x2f, 0x47, 0x7e, 0x51, 0x0c,  \
+    0xae, 0x65, 0x8d, 0xde, 0x87, 0x02, 0x81, 0x80, 0x20, 0x24, 0x0f, 0xd2,  \
+    0xaf, 0xc2, 0x28, 0x3b, 0x97, 0x20, 0xb2, 0x92, 0x49, 0xeb, 0x09, 0x68,  \
+    0x40, 0xb2, 0xbe, 0xd1, 0xc3, 0x83, 0x94, 0x34, 0x38, 0xd6, 0xc9, 0xec,  \
+    0x34, 0x09, 0xf9, 0x41, 0x6d, 0x5c, 0x42, 0x94, 0xf7, 0x04, 0xfc, 0x32,  \
+    0x39, 0x69, 0xbc, 0x1c, 0xfb, 0x3e, 0x61, 0x98, 0xc0, 0x80, 0xd8, 0x36,  \
+    0x47, 0xc3, 0x6d, 0xc2, 0x2e, 0xe7, 0x81, 0x2a, 0x17, 0x34, 0x64, 0x30,  \
+    0x4e, 0x96, 0xbb, 0x26, 0x16, 0xb9, 0x41, 0x36, 0xfe, 0x8a, 0xd6, 0x53,  \
+    0x7c, 0xaa, 0xec, 0x39, 0x42, 0x50, 0xef, 0xe3, 0xb3, 0x01, 0x28, 0x32,  \
+    0xca, 0x6d, 0xf5, 0x9a, 0x1e, 0x9f, 0x37, 0xbe, 0xfe, 0x38, 0x20, 0x22,  \
+    0x91, 0x8c, 0xcd, 0x95, 0x02, 0xf2, 0x4d, 0x6f, 0x1a, 0xb4, 0x43, 0xf0,  \
+    0x19, 0xdf, 0x65, 0xc0, 0x92, 0xe7, 0x9d, 0x2f, 0x09, 0xe7, 0xec, 0x69,  \
+    0xa8, 0xc2, 0x8f, 0x0d                                                   \
+}
+/* END FILE */
+
+/*
+ * Test server Certificates
+ *
+ * Test server certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/server5.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */
+#define TEST_SRV_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
+    "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
+    "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
+    "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
+    "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" \
+    "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
+    "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" \
+    "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" \
+    "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server5.crt.der */
+#define TEST_SRV_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x02, 0x1f, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35,  \
+    0x32, 0x30, 0x34, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59,  \
+    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,  \
+    0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7,  \
+    0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0,  \
+    0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00,  \
+    0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd,  \
+    0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa,  \
+    0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d,  \
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5,  \
+    0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c,  \
+    0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,  \
+    0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,  \
+    0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,  \
+    0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,  \
+    0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68, 0x00,  \
+    0x30, 0x65, 0x02, 0x31, 0x00, 0x9a, 0x2c, 0x5c, 0xd7, 0xa6, 0xdb, 0xa2,  \
+    0xe5, 0x64, 0x0d, 0xf0, 0xb9, 0x4e, 0xdd, 0xd7, 0x61, 0xd6, 0x13, 0x31,  \
+    0xc7, 0xab, 0x73, 0x80, 0xbb, 0xd3, 0xd3, 0x73, 0x13, 0x54, 0xad, 0x92,  \
+    0x0b, 0x5d, 0xab, 0xd0, 0xbc, 0xf7, 0xae, 0x2f, 0xe6, 0xa1, 0x21, 0x29,  \
+    0x35, 0x95, 0xaa, 0x3e, 0x39, 0x02, 0x30, 0x21, 0x36, 0x7f, 0x9d, 0xc6,  \
+    0x5d, 0xc6, 0x0b, 0xab, 0x27, 0xf2, 0x25, 0x1d, 0x3b, 0xf1, 0xcf, 0xf1,  \
+    0x35, 0x25, 0x14, 0xe7, 0xe5, 0xf1, 0x97, 0xb5, 0x59, 0xe3, 0x5e, 0x15,  \
+    0x7c, 0x66, 0xb9, 0x90, 0x7b, 0xc7, 0x01, 0x10, 0x4f, 0x73, 0xc6, 0x00,  \
+    0x21, 0x52, 0x2a, 0x0e, 0xf1, 0xc7, 0xd5                                 \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server5.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server5.key */
+#define TEST_SRV_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" \
+    "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server5.key.der */
+#define TEST_SRV_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76,  \
+    0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a,  \
+    0x5d, 0x86, 0xc8, 0xa2, 0x04, 0xf2, 0xc3, 0x0c, 0xa9, 0xeb, 0xf5, 0x1f,  \
+    0x0f, 0x0e, 0xa7, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x37, 0xcc, 0x56,  \
+    0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, 0x59, 0x2d, 0xff, 0x20,  \
+    0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, 0xad, 0x14, 0xb5, 0xf7,  \
+    0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, 0xd8, 0x23, 0x11, 0xff,  \
+    0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, 0x8a, 0x88, 0xc2, 0x6b,  \
+    0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, 0x01, 0xc8, 0xb4, 0xed,  \
+    0xff                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256_PEM                                        \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh\r\n" \
+    "Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U\r\n" \
+    "HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9\r\n" \
+    "1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv\r\n" \
+    "a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0\r\n" \
+    "e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo\r\n" \
+    "pMZqLmbBm/7WPLc=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER tests/data_files/server2-sha256.crt.der */
+#define TEST_SRV_CRT_RSA_SHA256_DER {                                        \
+  0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,    \
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,    \
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,    \
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,    \
+  0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,    \
+  0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,    \
+  0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,    \
+  0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,    \
+  0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,    \
+  0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,    \
+  0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,    \
+  0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,    \
+  0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,    \
+  0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,    \
+  0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,    \
+  0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,    \
+  0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,    \
+  0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,    \
+  0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,    \
+  0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,    \
+  0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,    \
+  0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,    \
+  0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,    \
+  0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,    \
+  0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,    \
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,    \
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,    \
+  0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,    \
+  0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,    \
+  0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,    \
+  0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,    \
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,    \
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2e, 0x3a, 0xe4, 0x52, 0x61,    \
+  0x3e, 0xa7, 0xa5, 0xef, 0x32, 0x67, 0x80, 0x72, 0x07, 0x26, 0xba, 0xa3,    \
+  0xff, 0x05, 0x40, 0xc4, 0x60, 0x05, 0x39, 0x31, 0x77, 0xf7, 0xa5, 0xca,    \
+  0x01, 0x31, 0x80, 0xa7, 0xe1, 0xd1, 0x0a, 0xa2, 0x7c, 0xd5, 0x1c, 0xba,    \
+  0xd0, 0x23, 0x4a, 0xd6, 0x30, 0xf3, 0x93, 0xc7, 0x6f, 0xe8, 0xce, 0x94,    \
+  0x1e, 0x84, 0xbb, 0x44, 0x81, 0x62, 0x33, 0xff, 0x6b, 0x5d, 0x00, 0x9b,    \
+  0x25, 0xf8, 0x8f, 0x0f, 0x9c, 0x4c, 0x4d, 0xe8, 0xd9, 0xa7, 0x99, 0xf9,    \
+  0x51, 0x81, 0xc0, 0x9b, 0x1b, 0x31, 0x0d, 0xa6, 0xb3, 0x7c, 0x0e, 0x45,    \
+  0xb8, 0x18, 0x64, 0x7e, 0x89, 0x0a, 0x2b, 0xa8, 0xc3, 0xe0, 0x4a, 0xbd,    \
+  0xd4, 0x2f, 0x78, 0xc4, 0x62, 0x9b, 0xe9, 0x7e, 0x3f, 0x56, 0x46, 0x8f,    \
+  0x17, 0xb7, 0x2a, 0xa0, 0x10, 0x70, 0xfd, 0xb1, 0xf1, 0x6b, 0x05, 0xdc,    \
+  0xd1, 0x41, 0x0f, 0x8e, 0xa6, 0xb2, 0x88, 0x1a, 0x42, 0x61, 0x4f, 0xeb,    \
+  0x26, 0x85, 0x59, 0x80, 0xba, 0x85, 0x54, 0xfe, 0xcf, 0xc7, 0x7b, 0x2f,    \
+  0x6b, 0x59, 0xce, 0xac, 0xdc, 0x7c, 0xac, 0xf3, 0xc8, 0xd6, 0x12, 0x7e,    \
+  0x64, 0xe8, 0x3c, 0x99, 0xa8, 0x8f, 0x4f, 0x11, 0xd9, 0x9c, 0x15, 0x4b,    \
+  0x6a, 0x44, 0x92, 0x2d, 0x0c, 0xbf, 0xb1, 0x67, 0x96, 0xc9, 0xac, 0xce,    \
+  0xd5, 0x19, 0xeb, 0x6f, 0x18, 0xeb, 0x6e, 0x04, 0x2d, 0x60, 0xac, 0xf4,    \
+  0x7b, 0x79, 0xf0, 0x1a, 0x9b, 0xb5, 0xc3, 0x5d, 0xef, 0x7d, 0xc9, 0x05,    \
+  0x99, 0x44, 0x81, 0x84, 0x75, 0xc7, 0xec, 0x00, 0x12, 0xfc, 0x7a, 0x4a,    \
+  0x0b, 0x82, 0x07, 0xec, 0x6d, 0x86, 0x02, 0x4d, 0xfe, 0x9f, 0xc8, 0x92,    \
+  0x48, 0xde, 0xf5, 0xb1, 0x9c, 0xe9, 0xc6, 0x89, 0xd0, 0xc1, 0x56, 0xe8,    \
+  0xa4, 0xc6, 0x6a, 0x2e, 0x66, 0xc1, 0x9b, 0xfe, 0xd6, 0x3c, 0xb7           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1_PEM                                       \
+"-----BEGIN CERTIFICATE-----\r\n"                                       \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
+"MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
+"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"  \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"  \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"  \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"  \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"  \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"  \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"  \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"  \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4\r\n"  \
+"cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A\r\n"  \
+"O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc\r\n"  \
+"KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE\r\n"  \
+"iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp\r\n"  \
+"HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap\r\n"  \
+"Awgk0+4m0T25cNs=\r\n"                                                  \
+"-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER tests/data_files/server2.crt.der */
+#define TEST_SRV_CRT_RSA_SHA1_DER {                                          \
+    0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,  \
+    0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,  \
+    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,  \
+    0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,  \
+    0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,  \
+    0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,  \
+    0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,  \
+    0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,  \
+    0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,  \
+    0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,  \
+    0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,  \
+    0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,  \
+    0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,  \
+    0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,  \
+    0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,  \
+    0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,  \
+    0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,  \
+    0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,  \
+    0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,  \
+    0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,  \
+    0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,  \
+    0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,  \
+    0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,  \
+    0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,  \
+    0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,  \
+    0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,  \
+    0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,  \
+    0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,  \
+    0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,  \
+    0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,  \
+    0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,  \
+    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,  \
+    0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x01, 0x73, 0x0b, 0x4a, 0xc5,  \
+    0xcb, 0xa0, 0xde, 0xf1, 0x63, 0x1c, 0x76, 0x04, 0x2b, 0x13, 0x0d, 0xc0,  \
+    0x84, 0x11, 0xc5, 0x8f, 0x3a, 0xa7, 0xc5, 0x9c, 0x35, 0x7a, 0x77, 0xb8,  \
+    0x20, 0x14, 0x82, 0xee, 0x54, 0xf0, 0xf2, 0xb0, 0x52, 0xcb, 0x78, 0xce,  \
+    0x59, 0x07, 0x4f, 0x51, 0x69, 0xfe, 0xd3, 0x2f, 0xe9, 0x09, 0xe7, 0x85,  \
+    0x92, 0xd8, 0xba, 0xb1, 0xeb, 0xc5, 0x76, 0x5d, 0x61, 0x2d, 0xe9, 0x86,  \
+    0xb5, 0xde, 0x2a, 0xf9, 0x3f, 0x53, 0x28, 0x42, 0x86, 0x83, 0x73, 0x43,  \
+    0xe0, 0x04, 0x5f, 0x07, 0x90, 0x14, 0x65, 0x9f, 0x6e, 0x10, 0x7a, 0xbc,  \
+    0x58, 0x19, 0x22, 0xc2, 0xeb, 0x39, 0x72, 0x51, 0x92, 0xd7, 0xb4, 0x1d,  \
+    0x75, 0x2f, 0xd3, 0x3a, 0x2b, 0x01, 0xe7, 0xdb, 0x50, 0xae, 0xe2, 0xf1,  \
+    0xd4, 0x4d, 0x5b, 0x3c, 0xbb, 0x41, 0x2b, 0x2a, 0xa4, 0xe2, 0x4a, 0x02,  \
+    0xe5, 0x60, 0x14, 0x2c, 0x9c, 0x1f, 0xa6, 0xcc, 0x06, 0x4b, 0x25, 0x89,  \
+    0x4e, 0x96, 0x30, 0x22, 0x9c, 0x5c, 0x58, 0x4d, 0xc3, 0xda, 0xd0, 0x6e,  \
+    0x50, 0x1e, 0x8c, 0x65, 0xf5, 0xd9, 0x17, 0x35, 0xa6, 0x58, 0x43, 0xb2,  \
+    0x29, 0xb7, 0xa8, 0x5e, 0x35, 0xde, 0xf0, 0x60, 0x42, 0x1a, 0x01, 0xcb,  \
+    0xcb, 0x0b, 0xd8, 0x0e, 0xc1, 0x90, 0xdf, 0xa1, 0xd2, 0x1a, 0xd1, 0x2c,  \
+    0x02, 0xf4, 0x76, 0x41, 0xa4, 0xcb, 0x4b, 0x15, 0x98, 0x71, 0xf9, 0x35,  \
+    0x7d, 0xb0, 0xe7, 0xe2, 0x34, 0x96, 0x91, 0xbe, 0x32, 0x67, 0x2d, 0x6b,  \
+    0xd3, 0x55, 0x04, 0x8a, 0x01, 0x50, 0xb4, 0xe3, 0x62, 0x78, 0x6c, 0x11,  \
+    0x15, 0xa5, 0x2a, 0x11, 0xc1, 0x49, 0x1c, 0x9b, 0xc4, 0x10, 0x65, 0x60,  \
+    0x87, 0xd9, 0x1e, 0x69, 0x59, 0x4e, 0x8f, 0x6b, 0xeb, 0xc1, 0xfe, 0x6b,  \
+    0xe2, 0x63, 0x78, 0x95, 0x6e, 0xe0, 0x2d, 0xd7, 0xa7, 0x37, 0xa8         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM tests/data_files/server2.key */
+#define TEST_SRV_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \
+    "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" \
+    "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" \
+    "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" \
+    "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" \
+    "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" \
+    "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" \
+    "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" \
+    "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" \
+    "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" \
+    "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" \
+    "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" \
+    "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" \
+    "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" \
+    "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" \
+    "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" \
+    "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" \
+    "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" \
+    "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" \
+    "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" \
+    "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" \
+    "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" \
+    "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" \
+    "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" \
+    "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/server2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER tests/data_files/server2.key.der */
+#define TEST_SRV_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72,  \
+    0xb8, 0x99, 0xac, 0x0e, 0x78, 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13,  \
+    0x16, 0xd0, 0x5a, 0xe4, 0xcd, 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b,  \
+    0x96, 0xa7, 0x52, 0xb4, 0x90, 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a,  \
+    0xfc, 0xb6, 0x34, 0xac, 0x24, 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c,  \
+    0xb0, 0x28, 0x7d, 0xa1, 0xda, 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc,  \
+    0xfe, 0xc1, 0x04, 0x52, 0xb3, 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76,  \
+    0xd8, 0x90, 0xc1, 0x61, 0xb4, 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa,  \
+    0xab, 0x74, 0x5e, 0x07, 0x7d, 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0,  \
+    0xd9, 0x0d, 0x1c, 0x2d, 0x49, 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8,  \
+    0x0b, 0x8a, 0x4f, 0x69, 0x0c, 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10,  \
+    0x66, 0x7d, 0xae, 0x54, 0x2b, 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61,  \
+    0xc3, 0xcd, 0x40, 0x49, 0x08, 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2,  \
+    0x46, 0xbf, 0xd0, 0xb8, 0xaa, 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a,  \
+    0x1e, 0x44, 0x18, 0x0f, 0x0f, 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2,  \
+    0x18, 0xc6, 0x62, 0x2f, 0xc7, 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3,  \
+    0x27, 0x89, 0x29, 0x01, 0xc5, 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8,  \
+    0x4a, 0x0e, 0xef, 0xd6, 0xde, 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d,  \
+    0x7a, 0xc4, 0x02, 0x3c, 0x9a, 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b,  \
+    0xcb, 0x73, 0x4b, 0x52, 0x96, 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69,  \
+    0x39, 0x5a, 0xd3, 0x0f, 0xb0, 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea,  \
+    0x12, 0x01, 0x30, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0x97, 0x47, 0x44, 0xbc, 0x10, 0x81, 0xc5, 0x18, 0xe4, 0x59,  \
+    0xfb, 0xe0, 0x2d, 0x3a, 0x0e, 0x9e, 0x10, 0xdc, 0x43, 0xfb, 0x15, 0x6c,  \
+    0xd1, 0xfd, 0x48, 0x78, 0x6c, 0xf9, 0xed, 0x38, 0xe8, 0xdd, 0x09, 0xd7,  \
+    0x5f, 0xb5, 0x41, 0x64, 0xd7, 0x63, 0xfa, 0x9d, 0x44, 0x0a, 0xf8, 0x42,  \
+    0x13, 0xf1, 0xbb, 0x5e, 0x79, 0x20, 0x53, 0x98, 0x4b, 0x65, 0x7f, 0x86,  \
+    0x67, 0x48, 0xe4, 0xcf, 0xfb, 0x6a, 0x24, 0xe2, 0x34, 0xbd, 0x14, 0x9d,  \
+    0x2c, 0x16, 0xe2, 0xa4, 0x79, 0xd6, 0xa2, 0xec, 0x81, 0x43, 0x87, 0xbf,  \
+    0x03, 0x5c, 0x88, 0x25, 0xd9, 0x41, 0xb6, 0xa5, 0xf1, 0x27, 0x52, 0x84,  \
+    0xfe, 0x2b, 0x6e, 0x1d, 0x16, 0xcd, 0x73, 0x88, 0xf8, 0x90, 0xbf, 0x19,  \
+    0xfe, 0xbe, 0xa9, 0xbf, 0x09, 0xd3, 0x23, 0x43, 0xd2, 0xc7, 0x61, 0x2a,  \
+    0xb3, 0x4e, 0x3c, 0x61, 0xd4, 0xbd, 0xd8, 0xb4, 0xfa, 0xa8, 0x0b, 0xf8,  \
+    0x7e, 0x56, 0xcd, 0x0f, 0x13, 0x27, 0xda, 0xe6, 0x3b, 0xb3, 0x8c, 0x9c,  \
+    0x4b, 0x84, 0x3c, 0xc3, 0x52, 0x57, 0x9c, 0x27, 0x9a, 0x02, 0x76, 0x26,  \
+    0x59, 0x82, 0x39, 0xc3, 0x13, 0xbe, 0x6e, 0xf4, 0x44, 0x2d, 0x1d, 0x8c,  \
+    0x73, 0x3e, 0x43, 0x99, 0x59, 0xcb, 0xf2, 0x34, 0x72, 0x9a, 0x5e, 0xa5,  \
+    0xeb, 0x9f, 0x36, 0x6d, 0x2b, 0xf9, 0xa2, 0xe7, 0xd1, 0x78, 0x52, 0x1b,  \
+    0xc8, 0xf6, 0x5b, 0x41, 0x69, 0x57, 0x81, 0x89, 0xe9, 0xbb, 0xa1, 0xde,  \
+    0x19, 0x37, 0x3b, 0x13, 0x5c, 0xca, 0x61, 0x01, 0x86, 0xff, 0xdf, 0x83,  \
+    0x41, 0x49, 0x7f, 0xd6, 0xf4, 0x2e, 0x08, 0xfa, 0x90, 0xc2, 0x7c, 0xb4,  \
+    0xb5, 0x0a, 0x17, 0xdb, 0x0e, 0x6d, 0x75, 0x8a, 0x5d, 0x31, 0xd5, 0x66,  \
+    0xfb, 0x39, 0x0b, 0xb5, 0xb6, 0xa3, 0xcd, 0xd4, 0xef, 0x88, 0x92, 0x5a,  \
+    0x4d, 0x6c, 0xcb, 0xea, 0x5b, 0x79, 0x02, 0x81, 0x81, 0x00, 0xdf, 0x3a,  \
+    0xf9, 0x25, 0x5e, 0x24, 0x37, 0x26, 0x40, 0x97, 0x2f, 0xe0, 0x4a, 0xba,  \
+    0x52, 0x1b, 0x51, 0xaf, 0x84, 0x06, 0x32, 0x24, 0x0c, 0xcf, 0x44, 0xa8,  \
+    0x77, 0xa7, 0xad, 0xb5, 0x8c, 0x58, 0xcc, 0xc8, 0x31, 0xb7, 0x0d, 0xbc,  \
+    0x08, 0x8a, 0xe0, 0xa6, 0x8c, 0xc2, 0x73, 0xe5, 0x1a, 0x64, 0x92, 0xe8,  \
+    0xed, 0x4c, 0x6f, 0x0b, 0xa6, 0xa7, 0xf3, 0x9a, 0xf5, 0x6f, 0x69, 0xca,  \
+    0x3c, 0x22, 0xd0, 0x15, 0xa8, 0x20, 0x27, 0x41, 0xf8, 0x43, 0x42, 0x7f,  \
+    0xb1, 0x93, 0xa1, 0x04, 0x85, 0xda, 0xa0, 0x1c, 0xd6, 0xc6, 0xf7, 0x8a,  \
+    0x9e, 0xea, 0x5c, 0x78, 0xa7, 0x55, 0xc4, 0x6b, 0x05, 0x8b, 0xc0, 0x83,  \
+    0xcb, 0xce, 0x83, 0x05, 0xf8, 0xb2, 0x16, 0x2b, 0xdf, 0x06, 0x3f, 0xb8,  \
+    0xec, 0x16, 0xda, 0x43, 0x33, 0xc1, 0x8f, 0xb0, 0xb8, 0xac, 0xae, 0xd4,  \
+    0x94, 0xb8, 0xda, 0x6f, 0x6a, 0xc3, 0x02, 0x81, 0x81, 0x00, 0xdd, 0xae,  \
+    0x00, 0xcd, 0xa0, 0x72, 0x1a, 0x05, 0x8a, 0xee, 0x2f, 0xd4, 0x71, 0x4b,  \
+    0xf0, 0x3e, 0xe5, 0xc1, 0xe1, 0x29, 0x8b, 0xa6, 0x67, 0x30, 0x98, 0xe7,  \
+    0x12, 0xef, 0xdd, 0x12, 0x01, 0x90, 0x24, 0x58, 0xf0, 0x76, 0x92, 0xe7,  \
+    0x3d, 0xbb, 0x23, 0xe1, 0xce, 0xf9, 0xa1, 0xd4, 0x38, 0x1b, 0x3f, 0x20,  \
+    0xb3, 0x0f, 0x65, 0x6a, 0x8f, 0x55, 0x57, 0x36, 0xee, 0xb2, 0x84, 0x44,  \
+    0xfc, 0x91, 0x88, 0xe1, 0xa4, 0xdd, 0x3b, 0x4a, 0x40, 0x4d, 0x7c, 0x86,  \
+    0xed, 0xe1, 0xb5, 0x42, 0xef, 0xb9, 0x61, 0xcd, 0x58, 0x19, 0x77, 0x02,  \
+    0xae, 0x58, 0x80, 0xdb, 0x13, 0x3d, 0xc7, 0x1f, 0x9d, 0xed, 0xff, 0xac,  \
+    0x98, 0xfc, 0xcd, 0xf9, 0x62, 0x04, 0x83, 0x91, 0x89, 0x0d, 0x86, 0x43,  \
+    0x8c, 0x0c, 0xc7, 0x1b, 0x90, 0x4d, 0xbe, 0x2f, 0xc5, 0x7c, 0xcd, 0x42,  \
+    0xf5, 0xd3, 0xad, 0x8e, 0xfd, 0x9d, 0x02, 0x81, 0x80, 0x17, 0x4b, 0x79,  \
+    0x2a, 0x6c, 0x1b, 0x8d, 0x61, 0xc1, 0x85, 0xc5, 0x6a, 0x3b, 0x82, 0x1c,  \
+    0x05, 0x5b, 0xcd, 0xdc, 0x12, 0x25, 0x73, 0x5b, 0x9e, 0xd9, 0x84, 0x57,  \
+    0x10, 0x39, 0x71, 0x63, 0x96, 0xf4, 0xaf, 0xc3, 0x78, 0x5d, 0xc7, 0x8c,  \
+    0x80, 0xa9, 0x96, 0xd7, 0xc3, 0x87, 0x02, 0x96, 0x71, 0x7e, 0x5f, 0x2e,  \
+    0x3c, 0x36, 0xae, 0x59, 0x92, 0xd7, 0x3a, 0x09, 0x78, 0xb9, 0xea, 0x6f,  \
+    0xc2, 0x16, 0x42, 0xdc, 0x4b, 0x96, 0xad, 0x2c, 0xb2, 0x20, 0x23, 0x61,  \
+    0x2d, 0x8d, 0xb5, 0x02, 0x1e, 0xe1, 0x6c, 0x81, 0x01, 0x3c, 0x5d, 0xcb,  \
+    0xdd, 0x9b, 0x0e, 0xc0, 0x2f, 0x94, 0x12, 0xb2, 0xfe, 0x75, 0x75, 0x8b,  \
+    0x74, 0x1e, 0x7a, 0x26, 0x0c, 0xb7, 0x81, 0x96, 0x81, 0x79, 0x6e, 0xdb,  \
+    0xbc, 0x3a, 0xc4, 0x9e, 0x87, 0x09, 0x6e, 0xa0, 0xa6, 0xec, 0x8b, 0xa4,  \
+    0x85, 0x71, 0xce, 0x04, 0xaf, 0x02, 0x81, 0x81, 0x00, 0xc2, 0xa7, 0x47,  \
+    0x07, 0x48, 0x6a, 0xc8, 0xd4, 0xb3, 0x20, 0xe1, 0x98, 0xee, 0xff, 0x5a,  \
+    0x6f, 0x30, 0x7a, 0xa5, 0x47, 0x40, 0xdc, 0x16, 0x62, 0x42, 0xf1, 0x2c,  \
+    0xdc, 0xb8, 0xc7, 0x55, 0xde, 0x07, 0x3c, 0x9d, 0xb1, 0xd0, 0xdf, 0x02,  \
+    0x82, 0xb0, 0x48, 0x58, 0xe1, 0x34, 0xab, 0xcf, 0xb4, 0x85, 0x23, 0x26,  \
+    0x78, 0x4f, 0x7a, 0x59, 0x6f, 0xfb, 0x8c, 0x3d, 0xdf, 0x3d, 0x6c, 0x02,  \
+    0x47, 0x9c, 0xe5, 0x5e, 0x49, 0xf1, 0x05, 0x0b, 0x1f, 0xbf, 0x48, 0x0f,  \
+    0xdc, 0x10, 0xb9, 0x3d, 0x1d, 0x10, 0x77, 0x2a, 0x73, 0xf9, 0xdf, 0xbd,  \
+    0xcd, 0xf3, 0x1f, 0xeb, 0x6e, 0x64, 0xca, 0x2b, 0x78, 0x4f, 0xf8, 0x73,  \
+    0xc2, 0x10, 0xef, 0x79, 0x95, 0x33, 0x1e, 0x79, 0x35, 0x09, 0xff, 0x88,  \
+    0x1b, 0xb4, 0x3e, 0x4c, 0xe1, 0x27, 0x2e, 0x75, 0x80, 0x58, 0x11, 0x03,  \
+    0x21, 0x23, 0x96, 0x9a, 0xb5, 0x02, 0x81, 0x80, 0x05, 0x12, 0x64, 0x71,  \
+    0x83, 0x00, 0x1c, 0xfe, 0xef, 0x83, 0xea, 0xdd, 0x2c, 0xc8, 0x2c, 0x00,  \
+    0x62, 0x1e, 0x8f, 0x3a, 0xdb, 0x1c, 0xab, 0xd6, 0x34, 0x8b, 0xd1, 0xb2,  \
+    0x5a, 0x4f, 0x3d, 0x37, 0x38, 0x02, 0xe0, 0xd7, 0x70, 0xc1, 0xb0, 0x47,  \
+    0xe0, 0x08, 0x1a, 0x84, 0xec, 0x48, 0xc5, 0x7c, 0x76, 0x83, 0x12, 0x67,  \
+    0xab, 0x7c, 0x9f, 0x90, 0x97, 0xc8, 0x8f, 0x07, 0xf4, 0xb3, 0x60, 0xf2,  \
+    0x3f, 0x49, 0x18, 0xdb, 0x2e, 0x94, 0x6b, 0x53, 0x9e, 0xa2, 0x63, 0xde,  \
+    0x63, 0xd9, 0xab, 0x21, 0x2e, 0x2d, 0x0a, 0xe0, 0xd0, 0xe8, 0xba, 0xc4,  \
+    0x4c, 0x1e, 0xa5, 0xf5, 0x51, 0xa8, 0xc4, 0x92, 0xf8, 0x7f, 0x21, 0xe7,  \
+    0x65, 0xbf, 0x0b, 0xe6, 0x01, 0xaf, 0x9c, 0x1d, 0x5b, 0x6c, 0x3f, 0x1c,  \
+    0x2f, 0xa6, 0x0f, 0x68, 0x38, 0x8e, 0x85, 0xc4, 0x6c, 0x78, 0x2f, 0x6f,  \
+    0x06, 0x21, 0x2e, 0x56                                                   \
+}
+/* END FILE */
+
+/*
+ * Test client Certificates
+ *
+ * Test client certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - hash type
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/cli2.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */
+#define TEST_CLI_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJTU0wgVGVzdCBFQyBDQTAe\r\n" \
+    "Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMEExCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEfMB0GA1UEAwwWUG9sYXJTU0wgVGVzdCBDbGllbnQg\r\n" \
+    "MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFflrrFz39Osu5O4gf8Sru7mU6zO\r\n" \
+    "VVP2NA7MLuNjJQvfmOLzXGA2lsDVGBRw5X+f1UtFGOWwbNVc+JaPh3Cj5MejTTBL\r\n" \
+    "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMB8GA1Ud\r\n" \
+    "IwQYMBaAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAwGCCqGSM49BAMCBQADaAAwZQIx\r\n" \
+    "AMqme4DKMldUlplDET9Q6Eptre7uUWKhsLOF+zPkKDlfzpIkJYEFgcloDHGYw80u\r\n" \
+    "IgIwNftyPXsabTqMM7iEHgVpX/GRozKklY9yQI/5eoA6gGW7Y+imuGR/oao5ySOb\r\n" \
+    "a9Vk\r\n"       \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli2.crt.der */
+#define TEST_CLI_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x01, 0xdf, 0x30, 0x82, 0x01, 0x63, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x0d, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e,  \
+    0x17, 0x0d, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34,  \
+    0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31,  \
+    0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x30, 0x41, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x0c, 0x16, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,  \
+    0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,  \
+    0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae, 0xb1, 0x73, 0xdf, 0xd3, 0xac,  \
+    0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae, 0xee, 0xe6, 0x53, 0xac, 0xce,  \
+    0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e, 0xe3, 0x63, 0x25, 0x0b, 0xdf,  \
+    0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96, 0xc0, 0xd5, 0x18, 0x14, 0x70,  \
+    0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18, 0xe5, 0xb0, 0x6c, 0xd5, 0x5c,  \
+    0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4, 0xc7, 0xa3, 0x4d, 0x30, 0x4b,  \
+    0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,  \
+    0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7a, 0x00,  \
+    0x5f, 0x86, 0x64, 0xfc, 0xe0, 0x5d, 0xe5, 0x11, 0x10, 0x3b, 0xb2, 0xe6,  \
+    0x3b, 0xc4, 0x26, 0x3f, 0xcf, 0xe2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,  \
+    0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49,  \
+    0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb,  \
+    0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x31,  \
+    0x00, 0xca, 0xa6, 0x7b, 0x80, 0xca, 0x32, 0x57, 0x54, 0x96, 0x99, 0x43,  \
+    0x11, 0x3f, 0x50, 0xe8, 0x4a, 0x6d, 0xad, 0xee, 0xee, 0x51, 0x62, 0xa1,  \
+    0xb0, 0xb3, 0x85, 0xfb, 0x33, 0xe4, 0x28, 0x39, 0x5f, 0xce, 0x92, 0x24,  \
+    0x25, 0x81, 0x05, 0x81, 0xc9, 0x68, 0x0c, 0x71, 0x98, 0xc3, 0xcd, 0x2e,  \
+    0x22, 0x02, 0x30, 0x35, 0xfb, 0x72, 0x3d, 0x7b, 0x1a, 0x6d, 0x3a, 0x8c,  \
+    0x33, 0xb8, 0x84, 0x1e, 0x05, 0x69, 0x5f, 0xf1, 0x91, 0xa3, 0x32, 0xa4,  \
+    0x95, 0x8f, 0x72, 0x40, 0x8f, 0xf9, 0x7a, 0x80, 0x3a, 0x80, 0x65, 0xbb,  \
+    0x63, 0xe8, 0xa6, 0xb8, 0x64, 0x7f, 0xa1, 0xaa, 0x39, 0xc9, 0x23, 0x9b,  \
+    0x6b, 0xd5, 0x64                           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli2.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli2.key */
+#define TEST_CLI_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
+    "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli2.key.der */
+#define TEST_CLI_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1,  \
+    0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0,  \
+    0x05, 0xff, 0x96, 0x22, 0x8a, 0x7a, 0x84, 0x38, 0x64, 0x17, 0x32, 0x61,  \
+    0x98, 0xb7, 0x2a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae,  \
+    0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae,  \
+    0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e,  \
+    0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96,  \
+    0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18,  \
+    0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4,  \
+    0xc7                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa-sha256.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */
+#define TEST_CLI_CRT_RSA_PEM                                               \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n" \
+    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n" \
+    "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n" \
+    "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n" \
+    "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n" \
+    "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n" \
+    "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n" \
+    "o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n" \
+    "BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+    "AQEAXidv1d4pLlBiKWED95rMycBdgDcgyNqJxakFkRfRyA2y1mlyTn7uBXRkNLY5\r\n" \
+    "ZFzK82GCjk2Q2OD4RZSCPAJJqLpHHU34t71ciffvy2KK81YvrxczRhMAE64i+qna\r\n" \
+    "yP3Td2XuWJR05PVPoSemsNELs9gWttdnYy3ce+EY2Y0n7Rsi7982EeLIAA7H6ca4\r\n" \
+    "2Es/NUH//JZJT32OP0doMxeDRA+vplkKqTLLWf7dX26LIriBkBaRCgR5Yv9LBPFc\r\n" \
+    "NOtpzu/LbrY7QFXKJMI+JXDudCsOn8KCmiA4d6Emisqfh3V3485l7HEQNcvLTxlD\r\n" \
+    "6zDQyi0/ykYUYZkwQTK1N2Nvlw==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa-sha256.crt.der
+   using `xxd -i.` */
+/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER tests/data_files/cli-rsa-sha256.crt.der */
+#define TEST_CLI_CRT_RSA_DER {                                               \
+  0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01,   \
+  0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,   \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,   \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,   \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,   \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,   \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,   \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,   \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,   \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,   \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x3c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,   \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,   \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,   \
+  0x53, 0x4c, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,   \
+  0x11, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x6c,   \
+  0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,   \
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,   \
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,   \
+  0x01, 0x01, 0x00, 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9,   \
+  0x45, 0xd9, 0x14, 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f,   \
+  0x33, 0xad, 0x0d, 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9,   \
+  0xcc, 0x66, 0x85, 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63,   \
+  0x9e, 0x0a, 0x6e, 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10,   \
+  0x93, 0x86, 0x49, 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e,   \
+  0xd4, 0x2f, 0x77, 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95,   \
+  0x48, 0x70, 0xf5, 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed,   \
+  0xe6, 0x43, 0xea, 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4,   \
+  0x57, 0x4e, 0xa9, 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30,   \
+  0x32, 0x30, 0xd5, 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2,   \
+  0x5f, 0xf9, 0x3d, 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d,   \
+  0xfb, 0xe5, 0x0c, 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2,   \
+  0x7f, 0xca, 0xad, 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f,   \
+  0xe0, 0x9b, 0xf8, 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34,   \
+  0x04, 0x66, 0xc7, 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a,   \
+  0x06, 0x67, 0xf4, 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe,   \
+  0x3c, 0x8b, 0x35, 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f,   \
+  0xfc, 0x36, 0x6b, 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d,   \
+  0x00, 0xcf, 0xaf, 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4,   \
+  0xe7, 0x50, 0x71, 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8,   \
+  0xe4, 0xc4, 0xfd, 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01,   \
+  0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,   \
+  0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,   \
+  0x04, 0x14, 0x71, 0xa1, 0x00, 0x73, 0x72, 0x40, 0x2f, 0x54, 0x76, 0x5e,   \
+  0x33, 0xfc, 0x52, 0x8f, 0xbc, 0xf1, 0xdd, 0x6b, 0x46, 0x21, 0x30, 0x1f,   \
+  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb4,   \
+  0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, 0xa6, 0x95,   \
+  0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a,   \
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,   \
+  0x01, 0x01, 0x00, 0x5e, 0x27, 0x6f, 0xd5, 0xde, 0x29, 0x2e, 0x50, 0x62,   \
+  0x29, 0x61, 0x03, 0xf7, 0x9a, 0xcc, 0xc9, 0xc0, 0x5d, 0x80, 0x37, 0x20,   \
+  0xc8, 0xda, 0x89, 0xc5, 0xa9, 0x05, 0x91, 0x17, 0xd1, 0xc8, 0x0d, 0xb2,   \
+  0xd6, 0x69, 0x72, 0x4e, 0x7e, 0xee, 0x05, 0x74, 0x64, 0x34, 0xb6, 0x39,   \
+  0x64, 0x5c, 0xca, 0xf3, 0x61, 0x82, 0x8e, 0x4d, 0x90, 0xd8, 0xe0, 0xf8,   \
+  0x45, 0x94, 0x82, 0x3c, 0x02, 0x49, 0xa8, 0xba, 0x47, 0x1d, 0x4d, 0xf8,   \
+  0xb7, 0xbd, 0x5c, 0x89, 0xf7, 0xef, 0xcb, 0x62, 0x8a, 0xf3, 0x56, 0x2f,   \
+  0xaf, 0x17, 0x33, 0x46, 0x13, 0x00, 0x13, 0xae, 0x22, 0xfa, 0xa9, 0xda,   \
+  0xc8, 0xfd, 0xd3, 0x77, 0x65, 0xee, 0x58, 0x94, 0x74, 0xe4, 0xf5, 0x4f,   \
+  0xa1, 0x27, 0xa6, 0xb0, 0xd1, 0x0b, 0xb3, 0xd8, 0x16, 0xb6, 0xd7, 0x67,   \
+  0x63, 0x2d, 0xdc, 0x7b, 0xe1, 0x18, 0xd9, 0x8d, 0x27, 0xed, 0x1b, 0x22,   \
+  0xef, 0xdf, 0x36, 0x11, 0xe2, 0xc8, 0x00, 0x0e, 0xc7, 0xe9, 0xc6, 0xb8,   \
+  0xd8, 0x4b, 0x3f, 0x35, 0x41, 0xff, 0xfc, 0x96, 0x49, 0x4f, 0x7d, 0x8e,   \
+  0x3f, 0x47, 0x68, 0x33, 0x17, 0x83, 0x44, 0x0f, 0xaf, 0xa6, 0x59, 0x0a,   \
+  0xa9, 0x32, 0xcb, 0x59, 0xfe, 0xdd, 0x5f, 0x6e, 0x8b, 0x22, 0xb8, 0x81,   \
+  0x90, 0x16, 0x91, 0x0a, 0x04, 0x79, 0x62, 0xff, 0x4b, 0x04, 0xf1, 0x5c,   \
+  0x34, 0xeb, 0x69, 0xce, 0xef, 0xcb, 0x6e, 0xb6, 0x3b, 0x40, 0x55, 0xca,   \
+  0x24, 0xc2, 0x3e, 0x25, 0x70, 0xee, 0x74, 0x2b, 0x0e, 0x9f, 0xc2, 0x82,   \
+  0x9a, 0x20, 0x38, 0x77, 0xa1, 0x26, 0x8a, 0xca, 0x9f, 0x87, 0x75, 0x77,   \
+  0xe3, 0xce, 0x65, 0xec, 0x71, 0x10, 0x35, 0xcb, 0xcb, 0x4f, 0x19, 0x43,   \
+  0xeb, 0x30, 0xd0, 0xca, 0x2d, 0x3f, 0xca, 0x46, 0x14, 0x61, 0x99, 0x30,   \
+  0x41, 0x32, 0xb5, 0x37, 0x63, 0x6f, 0x97                                  \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM tests/data_files/cli-rsa.key */
+#define TEST_CLI_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \
+    "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" \
+    "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n" \
+    "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n" \
+    "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n" \
+    "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n" \
+    "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n" \
+    "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n" \
+    "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n" \
+    "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n" \
+    "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n" \
+    "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n" \
+    "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n" \
+    "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n" \
+    "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n" \
+    "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n" \
+    "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n" \
+    "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n" \
+    "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n" \
+    "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n" \
+    "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n" \
+    "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n" \
+    "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n" \
+    "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" \
+    "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER tests/data_files/cli-rsa.key.der */
+#define TEST_CLI_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14,  \
+    0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, 0x33, 0xad, 0x0d,  \
+    0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, 0xcc, 0x66, 0x85,  \
+    0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, 0x9e, 0x0a, 0x6e,  \
+    0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, 0x93, 0x86, 0x49,  \
+    0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, 0xd4, 0x2f, 0x77,  \
+    0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, 0x48, 0x70, 0xf5,  \
+    0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, 0xe6, 0x43, 0xea,  \
+    0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, 0x57, 0x4e, 0xa9,  \
+    0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, 0x32, 0x30, 0xd5,  \
+    0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, 0x5f, 0xf9, 0x3d,  \
+    0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, 0xfb, 0xe5, 0x0c,  \
+    0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, 0x7f, 0xca, 0xad,  \
+    0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, 0xe0, 0x9b, 0xf8,  \
+    0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, 0x04, 0x66, 0xc7,  \
+    0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, 0x06, 0x67, 0xf4,  \
+    0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, 0x3c, 0x8b, 0x35,  \
+    0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, 0xfc, 0x36, 0x6b,  \
+    0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, 0x00, 0xcf, 0xaf,  \
+    0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, 0xe7, 0x50, 0x71,  \
+    0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, 0xe4, 0xc4, 0xfd,  \
+    0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x67, 0x4d, 0xb5, 0xf6, 0x03, 0x89, 0xaa, 0x7a, 0x6f, 0x3b, 0x2d,  \
+    0xca, 0x10, 0xa2, 0x23, 0xc9, 0xbd, 0x4e, 0xda, 0xe1, 0x67, 0x0e, 0x0c,  \
+    0x8a, 0xc6, 0x84, 0x68, 0xdf, 0xe5, 0x97, 0x75, 0xd2, 0x8d, 0xa3, 0x86,  \
+    0xd9, 0xdb, 0xd5, 0xeb, 0x13, 0x19, 0x08, 0xc5, 0x7e, 0xe5, 0x37, 0x97,  \
+    0x0c, 0x73, 0x80, 0x66, 0x76, 0x35, 0xf1, 0x88, 0xb5, 0xf2, 0xfc, 0xf3,  \
+    0xe1, 0x4b, 0x76, 0x4e, 0x73, 0x45, 0xce, 0x2c, 0xc2, 0x10, 0x26, 0x0d,  \
+    0x68, 0x0d, 0x9f, 0x49, 0x3d, 0xd6, 0x80, 0x89, 0xe7, 0xc5, 0x49, 0x15,  \
+    0xdd, 0x85, 0xc0, 0xc8, 0xfe, 0x82, 0x37, 0x12, 0x5a, 0x0a, 0x6b, 0xf6,  \
+    0x68, 0x0d, 0x32, 0x16, 0xbd, 0xa4, 0x15, 0x54, 0x9e, 0x68, 0xa1, 0xad,  \
+    0xca, 0x6b, 0xe5, 0x8c, 0xda, 0x76, 0x35, 0x59, 0x2f, 0x9b, 0xb4, 0xe1,  \
+    0xf1, 0xf0, 0x50, 0x04, 0xee, 0xc8, 0xec, 0x05, 0xe1, 0xcf, 0x8d, 0xe4,  \
+    0xd2, 0x64, 0x7b, 0x5e, 0x63, 0xe0, 0x7b, 0x07, 0xbc, 0x02, 0x96, 0x4e,  \
+    0x1b, 0x78, 0x6c, 0xb6, 0x43, 0x9a, 0x32, 0xf6, 0xd6, 0x02, 0xf5, 0x80,  \
+    0xcc, 0x26, 0x6e, 0xa5, 0xd0, 0xe3, 0x65, 0x88, 0xce, 0x26, 0xa9, 0x40,  \
+    0xe1, 0xe1, 0x00, 0xe0, 0x7f, 0x3f, 0xc3, 0xb1, 0x7c, 0xde, 0xbe, 0x42,  \
+    0xba, 0x07, 0x81, 0x13, 0xc2, 0xe0, 0x11, 0x11, 0x23, 0x2c, 0xf8, 0xb2,  \
+    0x7a, 0x3a, 0xd4, 0xe4, 0x7d, 0x5f, 0xb9, 0xb1, 0x18, 0xfa, 0x1d, 0x1d,  \
+    0x97, 0x91, 0xd9, 0x04, 0x9e, 0xbc, 0xc9, 0xb4, 0xd7, 0x7d, 0x0e, 0x54,  \
+    0xf6, 0x8f, 0xd0, 0x28, 0x0d, 0xdd, 0x77, 0x4b, 0x68, 0x04, 0x48, 0x61,  \
+    0x75, 0x15, 0x03, 0x1b, 0x35, 0xad, 0x8e, 0xfc, 0x24, 0x11, 0x07, 0xea,  \
+    0x17, 0x5a, 0xde, 0x19, 0x68, 0xff, 0xb6, 0x87, 0x7f, 0x80, 0x2a, 0x5f,  \
+    0x0c, 0x58, 0xba, 0x5f, 0x41, 0x02, 0x81, 0x81, 0x00, 0xe3, 0x03, 0xaf,  \
+    0xfe, 0x98, 0xd2, 0x0b, 0x7b, 0x72, 0xe9, 0x3b, 0x8e, 0xbc, 0xa5, 0xf6,  \
+    0xac, 0xe5, 0x22, 0x06, 0xb2, 0xd7, 0x5e, 0xfd, 0x89, 0x4b, 0x16, 0x67,  \
+    0x32, 0x83, 0x22, 0x58, 0x8e, 0x62, 0xa4, 0xb4, 0x2d, 0xf9, 0x16, 0x13,  \
+    0x54, 0xf6, 0x9f, 0x2f, 0xf9, 0xbb, 0x0e, 0x7e, 0x8c, 0x6f, 0x08, 0xda,  \
+    0xc8, 0xe9, 0x1c, 0x66, 0x10, 0x70, 0x93, 0x90, 0x8d, 0xcf, 0x90, 0x3a,  \
+    0x43, 0x89, 0x49, 0xeb, 0x83, 0x2a, 0xfe, 0x5a, 0x87, 0xce, 0x74, 0x42,  \
+    0x41, 0x0d, 0x8c, 0x73, 0x51, 0xbc, 0x7b, 0x20, 0xc5, 0xfd, 0xf6, 0x0b,  \
+    0x65, 0xed, 0xa9, 0x2e, 0xfc, 0x0f, 0xf5, 0x50, 0xf9, 0x8d, 0x37, 0x36,  \
+    0x9a, 0x20, 0xdf, 0xc3, 0xe3, 0x27, 0xbc, 0x98, 0x72, 0xc1, 0x14, 0x4b,  \
+    0x71, 0xe9, 0x83, 0x14, 0xff, 0x24, 0xe2, 0x14, 0x15, 0xb6, 0x6f, 0x0f,  \
+    0x32, 0x9d, 0xd9, 0x98, 0xd1, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x0c, 0xfb,  \
+    0xc3, 0x33, 0x9b, 0x47, 0x88, 0x27, 0xf2, 0x26, 0xde, 0xeb, 0x5e, 0xee,  \
+    0x40, 0xf6, 0x63, 0x5b, 0x35, 0x23, 0xf5, 0xd5, 0x07, 0x61, 0xdf, 0xa2,  \
+    0x9f, 0x58, 0x30, 0x04, 0x22, 0x2b, 0xb4, 0xd9, 0xda, 0x46, 0x7f, 0x48,  \
+    0xf5, 0x4f, 0xd0, 0xea, 0xd7, 0xa0, 0x45, 0x8a, 0x62, 0x8b, 0x8c, 0xac,  \
+    0x73, 0x5e, 0xfa, 0x36, 0x65, 0x3e, 0xba, 0x6c, 0xba, 0x5e, 0x6b, 0x92,  \
+    0x29, 0x5e, 0x6a, 0x0f, 0xd6, 0xd2, 0xa5, 0x95, 0x86, 0xda, 0x72, 0xc5,  \
+    0x9e, 0xc9, 0x6b, 0x37, 0x5e, 0x4b, 0x9b, 0x77, 0xe1, 0x67, 0x1a, 0x1e,  \
+    0x30, 0xd8, 0x41, 0x68, 0x40, 0xd3, 0x9c, 0xb4, 0xf6, 0xeb, 0x2a, 0x22,  \
+    0xdf, 0x78, 0x29, 0xd2, 0x64, 0x92, 0x5b, 0x2f, 0x78, 0x64, 0x4a, 0xa2,  \
+    0xa6, 0x6b, 0x3e, 0x50, 0xb1, 0x7a, 0xb1, 0x8d, 0x59, 0xb4, 0x55, 0xba,  \
+    0xb6, 0x91, 0x85, 0xa3, 0x2f, 0x02, 0x81, 0x80, 0x10, 0x1e, 0x19, 0xe7,  \
+    0xbc, 0x97, 0xe5, 0x22, 0xcd, 0xa4, 0xcb, 0x8a, 0xb5, 0xd0, 0x1e, 0xb4,  \
+    0x65, 0xcc, 0x45, 0xa7, 0x7a, 0xed, 0x0e, 0x99, 0x29, 0xd0, 0x9c, 0x61,  \
+    0x14, 0xb8, 0x62, 0x8b, 0x31, 0x6b, 0xba, 0x33, 0x2d, 0x65, 0x28, 0xd8,  \
+    0x36, 0x6e, 0x54, 0xec, 0xa9, 0x20, 0x3d, 0x51, 0xe1, 0x2c, 0x42, 0xc4,  \
+    0x52, 0xf0, 0xa6, 0x3a, 0x72, 0x93, 0xb7, 0x86, 0xa9, 0xfe, 0xf6, 0x74,  \
+    0x07, 0x12, 0x4d, 0x7b, 0x51, 0x99, 0x1f, 0x7a, 0x56, 0xe9, 0x20, 0x2f,  \
+    0x18, 0x34, 0x29, 0x97, 0xdb, 0x06, 0xee, 0xeb, 0xbf, 0xbd, 0x31, 0x4f,  \
+    0xfa, 0x50, 0xb1, 0xba, 0x49, 0xb3, 0xc4, 0x1d, 0x03, 0xae, 0xb0, 0xdc,  \
+    0xbe, 0x8a, 0xc4, 0x90, 0xa3, 0x28, 0x9b, 0xb6, 0x42, 0x09, 0x1b, 0xd6,  \
+    0x29, 0x9b, 0x19, 0xe9, 0x87, 0x87, 0xd9, 0x9f, 0x35, 0x05, 0xab, 0x91,  \
+    0x8f, 0x6d, 0x7c, 0x91, 0x02, 0x81, 0x81, 0x00, 0x94, 0x57, 0xf0, 0xe0,  \
+    0x28, 0xfd, 0xbd, 0xf3, 0x9c, 0x43, 0x4d, 0x3e, 0xfd, 0x37, 0x4f, 0x23,  \
+    0x52, 0x8d, 0xe1, 0x4c, 0xfe, 0x4c, 0x55, 0x80, 0x82, 0xba, 0x3f, 0xfe,  \
+    0x51, 0xe1, 0x30, 0xd5, 0x3b, 0xd9, 0x73, 0x1d, 0xcb, 0x25, 0xbc, 0xbb,  \
+    0x3f, 0xa5, 0xda, 0x77, 0xa6, 0xb5, 0xfc, 0x1a, 0xaf, 0x79, 0xa1, 0xb2,  \
+    0x14, 0xa2, 0x1f, 0x10, 0x52, 0x1a, 0x05, 0x40, 0x48, 0xb6, 0x4f, 0x34,  \
+    0xd6, 0xc0, 0xc3, 0xa4, 0x36, 0x98, 0x73, 0x88, 0x0b, 0xd3, 0x45, 0xdc,  \
+    0xee, 0x51, 0x6e, 0x04, 0x73, 0x99, 0x93, 0x12, 0x58, 0x96, 0xcb, 0x39,  \
+    0x42, 0xb1, 0xa9, 0xb8, 0xe1, 0x25, 0xf5, 0x9c, 0x14, 0xb7, 0x92, 0x2b,  \
+    0x14, 0xb0, 0x5d, 0x61, 0xa2, 0xaa, 0x34, 0x7c, 0xcd, 0x54, 0x2d, 0x69,  \
+    0x08, 0xf7, 0xdb, 0xfc, 0x9c, 0x87, 0xe8, 0x3a, 0xf6, 0x1d, 0x4c, 0x6a,  \
+    0x83, 0x15, 0x30, 0x01, 0x02, 0x81, 0x81, 0x00, 0x9c, 0x53, 0xa1, 0xb6,  \
+    0x2f, 0xc0, 0x06, 0xf5, 0xdf, 0x5c, 0xd1, 0x4a, 0x4e, 0xc8, 0xbd, 0x6d,  \
+    0x32, 0xf1, 0x5e, 0xe5, 0x3b, 0x70, 0xd0, 0xa8, 0xe5, 0x41, 0x57, 0x6c,  \
+    0x87, 0x53, 0x0f, 0xeb, 0x28, 0xa0, 0x62, 0x8f, 0x43, 0x62, 0xec, 0x2e,  \
+    0x6c, 0x71, 0x55, 0x5b, 0x6a, 0xf4, 0x74, 0x14, 0xea, 0x7a, 0x03, 0xf6,  \
+    0xfc, 0xa4, 0xce, 0xc4, 0xac, 0xda, 0x1d, 0xf0, 0xb5, 0xa9, 0xfd, 0x11,  \
+    0x18, 0x3b, 0x14, 0xa0, 0x90, 0x8d, 0x26, 0xb7, 0x75, 0x73, 0x0a, 0x02,  \
+    0x2c, 0x6f, 0x0f, 0xd8, 0x41, 0x78, 0xc3, 0x73, 0x81, 0xac, 0xaa, 0xaf,  \
+    0xf2, 0xee, 0x32, 0xb5, 0x8d, 0x05, 0xf9, 0x59, 0x5a, 0x9e, 0x3e, 0x65,  \
+    0x9b, 0x74, 0xda, 0xa0, 0x74, 0x95, 0x17, 0x5f, 0x8d, 0x58, 0xfc, 0x8e,  \
+    0x4e, 0x2c, 0x1e, 0xbc, 0x81, 0x02, 0x18, 0xac, 0x12, 0xc6, 0xf9, 0x64,  \
+    0x8b, 0x87, 0xc3, 0x00                                                   \
+}
+/* END FILE */
+
+/*
+ *
+ * Test certificates and keys as C variables
+ *
+ */
+
+/*
+ * CA
+ */
+
+const char mbedtls_test_ca_crt_ec_pem[]           = TEST_CA_CRT_EC_PEM;
+const char mbedtls_test_ca_key_ec_pem[]           = TEST_CA_KEY_EC_PEM;
+const char mbedtls_test_ca_pwd_ec_pem[]           = TEST_CA_PWD_EC_PEM;
+const char mbedtls_test_ca_key_rsa_pem[]          = TEST_CA_KEY_RSA_PEM;
+const char mbedtls_test_ca_pwd_rsa_pem[]          = TEST_CA_PWD_RSA_PEM;
+const char mbedtls_test_ca_crt_rsa_sha1_pem[]     = TEST_CA_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_ca_crt_rsa_sha256_pem[]   = TEST_CA_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_ca_crt_ec_der[]   = TEST_CA_CRT_EC_DER;
+const unsigned char mbedtls_test_ca_key_ec_der[]   = TEST_CA_KEY_EC_DER;
+const unsigned char mbedtls_test_ca_key_rsa_der[]  = TEST_CA_KEY_RSA_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[]   =
+    TEST_CA_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[] =
+    TEST_CA_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_ca_crt_ec_pem_len =
+    sizeof(mbedtls_test_ca_crt_ec_pem);
+const size_t mbedtls_test_ca_key_ec_pem_len =
+    sizeof(mbedtls_test_ca_key_ec_pem);
+const size_t mbedtls_test_ca_pwd_ec_pem_len =
+    sizeof(mbedtls_test_ca_pwd_ec_pem) - 1;
+const size_t mbedtls_test_ca_key_rsa_pem_len =
+    sizeof(mbedtls_test_ca_key_rsa_pem);
+const size_t mbedtls_test_ca_pwd_rsa_pem_len =
+    sizeof(mbedtls_test_ca_pwd_rsa_pem) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha1_pem);
+const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha256_pem);
+
+const size_t mbedtls_test_ca_crt_ec_der_len =
+    sizeof(mbedtls_test_ca_crt_ec_der);
+const size_t mbedtls_test_ca_key_ec_der_len =
+    sizeof(mbedtls_test_ca_key_ec_der);
+const size_t mbedtls_test_ca_pwd_ec_der_len = 0;
+const size_t mbedtls_test_ca_key_rsa_der_len =
+    sizeof(mbedtls_test_ca_key_rsa_der);
+const size_t mbedtls_test_ca_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_ca_crt_rsa_sha1_der_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha1_der);
+const size_t mbedtls_test_ca_crt_rsa_sha256_der_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha256_der);
+
+/*
+ * Server
+ */
+
+const char mbedtls_test_srv_crt_ec_pem[]           = TEST_SRV_CRT_EC_PEM;
+const char mbedtls_test_srv_key_ec_pem[]           = TEST_SRV_KEY_EC_PEM;
+const char mbedtls_test_srv_pwd_ec_pem[]           = "";
+const char mbedtls_test_srv_key_rsa_pem[]          = TEST_SRV_KEY_RSA_PEM;
+const char mbedtls_test_srv_pwd_rsa_pem[]          = "";
+const char mbedtls_test_srv_crt_rsa_sha1_pem[]     = TEST_SRV_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_srv_crt_rsa_sha256_pem[]   = TEST_SRV_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_srv_crt_ec_der[]   = TEST_SRV_CRT_EC_DER;
+const unsigned char mbedtls_test_srv_key_ec_der[]   = TEST_SRV_KEY_EC_DER;
+const unsigned char mbedtls_test_srv_key_rsa_der[]  = TEST_SRV_KEY_RSA_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[]   =
+    TEST_SRV_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[] =
+    TEST_SRV_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_srv_crt_ec_pem_len =
+    sizeof(mbedtls_test_srv_crt_ec_pem);
+const size_t mbedtls_test_srv_key_ec_pem_len =
+    sizeof(mbedtls_test_srv_key_ec_pem);
+const size_t mbedtls_test_srv_pwd_ec_pem_len =
+    sizeof(mbedtls_test_srv_pwd_ec_pem) - 1;
+const size_t mbedtls_test_srv_key_rsa_pem_len =
+    sizeof(mbedtls_test_srv_key_rsa_pem);
+const size_t mbedtls_test_srv_pwd_rsa_pem_len =
+    sizeof(mbedtls_test_srv_pwd_rsa_pem) - 1;
+const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha1_pem);
+const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha256_pem);
+
+const size_t mbedtls_test_srv_crt_ec_der_len =
+    sizeof(mbedtls_test_srv_crt_ec_der);
+const size_t mbedtls_test_srv_key_ec_der_len =
+    sizeof(mbedtls_test_srv_key_ec_der);
+const size_t mbedtls_test_srv_pwd_ec_der_len = 0;
+const size_t mbedtls_test_srv_key_rsa_der_len =
+    sizeof(mbedtls_test_srv_key_rsa_der);
+const size_t mbedtls_test_srv_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_srv_crt_rsa_sha1_der_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha1_der);
+const size_t mbedtls_test_srv_crt_rsa_sha256_der_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha256_der);
+
+/*
+ * Client
+ */
+
+const char mbedtls_test_cli_crt_ec_pem[]   = TEST_CLI_CRT_EC_PEM;
+const char mbedtls_test_cli_key_ec_pem[]   = TEST_CLI_KEY_EC_PEM;
+const char mbedtls_test_cli_pwd_ec_pem[]   = "";
+const char mbedtls_test_cli_key_rsa_pem[]  = TEST_CLI_KEY_RSA_PEM;
+const char mbedtls_test_cli_pwd_rsa_pem[]  = "";
+const char mbedtls_test_cli_crt_rsa_pem[]  = TEST_CLI_CRT_RSA_PEM;
+
+const unsigned char mbedtls_test_cli_crt_ec_der[]   = TEST_CLI_CRT_EC_DER;
+const unsigned char mbedtls_test_cli_key_ec_der[]   = TEST_CLI_KEY_EC_DER;
+const unsigned char mbedtls_test_cli_key_rsa_der[]  = TEST_CLI_KEY_RSA_DER;
+const unsigned char mbedtls_test_cli_crt_rsa_der[]  = TEST_CLI_CRT_RSA_DER;
+
+const size_t mbedtls_test_cli_crt_ec_pem_len =
+    sizeof(mbedtls_test_cli_crt_ec_pem);
+const size_t mbedtls_test_cli_key_ec_pem_len =
+    sizeof(mbedtls_test_cli_key_ec_pem);
+const size_t mbedtls_test_cli_pwd_ec_pem_len =
+    sizeof(mbedtls_test_cli_pwd_ec_pem) - 1;
+const size_t mbedtls_test_cli_key_rsa_pem_len =
+    sizeof(mbedtls_test_cli_key_rsa_pem);
+const size_t mbedtls_test_cli_pwd_rsa_pem_len =
+    sizeof(mbedtls_test_cli_pwd_rsa_pem) - 1;
+const size_t mbedtls_test_cli_crt_rsa_pem_len =
+    sizeof(mbedtls_test_cli_crt_rsa_pem);
+
+const size_t mbedtls_test_cli_crt_ec_der_len =
+    sizeof(mbedtls_test_cli_crt_ec_der);
+const size_t mbedtls_test_cli_key_ec_der_len =
+    sizeof(mbedtls_test_cli_key_ec_der);
+const size_t mbedtls_test_cli_key_rsa_der_len =
+    sizeof(mbedtls_test_cli_key_rsa_der);
+const size_t mbedtls_test_cli_crt_rsa_der_len =
+    sizeof(mbedtls_test_cli_crt_rsa_der);
+
+/*
+ *
+ * Definitions of test CRTs without specification of all parameters, choosing
+ * them automatically according to the config. For example, mbedtls_test_ca_crt
+ * is one of mbedtls_test_ca_crt_{rsa|ec}_{sha1|sha256}_{pem|der}.
+ *
+ */
+
+/*
+ * Dispatch between PEM and DER according to config
+ */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+
+/* PEM encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_PEM
+#define TEST_CA_PWD_RSA        TEST_CA_PWD_RSA_PEM
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_PEM
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_PEM
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_PEM
+#define TEST_CA_PWD_EC         TEST_CA_PWD_EC_PEM
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_PEM
+
+/* PEM encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_PEM
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_PEM
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_PEM
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_PEM
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_PEM
+
+/* PEM encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_PEM
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_PEM
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_PEM
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_PEM
+
+#else /* MBEDTLS_PEM_PARSE_C */
+
+/* DER encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_DER
+#define TEST_CA_PWD_RSA        ""
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_DER
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_DER
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_DER
+#define TEST_CA_PWD_EC         ""
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_DER
+
+/* DER encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_DER
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_DER
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_DER
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_DER
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_DER
+
+/* DER encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_DER
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_DER
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_DER
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_DER
+
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+const char mbedtls_test_ca_key_rsa[]         = TEST_CA_KEY_RSA;
+const char mbedtls_test_ca_pwd_rsa[]         = TEST_CA_PWD_RSA;
+const char mbedtls_test_ca_crt_rsa_sha256[]  = TEST_CA_CRT_RSA_SHA256;
+const char mbedtls_test_ca_crt_rsa_sha1[]    = TEST_CA_CRT_RSA_SHA1;
+const char mbedtls_test_ca_key_ec[]          = TEST_CA_KEY_EC;
+const char mbedtls_test_ca_pwd_ec[]          = TEST_CA_PWD_EC;
+const char mbedtls_test_ca_crt_ec[]          = TEST_CA_CRT_EC;
+
+const char mbedtls_test_srv_key_rsa[]        = TEST_SRV_KEY_RSA;
+const char mbedtls_test_srv_pwd_rsa[]        = TEST_SRV_PWD_RSA;
+const char mbedtls_test_srv_crt_rsa_sha256[] = TEST_SRV_CRT_RSA_SHA256;
+const char mbedtls_test_srv_crt_rsa_sha1[]   = TEST_SRV_CRT_RSA_SHA1;
+const char mbedtls_test_srv_key_ec[]         = TEST_SRV_KEY_EC;
+const char mbedtls_test_srv_pwd_ec[]         = TEST_SRV_PWD_EC;
+const char mbedtls_test_srv_crt_ec[]         = TEST_SRV_CRT_EC;
+
+const char mbedtls_test_cli_key_rsa[]        = TEST_CLI_KEY_RSA;
+const char mbedtls_test_cli_pwd_rsa[]        = TEST_CLI_PWD_RSA;
+const char mbedtls_test_cli_crt_rsa[]        = TEST_CLI_CRT_RSA;
+const char mbedtls_test_cli_key_ec[]         = TEST_CLI_KEY_EC;
+const char mbedtls_test_cli_pwd_ec[]         = TEST_CLI_PWD_EC;
+const char mbedtls_test_cli_crt_ec[]         = TEST_CLI_CRT_EC;
+
+const size_t mbedtls_test_ca_key_rsa_len =
+    sizeof(mbedtls_test_ca_key_rsa);
+const size_t mbedtls_test_ca_pwd_rsa_len =
+    sizeof(mbedtls_test_ca_pwd_rsa) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha256_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha256);
+const size_t mbedtls_test_ca_crt_rsa_sha1_len =
+    sizeof(mbedtls_test_ca_crt_rsa_sha1);
+const size_t mbedtls_test_ca_key_ec_len =
+    sizeof(mbedtls_test_ca_key_ec);
+const size_t mbedtls_test_ca_pwd_ec_len =
+    sizeof(mbedtls_test_ca_pwd_ec) - 1;
+const size_t mbedtls_test_ca_crt_ec_len =
+    sizeof(mbedtls_test_ca_crt_ec);
+
+const size_t mbedtls_test_srv_key_rsa_len =
+    sizeof(mbedtls_test_srv_key_rsa);
+const size_t mbedtls_test_srv_pwd_rsa_len =
+    sizeof(mbedtls_test_srv_pwd_rsa) - 1;
+const size_t mbedtls_test_srv_crt_rsa_sha256_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha256);
+const size_t mbedtls_test_srv_crt_rsa_sha1_len =
+    sizeof(mbedtls_test_srv_crt_rsa_sha1);
+const size_t mbedtls_test_srv_key_ec_len =
+    sizeof(mbedtls_test_srv_key_ec);
+const size_t mbedtls_test_srv_pwd_ec_len =
+    sizeof(mbedtls_test_srv_pwd_ec) - 1;
+const size_t mbedtls_test_srv_crt_ec_len =
+    sizeof(mbedtls_test_srv_crt_ec);
+
+const size_t mbedtls_test_cli_key_rsa_len =
+    sizeof(mbedtls_test_cli_key_rsa);
+const size_t mbedtls_test_cli_pwd_rsa_len =
+    sizeof(mbedtls_test_cli_pwd_rsa) - 1;
+const size_t mbedtls_test_cli_crt_rsa_len =
+    sizeof(mbedtls_test_cli_crt_rsa);
+const size_t mbedtls_test_cli_key_ec_len =
+    sizeof(mbedtls_test_cli_key_ec);
+const size_t mbedtls_test_cli_pwd_ec_len =
+    sizeof(mbedtls_test_cli_pwd_ec) - 1;
+const size_t mbedtls_test_cli_crt_ec_len =
+    sizeof(mbedtls_test_cli_crt_ec);
+
+/*
+ * Dispatch between SHA-1 and SHA-256
+ */
+
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA256
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA256
+#else
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA1
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA1
+#endif /* MBEDTLS_SHA256_C */
+
+const char mbedtls_test_ca_crt_rsa[]  = TEST_CA_CRT_RSA;
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA;
+
+const size_t mbedtls_test_ca_crt_rsa_len =
+    sizeof(mbedtls_test_ca_crt_rsa);
+const size_t mbedtls_test_srv_crt_rsa_len =
+    sizeof(mbedtls_test_srv_crt_rsa);
+
+/*
+ * Dispatch between RSA and EC
+ */
 
 #if defined(MBEDTLS_RSA_C)
 
-#if defined(MBEDTLS_SHA256_C)
-#define TEST_CA_CRT_RSA_SHA256                                          \
-    "-----BEGIN CERTIFICATE-----\r\n"                                       \
-    "MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
-    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
-    "MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
-    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
-    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
-    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
-    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
-    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
-    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
-    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
-    "gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n"  \
-    "FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n"  \
-    "CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n"  \
-    "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n"  \
-    "4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n"  \
-    "XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n"  \
-    "G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n"  \
-    "ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n"  \
-    "n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n"      \
-    "-----END CERTIFICATE-----\r\n"
+#define TEST_CA_KEY TEST_CA_KEY_RSA
+#define TEST_CA_PWD TEST_CA_PWD_RSA
+#define TEST_CA_CRT TEST_CA_CRT_RSA
 
-const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA256;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof(mbedtls_test_ca_crt_rsa);
-#define TEST_CA_CRT_RSA_SOME
+#define TEST_SRV_KEY TEST_SRV_KEY_RSA
+#define TEST_SRV_PWD TEST_SRV_PWD_RSA
+#define TEST_SRV_CRT TEST_SRV_CRT_RSA
 
-static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
+#define TEST_CLI_KEY TEST_CLI_KEY_RSA
+#define TEST_CLI_PWD TEST_CLI_PWD_RSA
+#define TEST_CLI_CRT TEST_CLI_CRT_RSA
 
-#endif
+#else /* no RSA, so assume ECDSA */
 
-#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
-#define TEST_CA_CRT_RSA_SHA1                                            \
-    "-----BEGIN CERTIFICATE-----\r\n"                                       \
-    "MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
-    "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
-    "MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
-    "A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
-    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
-    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
-    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
-    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
-    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
-    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
-    "gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n"  \
-    "/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n"  \
-    "BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n"  \
-    "dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n"  \
-    "SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n"  \
-    "DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n"  \
-    "pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n"  \
-    "m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n"  \
-    "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n"      \
-    "-----END CERTIFICATE-----\r\n"
+#define TEST_CA_KEY TEST_CA_KEY_EC
+#define TEST_CA_PWD TEST_CA_PWD_EC
+#define TEST_CA_CRT TEST_CA_CRT_EC
 
-#if !defined (TEST_CA_CRT_RSA_SOME)
-const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA1;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof(mbedtls_test_ca_crt_rsa);
-#endif
+#define TEST_SRV_KEY TEST_SRV_KEY_EC
+#define TEST_SRV_PWD TEST_SRV_PWD_EC
+#define TEST_SRV_CRT TEST_SRV_CRT_EC
 
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-
-#endif
-
-const char mbedtls_test_ca_key_rsa[] =
-    "-----BEGIN RSA PRIVATE KEY-----\r\n"
-    "Proc-Type: 4,ENCRYPTED\r\n"
-    "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
-    "\r\n"
-    "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
-    "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
-    "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
-    "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
-    "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
-    "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
-    "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
-    "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
-    "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
-    "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
-    "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
-    "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
-    "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
-    "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
-    "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
-    "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
-    "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
-    "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
-    "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
-    "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
-    "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
-    "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
-    "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
-    "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
-    "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
-    "-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_ca_key_rsa_len = sizeof(mbedtls_test_ca_key_rsa);
-
-const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
-const size_t mbedtls_test_ca_pwd_rsa_len = sizeof(mbedtls_test_ca_pwd_rsa) - 1;
-
-const char mbedtls_test_srv_crt_rsa[] =
-    "-----BEGIN CERTIFICATE-----\r\n"
-    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-    "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-    "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-    "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-    "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-    "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-    "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-    "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-    "zhuYwjVuX6JHG0c=\r\n"
-    "-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof(mbedtls_test_srv_crt_rsa);
-
-const char mbedtls_test_srv_key_rsa[] =
-    "-----BEGIN RSA PRIVATE KEY-----\r\n"
-    "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
-    "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
-    "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
-    "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
-    "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
-    "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
-    "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
-    "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
-    "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
-    "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
-    "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
-    "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
-    "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
-    "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
-    "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
-    "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
-    "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
-    "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
-    "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
-    "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
-    "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
-    "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
-    "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
-    "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
-    "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
-    "-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_srv_key_rsa_len = sizeof(mbedtls_test_srv_key_rsa);
-
-const char mbedtls_test_cli_crt_rsa[] =
-    "-----BEGIN CERTIFICATE-----\r\n"
-    "MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
-    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-    "MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
-    "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
-    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
-    "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
-    "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
-    "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
-    "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
-    "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
-    "o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa\r\n"
-    "gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV\r\n"
-    "BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud\r\n"
-    "EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom\r\n"
-    "LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W\r\n"
-    "iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK\r\n"
-    "D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE\r\n"
-    "ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj\r\n"
-    "c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=\r\n"
-    "-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_cli_crt_rsa_len = sizeof(mbedtls_test_cli_crt_rsa);
-
-const char mbedtls_test_cli_key_rsa[] =
-    "-----BEGIN RSA PRIVATE KEY-----\r\n"
-    "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
-    "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
-    "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
-    "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
-    "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
-    "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
-    "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
-    "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
-    "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
-    "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
-    "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
-    "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
-    "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
-    "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
-    "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
-    "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
-    "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
-    "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
-    "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
-    "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
-    "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
-    "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
-    "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
-    "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
-    "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
-    "-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_cli_key_rsa_len = sizeof(mbedtls_test_cli_key_rsa);
+#define TEST_CLI_KEY TEST_CLI_KEY_EC
+#define TEST_CLI_PWD TEST_CLI_PWD_EC
+#define TEST_CLI_CRT TEST_CLI_CRT_EC
 #endif /* MBEDTLS_RSA_C */
 
-#if defined(MBEDTLS_PEM_PARSE_C)
-/* Concatenation of all available CA certificates */
-const char mbedtls_test_cas_pem[] =
-#ifdef TEST_CA_CRT_RSA_SHA1
-    TEST_CA_CRT_RSA_SHA1
-#endif
-#ifdef TEST_CA_CRT_RSA_SHA256
-    TEST_CA_CRT_RSA_SHA256
-#endif
-#ifdef TEST_CA_CRT_EC
-    TEST_CA_CRT_EC
-#endif
-    "";
-const size_t mbedtls_test_cas_pem_len = sizeof(mbedtls_test_cas_pem);
-#endif
+/* API stability forces us to declare
+ *   mbedtls_test_{ca|srv|cli}_{key|pwd|crt}
+ * as pointers. */
+static const char test_ca_key[] = TEST_CA_KEY;
+static const char test_ca_pwd[] = TEST_CA_PWD;
+static const char test_ca_crt[] = TEST_CA_CRT;
 
-/* List of all available CA certificates */
+static const char test_srv_key[] = TEST_SRV_KEY;
+static const char test_srv_pwd[] = TEST_SRV_PWD;
+static const char test_srv_crt[] = TEST_SRV_CRT;
+
+static const char test_cli_key[] = TEST_CLI_KEY;
+static const char test_cli_pwd[] = TEST_CLI_PWD;
+static const char test_cli_crt[] = TEST_CLI_CRT;
+
+const char *mbedtls_test_ca_key = test_ca_key;
+const char *mbedtls_test_ca_pwd = test_ca_pwd;
+const char *mbedtls_test_ca_crt = test_ca_crt;
+
+const char *mbedtls_test_srv_key = test_srv_key;
+const char *mbedtls_test_srv_pwd = test_srv_pwd;
+const char *mbedtls_test_srv_crt = test_srv_crt;
+
+const char *mbedtls_test_cli_key = test_cli_key;
+const char *mbedtls_test_cli_pwd = test_cli_pwd;
+const char *mbedtls_test_cli_crt = test_cli_crt;
+
+const size_t mbedtls_test_ca_key_len =
+    sizeof(test_ca_key);
+const size_t mbedtls_test_ca_pwd_len =
+    sizeof(test_ca_pwd) - 1;
+const size_t mbedtls_test_ca_crt_len =
+    sizeof(test_ca_crt);
+
+const size_t mbedtls_test_srv_key_len =
+    sizeof(test_srv_key);
+const size_t mbedtls_test_srv_pwd_len =
+    sizeof(test_srv_pwd) - 1;
+const size_t mbedtls_test_srv_crt_len =
+    sizeof(test_srv_crt);
+
+const size_t mbedtls_test_cli_key_len =
+    sizeof(test_cli_key);
+const size_t mbedtls_test_cli_pwd_len =
+    sizeof(test_cli_pwd) - 1;
+const size_t mbedtls_test_cli_crt_len =
+    sizeof(test_cli_crt);
+
+/*
+ *
+ * Lists of certificates
+ *
+ */
+
+/* List of CAs in PEM or DER, depending on config */
 const char *mbedtls_test_cas[] = {
-#if defined(TEST_CA_CRT_RSA_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
     mbedtls_test_ca_crt_rsa_sha1,
 #endif
-#if defined(TEST_CA_CRT_RSA_SHA256)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
     mbedtls_test_ca_crt_rsa_sha256,
 #endif
 #if defined(MBEDTLS_ECDSA_C)
@@ -358,10 +1682,10 @@ const char *mbedtls_test_cas[] = {
     NULL
 };
 const size_t mbedtls_test_cas_len[] = {
-#if defined(TEST_CA_CRT_RSA_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
     sizeof(mbedtls_test_ca_crt_rsa_sha1),
 #endif
-#if defined(TEST_CA_CRT_RSA_SHA256)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
     sizeof(mbedtls_test_ca_crt_rsa_sha256),
 #endif
 #if defined(MBEDTLS_ECDSA_C)
@@ -370,36 +1694,53 @@ const size_t mbedtls_test_cas_len[] = {
     0
 };
 
+/* List of all available CA certificates in DER format */
+const unsigned char *mbedtls_test_cas_der[] = {
 #if defined(MBEDTLS_RSA_C)
-const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_rsa; /* SHA1 or SHA256 */
-const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_rsa;
-const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_rsa;
-const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
-const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
-const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
-const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
-const size_t mbedtls_test_ca_crt_len  = sizeof(mbedtls_test_ca_crt_rsa);
-const size_t mbedtls_test_ca_key_len  = sizeof(mbedtls_test_ca_key_rsa);
-const size_t mbedtls_test_ca_pwd_len  = sizeof(mbedtls_test_ca_pwd_rsa) - 1;
-const size_t mbedtls_test_srv_crt_len = sizeof(mbedtls_test_srv_crt_rsa);
-const size_t mbedtls_test_srv_key_len = sizeof(mbedtls_test_srv_key_rsa);
-const size_t mbedtls_test_cli_crt_len = sizeof(mbedtls_test_cli_crt_rsa);
-const size_t mbedtls_test_cli_key_len = sizeof(mbedtls_test_cli_key_rsa);
-#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
-const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_ec;
-const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_ec;
-const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_ec;
-const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_ec;
-const char *mbedtls_test_srv_key = mbedtls_test_srv_key_ec;
-const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_ec;
-const char *mbedtls_test_cli_key = mbedtls_test_cli_key_ec;
-const size_t mbedtls_test_ca_crt_len  = sizeof(mbedtls_test_ca_crt_ec);
-const size_t mbedtls_test_ca_key_len  = sizeof(mbedtls_test_ca_key_ec);
-const size_t mbedtls_test_ca_pwd_len  = sizeof(mbedtls_test_ca_pwd_ec) - 1;
-const size_t mbedtls_test_srv_crt_len = sizeof(mbedtls_test_srv_crt_ec);
-const size_t mbedtls_test_srv_key_len = sizeof(mbedtls_test_srv_key_ec);
-const size_t mbedtls_test_cli_crt_len = sizeof(mbedtls_test_cli_crt_ec);
-const size_t mbedtls_test_cli_key_len = sizeof(mbedtls_test_cli_key_ec);
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256_der,
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1_der,
+#endif /* MBEDTLS_SHA1_C */
 #endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec_der,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL
+};
+
+const size_t mbedtls_test_cas_der_len[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    sizeof(mbedtls_test_ca_crt_rsa_sha256_der),
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    sizeof(mbedtls_test_ca_crt_rsa_sha1_der),
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof(mbedtls_test_ca_crt_ec_der),
+#endif /* MBEDTLS_ECDSA_C */
+    0
+};
+
+/* Concatenation of all available CA certificates in PEM format */
+#if defined(MBEDTLS_PEM_PARSE_C)
+const char mbedtls_test_cas_pem[] =
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    TEST_CA_CRT_RSA_SHA256_PEM
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    TEST_CA_CRT_RSA_SHA1_PEM
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    TEST_CA_CRT_EC_PEM
+#endif /* MBEDTLS_ECDSA_C */
+    "";
+const size_t mbedtls_test_cas_pem_len = sizeof(mbedtls_test_cas_pem);
+#endif /* MBEDTLS_PEM_PARSE_C */
 
 #endif /* MBEDTLS_CERTS_C */
diff --git a/common/mbedtls/certs.h b/common/mbedtls/certs.h
index 7522044e7..0ec6971e8 100644
--- a/common/mbedtls/certs.h
+++ b/common/mbedtls/certs.h
@@ -4,96 +4,244 @@
  * \brief Sample certificates and DHM parameters for testing
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/* List of all PEM-encoded CA certificates, terminated by NULL;
+ * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
+ * otherwise. */
+extern const char *mbedtls_test_cas[];
+extern const size_t mbedtls_test_cas_len[];
+
+/* List of all DER-encoded CA certificates, terminated by NULL */
+extern const unsigned char *mbedtls_test_cas_der[];
+extern const size_t mbedtls_test_cas_der_len[];
+
 #if defined(MBEDTLS_PEM_PARSE_C)
 /* Concatenation of all CA certificates in PEM format if available */
 extern const char   mbedtls_test_cas_pem[];
 extern const size_t mbedtls_test_cas_pem_len;
-#endif
-
-/* List of all CA certificates, terminated by NULL */
-extern const char *mbedtls_test_cas[];
-extern const size_t mbedtls_test_cas_len[];
+#endif /* MBEDTLS_PEM_PARSE_C */
 
 /*
- * Convenience for users who just want a certificate:
- * RSA by default, or ECDSA if RSA is not available
+ * CA test certificates
  */
-extern const char *mbedtls_test_ca_crt;
-extern const size_t mbedtls_test_ca_crt_len;
-extern const char *mbedtls_test_ca_key;
-extern const size_t mbedtls_test_ca_key_len;
-extern const char *mbedtls_test_ca_pwd;
-extern const size_t mbedtls_test_ca_pwd_len;
-extern const char *mbedtls_test_srv_crt;
-extern const size_t mbedtls_test_srv_crt_len;
-extern const char *mbedtls_test_srv_key;
-extern const size_t mbedtls_test_srv_key_len;
-extern const char *mbedtls_test_cli_crt;
-extern const size_t mbedtls_test_cli_crt_len;
-extern const char *mbedtls_test_cli_key;
-extern const size_t mbedtls_test_cli_key_len;
 
-#if defined(MBEDTLS_ECDSA_C)
-extern const char   mbedtls_test_ca_crt_ec[];
+extern const char mbedtls_test_ca_crt_ec_pem[];
+extern const char mbedtls_test_ca_key_ec_pem[];
+extern const char mbedtls_test_ca_pwd_ec_pem[];
+extern const char mbedtls_test_ca_key_rsa_pem[];
+extern const char mbedtls_test_ca_pwd_rsa_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_ca_crt_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_rsa_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_ca_crt_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_ec_pem_len;
+extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_rsa_pem_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_ca_crt_ec_der_len;
+extern const size_t mbedtls_test_ca_key_ec_der_len;
+extern const size_t mbedtls_test_ca_pwd_ec_der_len;
+extern const size_t mbedtls_test_ca_key_rsa_der_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_ca_crt_ec[];
+extern const char mbedtls_test_ca_key_ec[];
+extern const char mbedtls_test_ca_pwd_ec[];
+extern const char mbedtls_test_ca_key_rsa[];
+extern const char mbedtls_test_ca_pwd_rsa[];
+extern const char mbedtls_test_ca_crt_rsa_sha1[];
+extern const char mbedtls_test_ca_crt_rsa_sha256[];
+
 extern const size_t mbedtls_test_ca_crt_ec_len;
-extern const char   mbedtls_test_ca_key_ec[];
 extern const size_t mbedtls_test_ca_key_ec_len;
-extern const char   mbedtls_test_ca_pwd_ec[];
 extern const size_t mbedtls_test_ca_pwd_ec_len;
-extern const char   mbedtls_test_srv_crt_ec[];
-extern const size_t mbedtls_test_srv_crt_ec_len;
-extern const char   mbedtls_test_srv_key_ec[];
-extern const size_t mbedtls_test_srv_key_ec_len;
-extern const char   mbedtls_test_cli_crt_ec[];
-extern const size_t mbedtls_test_cli_crt_ec_len;
-extern const char   mbedtls_test_cli_key_ec[];
-extern const size_t mbedtls_test_cli_key_ec_len;
-#endif
-
-#if defined(MBEDTLS_RSA_C)
-extern const char   mbedtls_test_ca_crt_rsa[];
-extern const size_t mbedtls_test_ca_crt_rsa_len;
-extern const char   mbedtls_test_ca_key_rsa[];
 extern const size_t mbedtls_test_ca_key_rsa_len;
-extern const char   mbedtls_test_ca_pwd_rsa[];
 extern const size_t mbedtls_test_ca_pwd_rsa_len;
-extern const char   mbedtls_test_srv_crt_rsa[];
-extern const size_t mbedtls_test_srv_crt_rsa_len;
-extern const char   mbedtls_test_srv_key_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_ca_crt_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char *mbedtls_test_ca_crt;
+extern const char *mbedtls_test_ca_key;
+extern const char *mbedtls_test_ca_pwd;
+extern const size_t mbedtls_test_ca_crt_len;
+extern const size_t mbedtls_test_ca_key_len;
+extern const size_t mbedtls_test_ca_pwd_len;
+
+/*
+ * Server test certificates
+ */
+
+extern const char mbedtls_test_srv_crt_ec_pem[];
+extern const char mbedtls_test_srv_key_ec_pem[];
+extern const char mbedtls_test_srv_pwd_ec_pem[];
+extern const char mbedtls_test_srv_key_rsa_pem[];
+extern const char mbedtls_test_srv_pwd_rsa_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_srv_crt_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_rsa_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_srv_crt_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_ec_pem_len;
+extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_rsa_pem_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_srv_crt_ec_der_len;
+extern const size_t mbedtls_test_srv_key_ec_der_len;
+extern const size_t mbedtls_test_srv_pwd_ec_der_len;
+extern const size_t mbedtls_test_srv_key_rsa_der_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_srv_crt_ec[];
+extern const char mbedtls_test_srv_key_ec[];
+extern const char mbedtls_test_srv_pwd_ec[];
+extern const char mbedtls_test_srv_key_rsa[];
+extern const char mbedtls_test_srv_pwd_rsa[];
+extern const char mbedtls_test_srv_crt_rsa_sha1[];
+extern const char mbedtls_test_srv_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_srv_crt_ec_len;
+extern const size_t mbedtls_test_srv_key_ec_len;
+extern const size_t mbedtls_test_srv_pwd_ec_len;
 extern const size_t mbedtls_test_srv_key_rsa_len;
-extern const char   mbedtls_test_cli_crt_rsa[];
-extern const size_t mbedtls_test_cli_crt_rsa_len;
-extern const char   mbedtls_test_cli_key_rsa[];
+extern const size_t mbedtls_test_srv_pwd_rsa_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_srv_crt_rsa[];
+extern const size_t mbedtls_test_srv_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char *mbedtls_test_srv_crt;
+extern const char *mbedtls_test_srv_key;
+extern const char *mbedtls_test_srv_pwd;
+extern const size_t mbedtls_test_srv_crt_len;
+extern const size_t mbedtls_test_srv_key_len;
+extern const size_t mbedtls_test_srv_pwd_len;
+
+/*
+ * Client test certificates
+ */
+
+extern const char mbedtls_test_cli_crt_ec_pem[];
+extern const char mbedtls_test_cli_key_ec_pem[];
+extern const char mbedtls_test_cli_pwd_ec_pem[];
+extern const char mbedtls_test_cli_key_rsa_pem[];
+extern const char mbedtls_test_cli_pwd_rsa_pem[];
+extern const char mbedtls_test_cli_crt_rsa_pem[];
+
+extern const unsigned char mbedtls_test_cli_crt_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_rsa_der[];
+extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
+
+extern const size_t mbedtls_test_cli_crt_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_ec_pem_len;
+extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_rsa_pem_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
+
+extern const size_t mbedtls_test_cli_crt_ec_der_len;
+extern const size_t mbedtls_test_cli_key_ec_der_len;
+extern const size_t mbedtls_test_cli_key_rsa_der_len;
+extern const size_t mbedtls_test_cli_crt_rsa_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_cli_crt_ec[];
+extern const char mbedtls_test_cli_key_ec[];
+extern const char mbedtls_test_cli_pwd_ec[];
+extern const char mbedtls_test_cli_key_rsa[];
+extern const char mbedtls_test_cli_pwd_rsa[];
+extern const char mbedtls_test_cli_crt_rsa[];
+
+extern const size_t mbedtls_test_cli_crt_ec_len;
+extern const size_t mbedtls_test_cli_key_ec_len;
+extern const size_t mbedtls_test_cli_pwd_ec_len;
 extern const size_t mbedtls_test_cli_key_rsa_len;
-#endif
+extern const size_t mbedtls_test_cli_pwd_rsa_len;
+extern const size_t mbedtls_test_cli_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char *mbedtls_test_cli_crt;
+extern const char *mbedtls_test_cli_key;
+extern const char *mbedtls_test_cli_pwd;
+extern const size_t mbedtls_test_cli_crt_len;
+extern const size_t mbedtls_test_cli_key_len;
+extern const size_t mbedtls_test_cli_pwd_len;
 
 #ifdef __cplusplus
 }
diff --git a/common/mbedtls/chacha20.c b/common/mbedtls/chacha20.c
new file mode 100644
index 000000000..62928ad7b
--- /dev/null
+++ b/common/mbedtls/chacha20.c
@@ -0,0 +1,544 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define CHACHA20_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+#define CHACHA20_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                   \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )     \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )    \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )    \
+    )
+
+#define ROTL32( value, amount ) \
+    ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/**
+ * \brief           ChaCha20 quarter round operation.
+ *
+ *                  The quarter round is defined as follows (from RFC 7539):
+ *                      1.  a += b; d ^= a; d <<<= 16;
+ *                      2.  c += d; b ^= c; b <<<= 12;
+ *                      3.  a += b; d ^= a; d <<<= 8;
+ *                      4.  c += d; b ^= c; b <<<= 7;
+ *
+ * \param state     ChaCha20 state to modify.
+ * \param a         The index of 'a' in the state.
+ * \param b         The index of 'b' in the state.
+ * \param c         The index of 'c' in the state.
+ * \param d         The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round(uint32_t state[16],
+                                          size_t a,
+                                          size_t b,
+                                          size_t c,
+                                          size_t d) {
+    /* a += b; d ^= a; d <<<= 16; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32(state[d], 16);
+
+    /* c += d; b ^= c; b <<<= 12 */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32(state[b], 12);
+
+    /* a += b; d ^= a; d <<<= 8; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32(state[d], 8);
+
+    /* c += d; b ^= c; b <<<= 7; */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32(state[b], 7);
+}
+
+/**
+ * \brief           Perform the ChaCha20 inner block operation.
+ *
+ *                  This function performs two rounds: the column round and the
+ *                  diagonal round.
+ *
+ * \param state     The ChaCha20 state to update.
+ */
+static void chacha20_inner_block(uint32_t state[16]) {
+    chacha20_quarter_round(state, 0, 4, 8,  12);
+    chacha20_quarter_round(state, 1, 5, 9,  13);
+    chacha20_quarter_round(state, 2, 6, 10, 14);
+    chacha20_quarter_round(state, 3, 7, 11, 15);
+
+    chacha20_quarter_round(state, 0, 5, 10, 15);
+    chacha20_quarter_round(state, 1, 6, 11, 12);
+    chacha20_quarter_round(state, 2, 7, 8,  13);
+    chacha20_quarter_round(state, 3, 4, 9,  14);
+}
+
+/**
+ * \brief               Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream     Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block(const uint32_t initial_state[16],
+                           unsigned char keystream[64]) {
+    uint32_t working_state[16];
+    size_t i;
+
+    memcpy(working_state,
+           initial_state,
+           CHACHA20_BLOCK_SIZE_BYTES);
+
+    for (i = 0U; i < 10U; i++)
+        chacha20_inner_block(working_state);
+
+    working_state[ 0] += initial_state[ 0];
+    working_state[ 1] += initial_state[ 1];
+    working_state[ 2] += initial_state[ 2];
+    working_state[ 3] += initial_state[ 3];
+    working_state[ 4] += initial_state[ 4];
+    working_state[ 5] += initial_state[ 5];
+    working_state[ 6] += initial_state[ 6];
+    working_state[ 7] += initial_state[ 7];
+    working_state[ 8] += initial_state[ 8];
+    working_state[ 9] += initial_state[ 9];
+    working_state[10] += initial_state[10];
+    working_state[11] += initial_state[11];
+    working_state[12] += initial_state[12];
+    working_state[13] += initial_state[13];
+    working_state[14] += initial_state[14];
+    working_state[15] += initial_state[15];
+
+    for (i = 0U; i < 16; i++) {
+        size_t offset = i * 4U;
+
+        keystream[offset     ] = (unsigned char)(working_state[i]);
+        keystream[offset + 1U] = (unsigned char)(working_state[i] >>  8);
+        keystream[offset + 2U] = (unsigned char)(working_state[i] >> 16);
+        keystream[offset + 3U] = (unsigned char)(working_state[i] >> 24);
+    }
+
+    mbedtls_platform_zeroize(working_state, sizeof(working_state));
+}
+
+void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx) {
+    CHACHA20_VALIDATE(ctx != NULL);
+
+    mbedtls_platform_zeroize(ctx->state, sizeof(ctx->state));
+    mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx) {
+    if (ctx != NULL) {
+        mbedtls_platform_zeroize(ctx, sizeof(mbedtls_chacha20_context));
+    }
+}
+
+int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
+                            const unsigned char key[32]) {
+    CHACHA20_VALIDATE_RET(ctx != NULL);
+    CHACHA20_VALIDATE_RET(key != NULL);
+
+    /* ChaCha20 constants - the string "expand 32-byte k" */
+    ctx->state[0] = 0x61707865;
+    ctx->state[1] = 0x3320646e;
+    ctx->state[2] = 0x79622d32;
+    ctx->state[3] = 0x6b206574;
+
+    /* Set key */
+    ctx->state[4]  = BYTES_TO_U32_LE(key, 0);
+    ctx->state[5]  = BYTES_TO_U32_LE(key, 4);
+    ctx->state[6]  = BYTES_TO_U32_LE(key, 8);
+    ctx->state[7]  = BYTES_TO_U32_LE(key, 12);
+    ctx->state[8]  = BYTES_TO_U32_LE(key, 16);
+    ctx->state[9]  = BYTES_TO_U32_LE(key, 20);
+    ctx->state[10] = BYTES_TO_U32_LE(key, 24);
+    ctx->state[11] = BYTES_TO_U32_LE(key, 28);
+
+    return (0);
+}
+
+int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
+                            const unsigned char nonce[12],
+                            uint32_t counter) {
+    CHACHA20_VALIDATE_RET(ctx != NULL);
+    CHACHA20_VALIDATE_RET(nonce != NULL);
+
+    /* Counter */
+    ctx->state[12] = counter;
+
+    /* Nonce */
+    ctx->state[13] = BYTES_TO_U32_LE(nonce, 0);
+    ctx->state[14] = BYTES_TO_U32_LE(nonce, 4);
+    ctx->state[15] = BYTES_TO_U32_LE(nonce, 8);
+
+    mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+    return (0);
+}
+
+int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
+                            size_t size,
+                            const unsigned char *input,
+                            unsigned char *output) {
+    size_t offset = 0U;
+    size_t i;
+
+    CHACHA20_VALIDATE_RET(ctx != NULL);
+    CHACHA20_VALIDATE_RET(size == 0 || input  != NULL);
+    CHACHA20_VALIDATE_RET(size == 0 || output != NULL);
+
+    /* Use leftover keystream bytes, if available */
+    while (size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES) {
+        output[offset] = input[offset]
+                         ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+        ctx->keystream_bytes_used++;
+        offset++;
+        size--;
+    }
+
+    /* Process full blocks */
+    while (size >= CHACHA20_BLOCK_SIZE_BYTES) {
+        /* Generate new keystream block and increment counter */
+        chacha20_block(ctx->state, ctx->keystream8);
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for (i = 0U; i < 64U; i += 8U) {
+            output[offset + i  ] = input[offset + i  ] ^ ctx->keystream8[i  ];
+            output[offset + i + 1] = input[offset + i + 1] ^ ctx->keystream8[i + 1];
+            output[offset + i + 2] = input[offset + i + 2] ^ ctx->keystream8[i + 2];
+            output[offset + i + 3] = input[offset + i + 3] ^ ctx->keystream8[i + 3];
+            output[offset + i + 4] = input[offset + i + 4] ^ ctx->keystream8[i + 4];
+            output[offset + i + 5] = input[offset + i + 5] ^ ctx->keystream8[i + 5];
+            output[offset + i + 6] = input[offset + i + 6] ^ ctx->keystream8[i + 6];
+            output[offset + i + 7] = input[offset + i + 7] ^ ctx->keystream8[i + 7];
+        }
+
+        offset += CHACHA20_BLOCK_SIZE_BYTES;
+        size   -= CHACHA20_BLOCK_SIZE_BYTES;
+    }
+
+    /* Last (partial) block */
+    if (size > 0U) {
+        /* Generate new keystream block and increment counter */
+        chacha20_block(ctx->state, ctx->keystream8);
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for (i = 0U; i < size; i++) {
+            output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+        }
+
+        ctx->keystream_bytes_used = size;
+
+    }
+
+    return (0);
+}
+
+int mbedtls_chacha20_crypt(const unsigned char key[32],
+                           const unsigned char nonce[12],
+                           uint32_t counter,
+                           size_t data_len,
+                           const unsigned char *input,
+                           unsigned char *output) {
+    mbedtls_chacha20_context ctx;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    CHACHA20_VALIDATE_RET(key != NULL);
+    CHACHA20_VALIDATE_RET(nonce != NULL);
+    CHACHA20_VALIDATE_RET(data_len == 0 || input  != NULL);
+    CHACHA20_VALIDATE_RET(data_len == 0 || output != NULL);
+
+    mbedtls_chacha20_init(&ctx);
+
+    ret = mbedtls_chacha20_setkey(&ctx, key);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_chacha20_starts(&ctx, nonce, counter);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_chacha20_update(&ctx, data_len, input, output);
+
+cleanup:
+    mbedtls_chacha20_free(&ctx);
+    return (ret);
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+    }
+};
+
+static const unsigned char test_nonces[2][12] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x02
+    }
+};
+
+static const uint32_t test_counters[2] = {
+    0U,
+    1U
+};
+
+static const unsigned char test_input[2][375] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+        0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+        0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+        0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+        0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+        0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+        0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+        0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+        0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+        0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+        0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+        0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+        0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+        0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+        0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+        0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+        0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+        0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+        0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+        0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+        0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+        0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+        0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+        0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+        0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+        0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+        0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+        0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+        0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+        0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+        0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+        0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+        0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+        0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+        0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+    }
+};
+
+static const unsigned char test_output[2][375] = {
+    {
+        0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+        0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+        0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+        0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+        0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+        0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+        0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+        0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+    },
+    {
+        0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+        0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+        0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+        0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+        0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+        0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+        0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+        0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+        0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+        0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+        0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+        0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+        0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+        0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+        0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+        0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+        0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+        0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+        0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+        0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+        0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+        0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+        0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+        0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+        0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+        0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+        0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+        0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+        0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+        0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+        0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+        0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+        0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+        0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+        0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+        0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+        0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+        0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+        0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+        0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+        0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+        0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+        0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+        0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+        0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+        0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+        0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+    }
+};
+
+static const size_t test_lengths[2] = {
+    64U,
+    375U
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chacha20_self_test(int verbose) {
+    unsigned char output[381];
+    unsigned i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    for (i = 0U; i < 2U; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  ChaCha20 test %u ", i);
+
+        ret = mbedtls_chacha20_crypt(test_keys[i],
+                                     test_nonces[i],
+                                     test_counters[i],
+                                     test_lengths[i],
+                                     test_input[i],
+                                     output);
+
+        ASSERT(0 == ret, ("error code: %i\n", ret));
+
+        ASSERT(0 == memcmp(output, test_output[i], test_lengths[i]),
+               ("failed (output)\n"));
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/common/mbedtls/chacha20.h b/common/mbedtls/chacha20.h
new file mode 100644
index 000000000..db8aca4ea
--- /dev/null
+++ b/common/mbedtls/chacha20.h
@@ -0,0 +1,224 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief   This file contains ChaCha20 definitions and functions.
+ *
+ *          ChaCha20 is a stream cipher that can encrypt and decrypt
+ *          information. ChaCha was created by Daniel Bernstein as a variant of
+ *          its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ *          ChaCha20 is the variant with 20 rounds, that was also standardized
+ *          in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055  /**< Chacha20 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct mbedtls_chacha20_context {
+    uint32_t state[16];          /*! The state (before round operations). */
+    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
+    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else  /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by calls to
+ *                  \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts(), then one or more calls to
+ *                  to \c mbedtls_chacha20_update(), and finally to
+ *                  \c mbedtls_chacha20_free().
+ *
+ * \param ctx       The ChaCha20 context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx);
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20 context.
+ *
+ * \param ctx       The ChaCha20 context to clear. This may be \c NULL,
+ *                  in which case this function is a no-op. If it is not
+ *                  \c NULL, it must point to an initialized context.
+ *
+ */
+void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx);
+
+/**
+ * \brief           This function sets the encryption/decryption key.
+ *
+ * \note            After using this function, you must also call
+ *                  \c mbedtls_chacha20_starts() to set a nonce before you
+ *                  start encrypting/decrypting data with
+ *                  \c mbedtls_chacha_update().
+ *
+ * \param ctx       The ChaCha20 context to which the key should be bound.
+ *                  It must be initialized.
+ * \param key       The encryption/decryption key. This must be \c 32 Bytes
+ *                  in length.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
+                            const unsigned char key[32]);
+
+/**
+ * \brief           This function sets the nonce and initial counter value.
+ *
+ * \note            A ChaCha20 context can be re-used with the same key by
+ *                  calling this function to change the nonce.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality guarantees for the
+ *                  messages encrypted with the same nonce and key.
+ *
+ * \param ctx       The ChaCha20 context to which the nonce should be bound.
+ *                  It must be initialized and bound to a key.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ *                  NULL.
+ */
+int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
+                            const unsigned char nonce[12],
+                            uint32_t counter);
+
+/**
+ * \brief           This function encrypts or decrypts data.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \note            \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts() must be called at least once
+ *                  to setup the context before this function can be called.
+ *
+ * \note            This function can be called multiple times in a row in
+ *                  order to encrypt of decrypt data piecewise with the same
+ *                  key and nonce.
+ *
+ * \param ctx       The ChaCha20 context to use for encryption or decryption.
+ *                  It must be initialized and bound to a key and nonce.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
+                            size_t size,
+                            const unsigned char *input,
+                            unsigned char *output);
+
+/**
+ * \brief           This function encrypts or decrypts data with ChaCha20 and
+ *                  the given key and nonce.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \warning         You must never use the same (key, nonce) pair more than
+ *                  once. This would void any confidentiality guarantees for
+ *                  the messages encrypted with the same nonce and key.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \param key       The encryption/decryption key.
+ *                  This must be \c 32 Bytes in length.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_crypt(const unsigned char key[32],
+                           const unsigned char nonce[12],
+                           uint32_t counter,
+                           size_t size,
+                           const unsigned char *input,
+                           unsigned char *output);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/common/mbedtls/chachapoly.c b/common/mbedtls/chachapoly.c
new file mode 100644
index 000000000..90a71b489
--- /dev/null
+++ b/common/mbedtls/chachapoly.c
@@ -0,0 +1,504 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+/* Parameter validation macros */
+#define CHACHAPOLY_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define CHACHAPOLY_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CHACHAPOLY_STATE_INIT       ( 0 )
+#define CHACHAPOLY_STATE_AAD        ( 1 )
+#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED   ( 3 )
+
+/**
+ * \brief           Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx) {
+    uint32_t partial_block_len = (uint32_t)(ctx->aad_len % 16U);
+    unsigned char zeroes[15];
+
+    if (partial_block_len == 0U)
+        return (0);
+
+    memset(zeroes, 0, sizeof(zeroes));
+
+    return (mbedtls_poly1305_update(&ctx->poly1305_ctx,
+                                    zeroes,
+                                    16U - partial_block_len));
+}
+
+/**
+ * \brief           Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx) {
+    uint32_t partial_block_len = (uint32_t)(ctx->ciphertext_len % 16U);
+    unsigned char zeroes[15];
+
+    if (partial_block_len == 0U)
+        return (0);
+
+    memset(zeroes, 0, sizeof(zeroes));
+    return (mbedtls_poly1305_update(&ctx->poly1305_ctx,
+                                    zeroes,
+                                    16U - partial_block_len));
+}
+
+void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx) {
+    CHACHAPOLY_VALIDATE(ctx != NULL);
+
+    mbedtls_chacha20_init(&ctx->chacha20_ctx);
+    mbedtls_poly1305_init(&ctx->poly1305_ctx);
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_chacha20_free(&ctx->chacha20_ctx);
+    mbedtls_poly1305_free(&ctx->poly1305_ctx);
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
+                              const unsigned char key[32]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    CHACHAPOLY_VALIDATE_RET(ctx != NULL);
+    CHACHAPOLY_VALIDATE_RET(key != NULL);
+
+    ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
+
+    return (ret);
+}
+
+int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
+                              const unsigned char nonce[12],
+                              mbedtls_chachapoly_mode_t mode) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char poly1305_key[64];
+    CHACHAPOLY_VALIDATE_RET(ctx != NULL);
+    CHACHAPOLY_VALIDATE_RET(nonce != NULL);
+
+    /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+    ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+     * counter = 0.  This is the same as encrypting a buffer of zeroes.
+     * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+     * The other 256 bits are discarded.
+     */
+    memset(poly1305_key, 0, sizeof(poly1305_key));
+    ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
+                                  poly1305_key, poly1305_key);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
+
+    if (ret == 0) {
+        ctx->aad_len        = 0U;
+        ctx->ciphertext_len = 0U;
+        ctx->state          = CHACHAPOLY_STATE_AAD;
+        ctx->mode           = mode;
+    }
+
+cleanup:
+    mbedtls_platform_zeroize(poly1305_key, 64U);
+    return (ret);
+}
+
+int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
+                                  const unsigned char *aad,
+                                  size_t aad_len) {
+    CHACHAPOLY_VALIDATE_RET(ctx != NULL);
+    CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad != NULL);
+
+    if (ctx->state != CHACHAPOLY_STATE_AAD)
+        return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
+
+    ctx->aad_len += aad_len;
+
+    return (mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len));
+}
+
+int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
+                              size_t len,
+                              const unsigned char *input,
+                              unsigned char *output) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    CHACHAPOLY_VALIDATE_RET(ctx != NULL);
+    CHACHAPOLY_VALIDATE_RET(len == 0 || input != NULL);
+    CHACHAPOLY_VALIDATE_RET(len == 0 || output != NULL);
+
+    if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
+            (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
+        return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
+    }
+
+    if (ctx->state == CHACHAPOLY_STATE_AAD) {
+        ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+        ret = chachapoly_pad_aad(ctx);
+        if (ret != 0)
+            return (ret);
+    }
+
+    ctx->ciphertext_len += len;
+
+    if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
+        ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+        if (ret != 0)
+            return (ret);
+
+        ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
+        if (ret != 0)
+            return (ret);
+    } else { /* DECRYPT */
+        ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
+        if (ret != 0)
+            return (ret);
+
+        ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+        if (ret != 0)
+            return (ret);
+    }
+
+    return (0);
+}
+
+int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
+                              unsigned char mac[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char len_block[16];
+    CHACHAPOLY_VALIDATE_RET(ctx != NULL);
+    CHACHAPOLY_VALIDATE_RET(mac != NULL);
+
+    if (ctx->state == CHACHAPOLY_STATE_INIT) {
+        return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
+    }
+
+    if (ctx->state == CHACHAPOLY_STATE_AAD) {
+        ret = chachapoly_pad_aad(ctx);
+        if (ret != 0)
+            return (ret);
+    } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
+        ret = chachapoly_pad_ciphertext(ctx);
+        if (ret != 0)
+            return (ret);
+    }
+
+    ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+    /* The lengths of the AAD and ciphertext are processed by
+     * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+     */
+    len_block[ 0] = (unsigned char)(ctx->aad_len);
+    len_block[ 1] = (unsigned char)(ctx->aad_len >>  8);
+    len_block[ 2] = (unsigned char)(ctx->aad_len >> 16);
+    len_block[ 3] = (unsigned char)(ctx->aad_len >> 24);
+    len_block[ 4] = (unsigned char)(ctx->aad_len >> 32);
+    len_block[ 5] = (unsigned char)(ctx->aad_len >> 40);
+    len_block[ 6] = (unsigned char)(ctx->aad_len >> 48);
+    len_block[ 7] = (unsigned char)(ctx->aad_len >> 56);
+    len_block[ 8] = (unsigned char)(ctx->ciphertext_len);
+    len_block[ 9] = (unsigned char)(ctx->ciphertext_len >>  8);
+    len_block[10] = (unsigned char)(ctx->ciphertext_len >> 16);
+    len_block[11] = (unsigned char)(ctx->ciphertext_len >> 24);
+    len_block[12] = (unsigned char)(ctx->ciphertext_len >> 32);
+    len_block[13] = (unsigned char)(ctx->ciphertext_len >> 40);
+    len_block[14] = (unsigned char)(ctx->ciphertext_len >> 48);
+    len_block[15] = (unsigned char)(ctx->ciphertext_len >> 56);
+
+    ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
+
+    return (ret);
+}
+
+static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
+                                    mbedtls_chachapoly_mode_t mode,
+                                    size_t length,
+                                    const unsigned char nonce[12],
+                                    const unsigned char *aad,
+                                    size_t aad_len,
+                                    const unsigned char *input,
+                                    unsigned char *output,
+                                    unsigned char tag[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update(ctx, length, input, output);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_finish(ctx, tag);
+
+cleanup:
+    return (ret);
+}
+
+int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
+                                       size_t length,
+                                       const unsigned char nonce[12],
+                                       const unsigned char *aad,
+                                       size_t aad_len,
+                                       const unsigned char *input,
+                                       unsigned char *output,
+                                       unsigned char tag[16]) {
+    CHACHAPOLY_VALIDATE_RET(ctx   != NULL);
+    CHACHAPOLY_VALIDATE_RET(nonce != NULL);
+    CHACHAPOLY_VALIDATE_RET(tag   != NULL);
+    CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad    != NULL);
+    CHACHAPOLY_VALIDATE_RET(length  == 0 || input  != NULL);
+    CHACHAPOLY_VALIDATE_RET(length  == 0 || output != NULL);
+
+    return (chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+                                     length, nonce, aad, aad_len,
+                                     input, output, tag));
+}
+
+int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
+                                    size_t length,
+                                    const unsigned char nonce[12],
+                                    const unsigned char *aad,
+                                    size_t aad_len,
+                                    const unsigned char tag[16],
+                                    const unsigned char *input,
+                                    unsigned char *output) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+    CHACHAPOLY_VALIDATE_RET(ctx   != NULL);
+    CHACHAPOLY_VALIDATE_RET(nonce != NULL);
+    CHACHAPOLY_VALIDATE_RET(tag   != NULL);
+    CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad    != NULL);
+    CHACHAPOLY_VALIDATE_RET(length  == 0 || input  != NULL);
+    CHACHAPOLY_VALIDATE_RET(length  == 0 || output != NULL);
+
+    if ((ret = chachapoly_crypt_and_tag(ctx,
+                                        MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+                                        aad, aad_len, input, output, check_tag)) != 0) {
+        return (ret);
+    }
+
+    /* Check tag in "constant-time" */
+    for (diff = 0, i = 0; i < sizeof(check_tag); i++)
+        diff |= tag[i] ^ check_tag[i];
+
+    if (diff != 0) {
+        mbedtls_platform_zeroize(output, length);
+        return (MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED);
+    }
+
+    return (0);
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] = {
+    {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    }
+};
+
+static const unsigned char test_nonce[1][12] = {
+    {
+        0x07, 0x00, 0x00, 0x00,                         /* 32-bit common part */
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47  /* 64-bit IV */
+    }
+};
+
+static const unsigned char test_aad[1][12] = {
+    {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+        0xc4, 0xc5, 0xc6, 0xc7
+    }
+};
+
+static const size_t test_aad_len[1] = {
+    12U
+};
+
+static const unsigned char test_input[1][114] = {
+    {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+        0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+        0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+        0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+        0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+        0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+        0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+        0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+        0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+        0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+        0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+        0x74, 0x2e
+    }
+};
+
+static const unsigned char test_output[1][114] = {
+    {
+        0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+        0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+        0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+        0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+        0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+        0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+        0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+        0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+        0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+        0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+        0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+        0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+        0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+        0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+        0x61, 0x16
+    }
+};
+
+static const size_t test_input_len[1] = {
+    114U
+};
+
+static const unsigned char test_mac[1][16] = {
+    {
+        0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+        0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+    }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chachapoly_self_test(int verbose) {
+    mbedtls_chachapoly_context ctx;
+    unsigned i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char output[200];
+    unsigned char mac[16];
+
+    for (i = 0U; i < 1U; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  ChaCha20-Poly1305 test %u ", i);
+
+        mbedtls_chachapoly_init(&ctx);
+
+        ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
+        ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
+
+        ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
+                                                 test_input_len[i],
+                                                 test_nonce[i],
+                                                 test_aad[i],
+                                                 test_aad_len[i],
+                                                 test_input[i],
+                                                 output,
+                                                 mac);
+
+        ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
+
+        ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
+               ("failure (wrong output)\n"));
+
+        ASSERT(0 == memcmp(mac, test_mac[i], 16U),
+               ("failure (wrong MAC)\n"));
+
+        mbedtls_chachapoly_free(&ctx);
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/common/mbedtls/chachapoly.h b/common/mbedtls/chachapoly.h
new file mode 100644
index 000000000..66af854e4
--- /dev/null
+++ b/common/mbedtls/chachapoly.h
@@ -0,0 +1,355 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ *          functions.
+ *
+ *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ *          with Associated Data (AEAD) that can be used to encrypt and
+ *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ *          Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* for shared error codes */
+#include "mbedtls/poly1305.h"
+
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
+    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "mbedtls/chacha20.h"
+
+typedef struct mbedtls_chachapoly_context {
+    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
+    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
+    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
+    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
+    int state;                              /**< The current state of the context. */
+    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context. It must be followed by a call to
+ *                  \c mbedtls_chachapoly_setkey() before any operation can be
+ *                  done, and to \c mbedtls_chachapoly_free() once all
+ *                  operations with that context have been finished.
+ *
+ *                  In order to encrypt or decrypt full messages at once, for
+ *                  each message you should make a single call to
+ *                  \c mbedtls_chachapoly_crypt_and_tag() or
+ *                  \c mbedtls_chachapoly_auth_decrypt().
+ *
+ *                  In order to encrypt messages piecewise, for each
+ *                  message you should make a call to
+ *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update(), then one call to
+ *                  \c mbedtls_chachapoly_finish().
+ *
+ * \warning         Decryption with the piecewise API is discouraged! Always
+ *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ *                  If however this is not possible because the data is too
+ *                  large to fit in memory, you need to:
+ *
+ *                  - call \c mbedtls_chachapoly_starts() and (if needed)
+ *                  \c mbedtls_chachapoly_update_aad() as above,
+ *                  - call \c mbedtls_chachapoly_update() multiple times and
+ *                  ensure its output (the plaintext) is NOT used in any other
+ *                  way than placing it in temporary storage at this point,
+ *                  - call \c mbedtls_chachapoly_finish() to compute the
+ *                  authentication tag and compared it in constant time to the
+ *                  tag received with the ciphertext.
+ *
+ *                  If the tags are not equal, you must immediately discard
+ *                  all previous outputs of \c mbedtls_chachapoly_update(),
+ *                  otherwise you can now safely use the plaintext.
+ *
+ * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
+ */
+void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx);
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20-Poly1305 context.
+ *
+ * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op.
+ */
+void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx);
+
+/**
+ * \brief           This function sets the ChaCha20-Poly1305
+ *                  symmetric encryption key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to which the key should be
+ *                  bound. This must be initialized.
+ * \param key       The \c 256 Bit (\c 32 Bytes) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
+                              const unsigned char key[32]);
+
+/**
+ * \brief           This function starts a ChaCha20-Poly1305 encryption or
+ *                  decryption operation.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \note            If the context is being used for AAD only (no data to
+ *                  encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param nonce     The nonce/IV to use for the message.
+ *                  This must be a redable buffer of length \c 12 Bytes.
+ * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
+                              const unsigned char nonce[12],
+                              mbedtls_chachapoly_mode_t mode);
+
+/**
+ * \brief           This function feeds additional data to be authenticated
+ *                  into an ongoing ChaCha20-Poly1305 operation.
+ *
+ *                  The Additional Authenticated Data (AAD), also called
+ *                  Associated Data (AD) is only authenticated but not
+ *                  encrypted nor included in the encrypted output. It is
+ *                  usually transmitted separately from the ciphertext or
+ *                  computed locally by each party.
+ *
+ * \note            This function is called before data is encrypted/decrypted.
+ *                  I.e. call this function to process the AAD before calling
+ *                  \c mbedtls_chachapoly_update().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of AAD. It is permitted to call
+ *                  this function 0 times, if no AAD is used.
+ *
+ *                  This function cannot be called any more if data has
+ *                  been processed by \c mbedtls_chachapoly_update(),
+ *                  or if the context has been finished.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param aad_len   The length in Bytes of the AAD. The length has no
+ *                  restrictions.
+ * \param aad       Buffer containing the AAD.
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ *                  if \p ctx or \p aad are NULL.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operations has not been started or has been
+ *                  finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
+                                  const unsigned char *aad,
+                                  size_t aad_len);
+
+/**
+ * \brief           Thus function feeds data to be encrypted or decrypted
+ *                  into an on-going ChaCha20-Poly1305
+ *                  operation.
+ *
+ *                  The direction (encryption or decryption) depends on the
+ *                  mode that was given when calling
+ *                  \c mbedtls_chachapoly_starts().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of data. It is permitted to call
+ *                  this function 0 times, if no data is to be encrypted
+ *                  or decrypted.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param len       The length (in bytes) of the data to encrypt or decrypt.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `len == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data is
+ *                  written. This must be able to hold \p len bytes.
+ *                  This pointer can be \c NULL if `len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
+                              size_t len,
+                              const unsigned char *input,
+                              unsigned char *output);
+
+/**
+ * \brief           This function finished the ChaCha20-Poly1305 operation and
+ *                  generates the MAC (authentication tag).
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
+                              unsigned char mac[16]);
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated encryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ *                  This must be initialized.
+ * \param length    The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated
+ *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data
+ *                  is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
+ *                  is written. This must not be \c NULL.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
+                                       size_t length,
+                                       const unsigned char nonce[12],
+                                       const unsigned char *aad,
+                                       size_t aad_len,
+                                       const unsigned char *input,
+                                       unsigned char *output,
+                                       unsigned char tag[16]);
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated decryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length    The length (in Bytes) of the data to decrypt.
+ * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated data (AAD).
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param tag       The buffer holding the authentication tag.
+ *                  This must be a readable buffer of length \c 16 Bytes.
+ * \param input     The buffer containing the data to decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the decrypted data is written.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ *                  if the data was not authentic.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
+                                    size_t length,
+                                    const unsigned char nonce[12],
+                                    const unsigned char *aad,
+                                    size_t aad_len,
+                                    const unsigned char tag[16],
+                                    const unsigned char *input,
+                                    unsigned char *output);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/common/mbedtls/check_config.h b/common/mbedtls/check_config.h
index b395844d5..7df541986 100644
--- a/common/mbedtls/check_config.h
+++ b/common/mbedtls/check_config.h
@@ -4,24 +4,20 @@
  * \brief Consistency checks for configuration options
  */
 /*
- *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -47,11 +43,16 @@
 #endif
 
 /* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
- * it would confuse config.pl. */
+ * it would confuse config.py. */
 #if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
     !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
 #define MBEDTLS_PLATFORM_SNPRINTF_ALT
 #endif
+
+#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
+#endif
 #endif /* _WIN32 */
 
 #if defined(TARGET_LIKE_MBED) && \
@@ -100,6 +101,18 @@
 
 #if defined(MBEDTLS_ECDSA_C) &&            \
     ( !defined(MBEDTLS_ECP_C) ||           \
+      !( defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
+         defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) ||   \
+         defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) ||   \
+         defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) ) || \
       !defined(MBEDTLS_ASN1_PARSE_C) ||    \
       !defined(MBEDTLS_ASN1_WRITE_C) )
 #error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
@@ -110,12 +123,33 @@
 #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO)          || \
+      defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+      defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
+      defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
+      defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
+      defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
+      defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
+      defined(MBEDTLS_ECP_ALT) )
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative or PSA-based ECP implementation"
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ! defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+#error "MBEDTLS_ECP_RESTARTABLE defined, but not MBEDTLS_ECDH_LEGACY_CONTEXT"
+#endif
+
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)           && \
+    defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+#error "MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED defined, but MBEDTLS_ECDH_LEGACY_CONTEXT not disabled"
+#endif
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (   \
-    !defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) &&                  \
+#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
     !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
@@ -126,10 +160,24 @@
     !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
     !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
-    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) )
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
+    !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
 #error "MBEDTLS_ECP_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_ECP_C) && !(            \
+    defined(MBEDTLS_ECP_ALT) ||             \
+    defined(MBEDTLS_CTR_DRBG_C) ||          \
+    defined(MBEDTLS_HMAC_DRBG_C) ||         \
+    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
+#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
 #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
                                     !defined(MBEDTLS_SHA256_C))
 #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
@@ -148,6 +196,16 @@
 #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
 #endif
 
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_HAS_MEMSAN
+#endif
+#endif
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) &&  !defined(MBEDTLS_HAS_MEMSAN)
+#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
+#endif
+#undef MBEDTLS_HAS_MEMSAN
+
 #if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
     ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
 #error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
@@ -159,7 +217,7 @@
 #endif
 
 #if defined(MBEDTLS_GCM_C) && (                                        \
-        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
+        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
 #error "MBEDTLS_GCM_C defined, but not all prerequisites"
 #endif
 
@@ -195,6 +253,10 @@
 #error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
+#endif
+
 #if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
 #error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
 #endif
@@ -208,12 +270,14 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
@@ -262,11 +326,27 @@
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) &&        \
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) &&              \
+    ( !defined(MBEDTLS_SHA256_C) &&                             \
+      !defined(MBEDTLS_SHA512_C) &&                             \
+      !defined(MBEDTLS_SHA1_C) )
+#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C"
+#endif
+
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
     ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
 #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_MEMORY_BACKTRACE) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_BACKTRACE defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_DEBUG) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequesites"
+#endif
+
 #if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
 #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
 #endif
@@ -296,6 +376,14 @@
 #error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PKCS11_C)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_PKCS11_C */
+
 #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
 #endif
@@ -489,6 +577,54 @@
 #error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
 #endif
 
+#if defined(MBEDTLS_PSA_CRYPTO_C) &&                                    \
+    !( ( ( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) ) && \
+         defined(MBEDTLS_ENTROPY_C) ) ||                                \
+       defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) )
+#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C) &&    \
+    ! ( defined(MBEDTLS_PSA_CRYPTO_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) )
+#error "MBEDTLS_PSA_CRYPTO_SE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
+    ! defined(MBEDTLS_PSA_CRYPTO_C)
+#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&      \
+    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
+       defined(MBEDTLS_ENTROPY_NV_SEED) )
+#error "MBEDTLS_PSA_INJECT_ENTROPY defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&              \
+    !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources"
+#endif
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&              \
+    defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG"
+#endif
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
+    !defined(MBEDTLS_FS_IO)
+#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \
+    defined(MBEDTLS_USE_PSA_CRYPTO)
+#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO."
+#endif
+
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
     !defined(MBEDTLS_OID_C) )
 #error "MBEDTLS_RSA_C defined, but not all prerequisites"
@@ -504,6 +640,10 @@
 #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C)
+#error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C"
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
     !defined(MBEDTLS_SHA1_C) )
 #error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
@@ -524,6 +664,28 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
+    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
+#endif
+
+#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
+     defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+    !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
+      defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                    \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                  \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                     \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                   \
+      defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                          \
+      defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                    \
+      defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
+#error "One or more versions of the TLS protocol are enabled " \
+"but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
     !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
     !defined(MBEDTLS_SSL_PROTO_TLS1_2)
@@ -579,6 +741,23 @@
 #error "MBEDTLS_SSL_DTLS_ANTI_REPLAY  defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)            &&                 \
+    defined(MBEDTLS_SSL_CID_IN_LEN_MAX) &&                 \
+    MBEDTLS_SSL_CID_IN_LEN_MAX > 255
+#error "MBEDTLS_SSL_CID_IN_LEN_MAX too large (max 255)"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)            &&                  \
+    defined(MBEDTLS_SSL_CID_OUT_LEN_MAX) &&                 \
+    MBEDTLS_SSL_CID_OUT_LEN_MAX > 255
+#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
+#endif
+
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
     ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
@@ -631,6 +810,10 @@
 #endif
 #undef MBEDTLS_THREADING_IMPL
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
 #error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
 #endif
@@ -647,6 +830,10 @@
 #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C)
+#error "MBEDTLS_CERTS_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
 #error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
 #endif
@@ -676,10 +863,42 @@
 #error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
 #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
 
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) && ( !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) )
+#error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites"
+#endif
+
 /*
  * Avoid warning from -pedantic. This is a convenient place for this
  * workaround since this is included by every single file before the
- * #if defined(MBEDTLS_xxx_C) that results in emtpy translation units.
+ * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
  */
 typedef int mbedtls_iso_c_forbids_empty_translation_units;
 
diff --git a/common/mbedtls/check_crypto_config.h b/common/mbedtls/check_crypto_config.h
new file mode 100644
index 000000000..cac90a0df
--- /dev/null
+++ b/common/mbedtls/check_crypto_config.h
@@ -0,0 +1,72 @@
+/**
+ * \file check_crypto_config.h
+ *
+ * \brief Consistency checks for PSA configuration options
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * It is recommended to include this file from your crypto_config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H
+#define MBEDTLS_CHECK_CRYPTO_CONFIG_H
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+    !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_ECDSA) && \
+    !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
+    !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
+    !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP) && \
+    !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PSS) && \
+    !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+       defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \
+    !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR defined, but not all prerequisites"
+#endif
+
+#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
diff --git a/common/mbedtls/cipher.c b/common/mbedtls/cipher.c
index 068626dcb..61941f56c 100644
--- a/common/mbedtls/cipher.c
+++ b/common/mbedtls/cipher.c
@@ -5,37 +5,30 @@
  *
  * \author Adriaan de Jong <dejong@fox-it.com>
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_CIPHER_C)
 
 #include "mbedtls/cipher.h"
 #include "mbedtls/cipher_internal.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <stdlib.h>
 #include <string.h>
@@ -60,6 +53,15 @@
 #include "mbedtls/cmac.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -67,13 +69,19 @@
 #define mbedtls_free   free
 #endif
 
+#define CIPHER_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
+#define CIPHER_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 /* Compare the contents of two buffers in constant time.
  * Returns 0 if the contents are bitwise identical, otherwise returns
  * a non-zero value.
  * This is currently only used by GCM and ChaCha20+Poly1305.
  */
-static int mbedtls_constant_time_memcmp(const void *v1, const void *v2, size_t len) {
+static int mbedtls_constant_time_memcmp(const void *v1, const void *v2,
+                                        size_t len) {
     const unsigned char *p1 = (const unsigned char *) v1;
     const unsigned char *p2 = (const unsigned char *) v2;
     size_t i;
@@ -82,7 +90,7 @@ static int mbedtls_constant_time_memcmp(const void *v1, const void *v2, size_t l
     for (diff = 0, i = 0; i < len; i++)
         diff |= p1[i] ^ p2[i];
 
-    return (int)diff;
+    return ((int)diff);
 }
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
@@ -107,7 +115,8 @@ const int *mbedtls_cipher_list(void) {
     return (mbedtls_cipher_supported);
 }
 
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type) {
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
+    const mbedtls_cipher_type_t cipher_type) {
     const mbedtls_cipher_definition_t *def;
 
     for (def = mbedtls_cipher_definitions; def->info != NULL; def++)
@@ -117,7 +126,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_
     return (NULL);
 }
 
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name) {
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
+    const char *cipher_name) {
     const mbedtls_cipher_definition_t *def;
 
     if (NULL == cipher_name)
@@ -130,9 +140,10 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_
     return (NULL);
 }
 
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,
-        int key_bitlen,
-        const mbedtls_cipher_mode_t mode) {
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
+    const mbedtls_cipher_id_t cipher_id,
+    int key_bitlen,
+    const mbedtls_cipher_mode_t mode) {
     const mbedtls_cipher_definition_t *def;
 
     for (def = mbedtls_cipher_definitions; def->info != NULL; def++)
@@ -145,6 +156,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_ciphe
 }
 
 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) {
+    CIPHER_VALIDATE(ctx != NULL);
     memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
 }
 
@@ -152,6 +164,26 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) {
     if (ctx == NULL)
         return;
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        if (ctx->cipher_ctx != NULL) {
+            mbedtls_cipher_context_psa *const cipher_psa =
+                (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+            if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
+                /* xxx_free() doesn't allow to return failures. */
+                (void) psa_destroy_key(cipher_psa->slot);
+            }
+
+            mbedtls_platform_zeroize(cipher_psa, sizeof(*cipher_psa));
+            mbedtls_free(cipher_psa);
+        }
+
+        mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
+        return;
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_CMAC_C)
     if (ctx->cmac_ctx) {
         mbedtls_platform_zeroize(ctx->cmac_ctx,
@@ -166,8 +198,10 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) {
     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
 }
 
-int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info) {
-    if (NULL == cipher_info || NULL == ctx)
+int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
+                         const mbedtls_cipher_info_t *cipher_info) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    if (cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
     memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
@@ -191,11 +225,104 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_inf
     return (0);
 }
 
-int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key,
-                          int key_bitlen, const mbedtls_operation_t operation) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+                             const mbedtls_cipher_info_t *cipher_info,
+                             size_t taglen) {
+    psa_algorithm_t alg;
+    mbedtls_cipher_context_psa *cipher_psa;
+
+    if (NULL == cipher_info || NULL == ctx)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
+    /* Check that the underlying cipher mode and cipher type are
+     * supported by the underlying PSA Crypto implementation. */
+    alg = mbedtls_psa_translate_cipher_mode(cipher_info->mode, taglen);
+    if (alg == 0)
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    if (mbedtls_psa_translate_cipher_type(cipher_info->type) == 0)
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+
+    memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+
+    cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
+    if (cipher_psa == NULL)
+        return (MBEDTLS_ERR_CIPHER_ALLOC_FAILED);
+    cipher_psa->alg  = alg;
+    ctx->cipher_ctx  = cipher_psa;
+    ctx->cipher_info = cipher_info;
+    ctx->psa_enabled = 1;
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
+                          const unsigned char *key,
+                          int key_bitlen,
+                          const mbedtls_operation_t operation) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(key != NULL);
+    CIPHER_VALIDATE_RET(operation == MBEDTLS_ENCRYPT ||
+                        operation == MBEDTLS_DECRYPT);
+    if (ctx->cipher_info == NULL)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        mbedtls_cipher_context_psa *const cipher_psa =
+            (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+        size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
+
+        psa_status_t status;
+        psa_key_type_t key_type;
+        psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+        /* PSA Crypto API only accepts byte-aligned keys. */
+        if (key_bitlen % 8 != 0)
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+        /* Don't allow keys to be set multiple times. */
+        if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET)
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+        key_type = mbedtls_psa_translate_cipher_type(
+                       ctx->cipher_info->type);
+        if (key_type == 0)
+            return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+        psa_set_key_type(&attributes, key_type);
+
+        /* Mbed TLS' cipher layer doesn't enforce the mode of operation
+         * (encrypt vs. decrypt): it is possible to setup a key for encryption
+         * and use it for AEAD decryption. Until tests relying on this
+         * are changed, allow any usage in PSA. */
+        psa_set_key_usage_flags(&attributes,
+                                /* mbedtls_psa_translate_cipher_operation( operation ); */
+                                PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+        psa_set_key_algorithm(&attributes, cipher_psa->alg);
+
+        status = psa_import_key(&attributes, key, key_bytelen,
+                                &cipher_psa->slot);
+        switch (status) {
+            case PSA_SUCCESS:
+                break;
+            case PSA_ERROR_INSUFFICIENT_MEMORY:
+                return (MBEDTLS_ERR_CIPHER_ALLOC_FAILED);
+            case PSA_ERROR_NOT_SUPPORTED:
+                return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+            default:
+                return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+        }
+        /* Indicate that we own the key slot and need to
+         * destroy it in mbedtls_cipher_free(). */
+        cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
+
+        ctx->key_bitlen = key_bitlen;
+        ctx->operation = operation;
+        return (0);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
     if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
             (int) ctx->cipher_info->key_bitlen != key_bitlen) {
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
@@ -211,23 +338,34 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *ke
             MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
             MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
             MBEDTLS_MODE_CTR == ctx->cipher_info->mode) {
-        return ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key,
-                                                       ctx->key_bitlen);
+        return (ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key,
+                                                        ctx->key_bitlen));
     }
 
     if (MBEDTLS_DECRYPT == operation)
-        return ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key,
-                                                       ctx->key_bitlen);
+        return (ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key,
+                                                        ctx->key_bitlen));
 
     return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 }
 
 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
-                          const unsigned char *iv, size_t iv_len) {
+                          const unsigned char *iv,
+                          size_t iv_len) {
     size_t actual_iv_size;
 
-    if (NULL == ctx || NULL == ctx->cipher_info || NULL == iv)
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     /* avoid buffer overflow in ctx->iv */
     if (iv_len > MBEDTLS_MAX_IV_LENGTH)
@@ -253,16 +391,27 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
     }
 #endif
 
-    memcpy(ctx->iv, iv, actual_iv_size);
-    ctx->iv_size = actual_iv_size;
+    if (actual_iv_size != 0) {
+        memcpy(ctx->iv, iv, actual_iv_size);
+        ctx->iv_size = actual_iv_size;
+    }
 
     return (0);
 }
 
 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* We don't support resetting PSA-based
+         * cipher contexts, yet. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
     ctx->unprocessed_len = 0;
 
     return (0);
@@ -271,13 +420,24 @@ int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) {
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
                              const unsigned char *ad, size_t ad_len) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_GCM_C)
     if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
-        return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
-                                  ctx->iv, ctx->iv_size, ad, ad_len);
+        return (mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
+                                   ctx->iv, ctx->iv_size, ad, ad_len));
     }
 #endif
 
@@ -296,8 +456,8 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
         if (result != 0)
             return (result);
 
-        return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
-                                             ad, ad_len);
+        return (mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+                                              ad, ad_len));
     }
 #endif
 
@@ -307,15 +467,30 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
 
 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
                           size_t ilen, unsigned char *output, size_t *olen) {
-    int ret;
-    size_t block_size = 0;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t block_size;
 
-    if (NULL == ctx || NULL == ctx->cipher_info || NULL == olen) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
     }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     *olen = 0;
     block_size = mbedtls_cipher_get_block_size(ctx);
+    if (0 == block_size) {
+        return (MBEDTLS_ERR_CIPHER_INVALID_CONTEXT);
+    }
 
     if (ctx->cipher_info->mode == MBEDTLS_MODE_ECB) {
         if (ilen != block_size)
@@ -334,23 +509,19 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
 #if defined(MBEDTLS_GCM_C)
     if (ctx->cipher_info->mode == MBEDTLS_MODE_GCM) {
         *olen = ilen;
-        return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
-                                  output);
+        return (mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
+                                   output));
     }
 #endif
 
 #if defined(MBEDTLS_CHACHAPOLY_C)
     if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
         *olen = ilen;
-        return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
-                                         ilen, input, output);
+        return (mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+                                          ilen, input, output));
     }
 #endif
 
-    if (0 == block_size) {
-        return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
-    }
-
     if (input == output &&
             (ctx->unprocessed_len != 0 || ilen % block_size)) {
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
@@ -403,10 +574,6 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
          * Cache final, incomplete block
          */
         if (0 != ilen) {
-            if (0 == block_size) {
-                return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
-            }
-
             /* Encryption: only cache partial blocks
              * Decryption w/ padding: always keep at least one whole block
              * Decryption w/o padding: only cache partial blocks
@@ -680,9 +847,21 @@ static int get_no_padding(unsigned char *input, size_t input_len,
 
 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
                           unsigned char *output, size_t *olen) {
-    if (NULL == ctx || NULL == ctx->cipher_info || NULL == olen)
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
     *olen = 0;
 
     if (MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
@@ -741,8 +920,8 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
 
         /* Set output size for decryption */
         if (MBEDTLS_DECRYPT == ctx->operation)
-            return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
-                                    olen);
+            return (ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
+                                     olen));
 
         /* Set output size for encryption */
         *olen = mbedtls_cipher_get_block_size(ctx);
@@ -756,12 +935,26 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
 }
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode) {
-    if (NULL == ctx ||
-            MBEDTLS_MODE_CBC != ctx->cipher_info->mode) {
+int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
+                                    mbedtls_cipher_padding_t mode) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+
+    if (NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode) {
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
     }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto knows about CBC padding
+         * schemes, we currently don't make them
+         * accessible through the cipher layer. */
+        if (mode != MBEDTLS_PADDING_NONE)
+            return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+
+        return (0);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
     switch (mode) {
 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
         case MBEDTLS_PADDING_PKCS7:
@@ -803,15 +996,27 @@ int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_ciphe
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
                              unsigned char *tag, size_t tag_len) {
-    if (NULL == ctx || NULL == ctx->cipher_info || NULL == tag)
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
+    if (ctx->cipher_info == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
     if (MBEDTLS_ENCRYPT != ctx->operation)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_GCM_C)
     if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode)
-        return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len);
+        return (mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
+                                   tag, tag_len));
 #endif
 
 #if defined(MBEDTLS_CHACHAPOLY_C)
@@ -820,8 +1025,8 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
         if (tag_len != 16U)
             return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
-        return mbedtls_chachapoly_finish((mbedtls_chachapoly_context *) ctx->cipher_ctx,
-                                         tag);
+        return (mbedtls_chachapoly_finish(
+                    (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag));
     }
 #endif
 
@@ -831,20 +1036,34 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
                              const unsigned char *tag, size_t tag_len) {
     unsigned char check_tag[16];
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if (NULL == ctx || NULL == ctx->cipher_info ||
-            MBEDTLS_DECRYPT != ctx->operation) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
+    if (ctx->cipher_info == NULL)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+    if (MBEDTLS_DECRYPT != ctx->operation) {
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
     }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* While PSA Crypto has an API for multipart
+         * operations, we currently don't make it
+         * accessible through the cipher layer. */
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_GCM_C)
     if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
         if (tag_len > sizeof(check_tag))
             return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
-        if (0 != (ret = mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
-                                           check_tag, tag_len))) {
+        if (0 != (ret = mbedtls_gcm_finish(
+                            (mbedtls_gcm_context *) ctx->cipher_ctx,
+                            check_tag, tag_len))) {
             return (ret);
         }
 
@@ -862,8 +1081,8 @@ int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
         if (tag_len != sizeof(check_tag))
             return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
 
-        ret = mbedtls_chachapoly_finish((mbedtls_chachapoly_context *) ctx->cipher_ctx,
-                                        check_tag);
+        ret = mbedtls_chachapoly_finish(
+                  (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
         if (ret != 0) {
             return (ret);
         }
@@ -887,19 +1106,80 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
                          const unsigned char *iv, size_t iv_len,
                          const unsigned char *input, size_t ilen,
                          unsigned char *output, size_t *olen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t finish_olen;
 
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* As in the non-PSA case, we don't check that
+         * a key has been set. If not, the key slot will
+         * still be in its default state of 0, which is
+         * guaranteed to be invalid, hence the PSA-call
+         * below will gracefully fail. */
+        mbedtls_cipher_context_psa *const cipher_psa =
+            (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+        psa_status_t status;
+        psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
+        size_t part_len;
+
+        if (ctx->operation == MBEDTLS_DECRYPT) {
+            status = psa_cipher_decrypt_setup(&cipher_op,
+                                              cipher_psa->slot,
+                                              cipher_psa->alg);
+        } else if (ctx->operation == MBEDTLS_ENCRYPT) {
+            status = psa_cipher_encrypt_setup(&cipher_op,
+                                              cipher_psa->slot,
+                                              cipher_psa->alg);
+        } else
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+        /* In the following, we can immediately return on an error,
+         * because the PSA Crypto API guarantees that cipher operations
+         * are terminated by unsuccessful calls to psa_cipher_update(),
+         * and by any call to psa_cipher_finish(). */
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        status = psa_cipher_update(&cipher_op,
+                                   input, ilen,
+                                   output, ilen, olen);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        status = psa_cipher_finish(&cipher_op,
+                                   output + *olen, ilen - *olen,
+                                   &part_len);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        *olen += part_len;
+        return (0);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
     if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0)
         return (ret);
 
     if ((ret = mbedtls_cipher_reset(ctx)) != 0)
         return (ret);
 
-    if ((ret = mbedtls_cipher_update(ctx, input, ilen, output, olen)) != 0)
+    if ((ret = mbedtls_cipher_update(ctx, input, ilen,
+                                     output, olen)) != 0)
         return (ret);
 
-    if ((ret = mbedtls_cipher_finish(ctx, output + *olen, &finish_olen)) != 0)
+    if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
+                                     &finish_olen)) != 0)
         return (ret);
 
     *olen += finish_olen;
@@ -909,20 +1189,52 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
 /*
- * Packet-oriented encryption for AEAD modes
+ * Packet-oriented encryption for AEAD modes: internal function shared by
+ * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
  */
-int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
-                                const unsigned char *iv, size_t iv_len,
-                                const unsigned char *ad, size_t ad_len,
-                                const unsigned char *input, size_t ilen,
-                                unsigned char *output, size_t *olen,
-                                unsigned char *tag, size_t tag_len) {
+static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
+                                       const unsigned char *iv, size_t iv_len,
+                                       const unsigned char *ad, size_t ad_len,
+                                       const unsigned char *input, size_t ilen,
+                                       unsigned char *output, size_t *olen,
+                                       unsigned char *tag, size_t tag_len) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* As in the non-PSA case, we don't check that
+         * a key has been set. If not, the key slot will
+         * still be in its default state of 0, which is
+         * guaranteed to be invalid, hence the PSA-call
+         * below will gracefully fail. */
+        mbedtls_cipher_context_psa *const cipher_psa =
+            (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+        psa_status_t status;
+
+        /* PSA Crypto API always writes the authentication tag
+         * at the end of the encrypted message. */
+        if (output == NULL || tag != output + ilen)
+            return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+
+        status = psa_aead_encrypt(cipher_psa->slot,
+                                  cipher_psa->alg,
+                                  iv, iv_len,
+                                  ad, ad_len,
+                                  input, ilen,
+                                  output, ilen + tag_len, olen);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        *olen -= tag_len;
+        return (0);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_GCM_C)
     if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
         *olen = ilen;
-        return (mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
-                                          iv, iv_len, ad, ad_len, input, output,
-                                          tag_len, tag));
+        return (mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
+                                          ilen, iv, iv_len, ad, ad_len,
+                                          input, output, tag_len, tag));
     }
 #endif /* MBEDTLS_GCM_C */
 #if defined(MBEDTLS_CCM_C)
@@ -951,17 +1263,50 @@ int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
 }
 
 /*
- * Packet-oriented decryption for AEAD modes
+ * Packet-oriented encryption for AEAD modes: internal function shared by
+ * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
  */
-int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
-                                const unsigned char *iv, size_t iv_len,
-                                const unsigned char *ad, size_t ad_len,
-                                const unsigned char *input, size_t ilen,
-                                unsigned char *output, size_t *olen,
-                                const unsigned char *tag, size_t tag_len) {
+static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
+                                       const unsigned char *iv, size_t iv_len,
+                                       const unsigned char *ad, size_t ad_len,
+                                       const unsigned char *input, size_t ilen,
+                                       unsigned char *output, size_t *olen,
+                                       const unsigned char *tag, size_t tag_len) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (ctx->psa_enabled == 1) {
+        /* As in the non-PSA case, we don't check that
+         * a key has been set. If not, the key slot will
+         * still be in its default state of 0, which is
+         * guaranteed to be invalid, hence the PSA-call
+         * below will gracefully fail. */
+        mbedtls_cipher_context_psa *const cipher_psa =
+            (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+        psa_status_t status;
+
+        /* PSA Crypto API always writes the authentication tag
+         * at the end of the encrypted message. */
+        if (input == NULL || tag != input + ilen)
+            return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+
+        status = psa_aead_decrypt(cipher_psa->slot,
+                                  cipher_psa->alg,
+                                  iv, iv_len,
+                                  ad, ad_len,
+                                  input, ilen + tag_len,
+                                  output, ilen, olen);
+        if (status == PSA_ERROR_INVALID_SIGNATURE)
+            return (MBEDTLS_ERR_CIPHER_AUTH_FAILED);
+        else if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED);
+
+        return (0);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_GCM_C)
     if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
-        int ret;
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
         *olen = ilen;
         ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
@@ -976,7 +1321,7 @@ int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
 #endif /* MBEDTLS_GCM_C */
 #if defined(MBEDTLS_CCM_C)
     if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
-        int ret;
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
         *olen = ilen;
         ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
@@ -991,7 +1336,7 @@ int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
 #endif /* MBEDTLS_CCM_C */
 #if defined(MBEDTLS_CHACHAPOLY_C)
     if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
-        int ret;
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
         /* ChachaPoly has fixed length nonce and MAC (tag) */
         if ((iv_len != ctx->cipher_info->iv_size) ||
@@ -1012,6 +1357,160 @@ int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
 
     return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
 }
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Packet-oriented encryption for AEAD modes: public legacy function.
+ */
+int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
+                                const unsigned char *iv, size_t iv_len,
+                                const unsigned char *ad, size_t ad_len,
+                                const unsigned char *input, size_t ilen,
+                                unsigned char *output, size_t *olen,
+                                unsigned char *tag, size_t tag_len) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+    CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
+
+    return (mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
+                                        input, ilen, output, olen,
+                                        tag, tag_len));
+}
+
+/*
+ * Packet-oriented decryption for AEAD modes: public legacy function.
+ */
+int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
+                                const unsigned char *iv, size_t iv_len,
+                                const unsigned char *ad, size_t ad_len,
+                                const unsigned char *input, size_t ilen,
+                                unsigned char *output, size_t *olen,
+                                const unsigned char *tag, size_t tag_len) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+    CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
+
+    return (mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
+                                        input, ilen, output, olen,
+                                        tag, tag_len));
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/*
+ * Packet-oriented encryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
+                                    const unsigned char *iv, size_t iv_len,
+                                    const unsigned char *ad, size_t ad_len,
+                                    const unsigned char *input, size_t ilen,
+                                    unsigned char *output, size_t output_len,
+                                    size_t *olen, size_t tag_len) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+
+#if defined(MBEDTLS_NIST_KW_C)
+    if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        ctx->psa_enabled == 0 &&
+#endif
+        (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
+         MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
+        mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
+                                      MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+        /* There is no iv, tag or ad associated with KW and KWP,
+         * so these length should be 0 as documented. */
+        if (iv_len != 0 || tag_len != 0 || ad_len != 0)
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+        (void) iv;
+        (void) ad;
+
+        return (mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
+                                     output, olen, output_len));
+    }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+    /* AEAD case: check length before passing on to shared function */
+    if (output_len < ilen + tag_len)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+    int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
+                                          input, ilen, output, olen,
+                                          output + ilen, tag_len);
+    *olen += tag_len;
+    return (ret);
+#else
+    return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+
+/*
+ * Packet-oriented decryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
+                                    const unsigned char *iv, size_t iv_len,
+                                    const unsigned char *ad, size_t ad_len,
+                                    const unsigned char *input, size_t ilen,
+                                    unsigned char *output, size_t output_len,
+                                    size_t *olen, size_t tag_len) {
+    CIPHER_VALIDATE_RET(ctx != NULL);
+    CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
+    CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
+    CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
+    CIPHER_VALIDATE_RET(output_len == 0 || output != NULL);
+    CIPHER_VALIDATE_RET(olen != NULL);
+
+#if defined(MBEDTLS_NIST_KW_C)
+    if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        ctx->psa_enabled == 0 &&
+#endif
+        (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
+         MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
+        mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
+                                      MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+        /* There is no iv, tag or ad associated with KW and KWP,
+         * so these length should be 0 as documented. */
+        if (iv_len != 0 || tag_len != 0 || ad_len != 0)
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+        (void) iv;
+        (void) ad;
+
+        return (mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
+                                       output, olen, output_len));
+    }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+    /* AEAD case: check length before passing on to shared function */
+    if (ilen < tag_len || output_len < ilen - tag_len)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+    return (mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
+                                        input, ilen - tag_len, output, olen,
+                                        input + ilen - tag_len, tag_len));
+#else
+    return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
+
 #endif /* MBEDTLS_CIPHER_C */
diff --git a/common/mbedtls/cipher.h b/common/mbedtls/cipher.h
index c653890ad..63533924d 100644
--- a/common/mbedtls/cipher.h
+++ b/common/mbedtls/cipher.h
@@ -8,36 +8,33 @@
  * \author Adriaan de Jong <dejong@fox-it.com>
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_CIPHER_H
 #define MBEDTLS_CIPHER_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
 #include <stddef.h>
+#include "mbedtls/platform_util.h"
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 #define MBEDTLS_CIPHER_MODE_AEAD
@@ -64,6 +61,8 @@
 #define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280  /**< Decryption of block requires a full block. */
 #define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300  /**< Authentication failed (for AEAD modes). */
 #define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380  /**< The context is invalid. For example, because it was freed. */
+
+/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400  /**< Cipher hardware accelerator failed. */
 
 #define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
@@ -175,21 +174,29 @@ typedef enum {
     MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
     MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
     MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
+    MBEDTLS_CIPHER_AES_128_KW,           /**< AES cipher with 128-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_192_KW,           /**< AES cipher with 192-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_256_KW,           /**< AES cipher with 256-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_128_KWP,          /**< AES cipher with 128-bit NIST KWP mode. */
+    MBEDTLS_CIPHER_AES_192_KWP,          /**< AES cipher with 192-bit NIST KWP mode. */
+    MBEDTLS_CIPHER_AES_256_KWP,          /**< AES cipher with 256-bit NIST KWP mode. */
 } mbedtls_cipher_type_t;
 
 /** Supported cipher modes. */
 typedef enum {
-    MBEDTLS_MODE_NONE = 0,               /**< None. */
-    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode. */
-    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode. */
-    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode. */
-    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode. */
-    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode. */
-    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode. */
-    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode. */
-    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode. */
-    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode. */
+    MBEDTLS_MODE_NONE = 0,               /**< None.                        */
+    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode.         */
+    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode.         */
+    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode.         */
+    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode.         */
+    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode.         */
+    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode.         */
+    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode.      */
+    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
+    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
+    MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
+    MBEDTLS_MODE_KWP,                    /**< The SP800-38F KWP mode */
 } mbedtls_cipher_mode_t;
 
 /** Supported cipher padding types. */
@@ -220,10 +227,30 @@ enum {
 };
 
 /** Maximum length of any IV, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
+ * in ssl_internal.h. */
 #define MBEDTLS_MAX_IV_LENGTH      16
+
 /** Maximum block size of any cipher, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in ssl_internal.h. */
 #define MBEDTLS_MAX_BLOCK_LENGTH   16
 
+/** Maximum key length, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * For now, only check whether XTS is enabled which uses 64 Byte keys,
+ * and use 32 Bytes as an upper bound for the maximum key length otherwise.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in ssl_internal.h, which however deliberately ignores the case of XTS
+ * since the latter isn't used in SSL/TLS. */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#define MBEDTLS_MAX_KEY_LENGTH     64
+#else
+#define MBEDTLS_MAX_KEY_LENGTH     32
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 /**
  * Base cipher information (opaque struct).
  */
@@ -319,14 +346,32 @@ typedef struct mbedtls_cipher_context_t {
     /** CMAC-specific context. */
     mbedtls_cmac_context_t *cmac_ctx;
 #endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    /** Indicates whether the cipher operations should be performed
+     *  by Mbed TLS' own crypto library or an external implementation
+     *  of the PSA Crypto API.
+     *  This is unset if the cipher context was established through
+     *  mbedtls_cipher_setup(), and set if it was established through
+     *  mbedtls_cipher_setup_psa().
+     */
+    unsigned char psa_enabled;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 } mbedtls_cipher_context_t;
 
 /**
- * \brief This function retrieves the list of ciphers supported by the generic
- * cipher module.
+ * \brief This function retrieves the list of ciphers supported
+ *        by the generic cipher module.
  *
- * \return      A statically-allocated array of ciphers. The last entry
- *              is zero.
+ *        For any cipher identifier in the returned list, you can
+ *        obtain the corresponding generic cipher information structure
+ *        via mbedtls_cipher_info_from_type(), which can then be used
+ *        to prepare a cipher context via mbedtls_cipher_setup().
+ *
+ *
+ * \return      A statically-allocated array of cipher identifiers
+ *              of type cipher_type_t. The last entry is zero.
  */
 const int *mbedtls_cipher_list(void);
 
@@ -334,11 +379,12 @@ const int *mbedtls_cipher_list(void);
  * \brief               This function retrieves the cipher-information
  *                      structure associated with the given cipher name.
  *
- * \param cipher_name   Name of the cipher to search for.
+ * \param cipher_name   Name of the cipher to search for. This must not be
+ *                      \c NULL.
  *
  * \return              The cipher information structure associated with the
  *                      given \p cipher_name.
- * \return              NULL if the associated cipher information is not found.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name);
 
@@ -350,7 +396,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_
  *
  * \return              The cipher information structure associated with the
  *                      given \p cipher_type.
- * \return              NULL if the associated cipher information is not found.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type);
 
@@ -366,7 +412,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_
  *
  * \return              The cipher information structure associated with the
  *                      given \p cipher_id.
- * \return              NULL if the associated cipher information is not found.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,
         int key_bitlen,
@@ -374,6 +420,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_ciphe
 
 /**
  * \brief               This function initializes a \p cipher_context as NONE.
+ *
+ * \param ctx           The context to be initialized. This must not be \c NULL.
  */
 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx);
 
@@ -381,16 +429,19 @@ void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx);
  * \brief               This function frees and clears the cipher-specific
  *                      context of \p ctx. Freeing \p ctx itself remains the
  *                      responsibility of the caller.
+ *
+ * \param ctx           The context to be freed. If this is \c NULL, the
+ *                      function has no effect, otherwise this must point to an
+ *                      initialized context.
  */
 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
 
 
 /**
- * \brief               This function initializes and fills the cipher-context
- *                      structure with the appropriate values. It also clears
- *                      the structure.
+ * \brief               This function initializes a cipher context for
+ *                      use with the given cipher primitive.
  *
- * \param ctx           The context to initialize. May not be NULL.
+ * \param ctx           The context to initialize. This must be initialized.
  * \param cipher_info   The cipher to use.
  *
  * \return              \c 0 on success.
@@ -403,18 +454,48 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
  * In future versions, the caller will be required to call
  * mbedtls_cipher_init() on the structure first.
  */
-int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info);
+int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
+                         const mbedtls_cipher_info_t *cipher_info);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief               This function initializes a cipher context for
+ *                      PSA-based use with the given cipher primitive.
+ *
+ * \note                See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
+ *
+ * \param ctx           The context to initialize. May not be \c NULL.
+ * \param cipher_info   The cipher to use.
+ * \param taglen        For AEAD ciphers, the length in bytes of the
+ *                      authentication tag to use. Subsequent uses of
+ *                      mbedtls_cipher_auth_encrypt() or
+ *                      mbedtls_cipher_auth_decrypt() must provide
+ *                      the same tag length.
+ *                      For non-AEAD ciphers, the value must be \c 0.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ *                      cipher-specific context fails.
+ */
+int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+                             const mbedtls_cipher_info_t *cipher_info,
+                             size_t taglen);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 /**
  * \brief        This function returns the block size of the given cipher.
  *
- * \param ctx    The context of the cipher. Must be initialized.
+ * \param ctx    The context of the cipher. This must be initialized.
  *
- * \return       The size of the blocks of the cipher.
- * \return       0 if \p ctx has not been initialized.
+ * \return       The block size of the underlying cipher.
+ * \return       \c 0 if \p ctx has not been initialized.
  */
-static inline unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline unsigned int mbedtls_cipher_get_block_size(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
+    if (ctx->cipher_info == NULL)
         return 0;
 
     return ctx->cipher_info->block_size;
@@ -424,13 +505,15 @@ static inline unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_co
  * \brief        This function returns the mode of operation for
  *               the cipher. For example, MBEDTLS_MODE_CBC.
  *
- * \param ctx    The context of the cipher. Must be initialized.
+ * \param ctx    The context of the cipher. This must be initialized.
  *
  * \return       The mode of operation.
  * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
+    if (ctx->cipher_info == NULL)
         return MBEDTLS_MODE_NONE;
 
     return ctx->cipher_info->mode;
@@ -440,14 +523,16 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(const mbedtls
  * \brief       This function returns the size of the IV or nonce
  *              of the cipher, in Bytes.
  *
- * \param ctx   The context of the cipher. Must be initialized.
+ * \param ctx   The context of the cipher. This must be initialized.
  *
  * \return      The recommended IV size if no IV has been set.
  * \return      \c 0 for ciphers not using an IV or a nonce.
  * \return      The actual size if an IV has been set.
  */
-static inline int mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline int mbedtls_cipher_get_iv_size(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
+    if (ctx->cipher_info == NULL)
         return 0;
 
     if (ctx->iv_size != 0)
@@ -459,13 +544,16 @@ static inline int mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t *ctx
 /**
  * \brief               This function returns the type of the given cipher.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
  * \return              The type of the cipher.
  * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_CIPHER_NONE);
+    if (ctx->cipher_info == NULL)
         return MBEDTLS_CIPHER_NONE;
 
     return ctx->cipher_info->type;
@@ -475,13 +563,15 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(const mbedtls_cipher
  * \brief               This function returns the name of the given cipher
  *                      as a string.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
  * \return              The name of the cipher.
  * \return              NULL if \p ctx has not been not initialized.
  */
-static inline const char *mbedtls_cipher_get_name(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline const char *mbedtls_cipher_get_name(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
+    if (ctx->cipher_info == NULL)
         return 0;
 
     return ctx->cipher_info->name;
@@ -490,14 +580,17 @@ static inline const char *mbedtls_cipher_get_name(const mbedtls_cipher_context_t
 /**
  * \brief               This function returns the key length of the cipher.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
  * \return              The key length of the cipher in bits.
  * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
  *                      initialized.
  */
-static inline int mbedtls_cipher_get_key_bitlen(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline int mbedtls_cipher_get_key_bitlen(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
+    if (ctx->cipher_info == NULL)
         return MBEDTLS_KEY_LENGTH_NONE;
 
     return (int) ctx->cipher_info->key_bitlen;
@@ -506,13 +599,16 @@ static inline int mbedtls_cipher_get_key_bitlen(const mbedtls_cipher_context_t *
 /**
  * \brief          This function returns the operation of the given cipher.
  *
- * \param ctx      The context of the cipher. Must be initialized.
+ * \param ctx      The context of the cipher. This must be initialized.
  *
  * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
  * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_operation_t mbedtls_cipher_get_operation(const mbedtls_cipher_context_t *ctx) {
-    if (NULL == ctx || NULL == ctx->cipher_info)
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+    const mbedtls_cipher_context_t *ctx) {
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_OPERATION_NONE);
+    if (ctx->cipher_info == NULL)
         return MBEDTLS_OPERATION_NONE;
 
     return ctx->operation;
@@ -521,11 +617,11 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation(const mbedtls_cip
 /**
  * \brief               This function sets the key to use with the given context.
  *
- * \param ctx           The generic cipher context. May not be NULL. Must have
- *                      been initialized using mbedtls_cipher_info_from_type()
- *                      or mbedtls_cipher_info_from_string().
- * \param key           The key to use.
- * \param key_bitlen    The key length to use, in bits.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param key           The key to use. This must be a readable buffer of at
+ *                      least \p key_bitlen Bits.
+ * \param key_bitlen    The key length to use, in Bits.
  * \param operation     The operation that the key will be used for:
  *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
  *
@@ -534,8 +630,10 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation(const mbedtls_cip
  *                      parameter-verification failure.
  * \return              A cipher-specific error code on failure.
  */
-int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key,
-                          int key_bitlen, const mbedtls_operation_t operation);
+int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
+                          const unsigned char *key,
+                          int key_bitlen,
+                          const mbedtls_operation_t operation);
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
 /**
@@ -544,7 +642,8 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *ke
  *
  *                      The default passing mode is PKCS7 padding.
  *
- * \param ctx           The generic cipher context.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
  * \param mode          The padding mode.
  *
  * \return              \c 0 on success.
@@ -553,7 +652,8 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *ke
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
  *                      does not support padding.
  */
-int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode);
+int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
+                                    mbedtls_cipher_padding_t mode);
 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
 
 /**
@@ -563,8 +663,10 @@ int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_ciphe
  * \note            Some ciphers do not use IVs nor nonce. For these
  *                  ciphers, this function has no effect.
  *
- * \param ctx       The generic cipher context.
- * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param ctx       The generic cipher context. This must be initialized and
+ *                  bound to a cipher information structure.
+ * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ *                  must be a readable buffer of at least \p iv_len Bytes.
  * \param iv_len    The IV length for ciphers with variable-size IV.
  *                  This parameter is discarded by ciphers with fixed-size IV.
  *
@@ -573,12 +675,13 @@ int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_ciphe
  *                  parameter-verification failure.
  */
 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
-                          const unsigned char *iv, size_t iv_len);
+                          const unsigned char *iv,
+                          size_t iv_len);
 
 /**
  * \brief         This function resets the cipher state.
  *
- * \param ctx     The generic cipher context.
+ * \param ctx     The generic cipher context. This must be initialized.
  *
  * \return        \c 0 on success.
  * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -590,11 +693,13 @@ int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx);
 /**
  * \brief               This function adds additional data for AEAD ciphers.
  *                      Currently supported with GCM and ChaCha20+Poly1305.
- *                      Must be called exactly once, after mbedtls_cipher_reset().
+ *                      This must be called exactly once, after
+ *                      mbedtls_cipher_reset().
  *
- * \param ctx           The generic cipher context.
- * \param ad            The additional data to use.
- * \param ad_len        the Length of \p ad.
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param ad            The additional data to use. This must be a readable
+ *                      buffer of at least \p ad_len Bytes.
+ * \param ad_len        The length of \p ad in Bytes.
  *
  * \return              \c 0 on success.
  * \return              A specific error code on failure.
@@ -618,14 +723,17 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
  *                      mbedtls_cipher_finish(), must have \p ilen as a
  *                      multiple of the block size of the cipher.
  *
- * \param ctx           The generic cipher context.
- * \param input         The buffer holding the input data.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. Must be able to hold at
- *                      least \p ilen + block_size. Must not be the same buffer
- *                      as input.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -634,8 +742,10 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
  *                      unsupported mode for a cipher.
  * \return              A cipher-specific error code on failure.
  */
-int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
-                          size_t ilen, unsigned char *output, size_t *olen);
+int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
+                          const unsigned char *input,
+                          size_t ilen, unsigned char *output,
+                          size_t *olen);
 
 /**
  * \brief               The generic cipher finalization function. If data still
@@ -643,9 +753,12 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
  *                      contained in it is padded to the size of
  *                      the last block, and written to the \p output buffer.
  *
- * \param ctx           The generic cipher context.
- * \param output        The buffer to write data to. Needs block_size available.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param output        The buffer to write data to. This needs to be a writable
+ *                      buffer of at least \p block_size Bytes.
  * \param olen          The length of the data written to the \p output buffer.
+ *                      This may not be \c NULL.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -663,10 +776,14 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
 /**
  * \brief               This function writes a tag for AEAD ciphers.
  *                      Currently supported with GCM and ChaCha20+Poly1305.
- *                      Must be called after mbedtls_cipher_finish().
+ *                      This must be called after mbedtls_cipher_finish().
  *
- * \param ctx           The generic cipher context.
- * \param tag           The buffer to write the tag to.
+ * \param ctx           The generic cipher context. This must be initialized,
+ *                      bound to a key, and have just completed a cipher
+ *                      operation through mbedtls_cipher_finish() the tag for
+ *                      which should be written.
+ * \param tag           The buffer to write the tag to. This must be a writable
+ *                      buffer of at least \p tag_len Bytes.
  * \param tag_len       The length of the tag to write.
  *
  * \return              \c 0 on success.
@@ -678,10 +795,11 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
 /**
  * \brief               This function checks the tag for AEAD ciphers.
  *                      Currently supported with GCM and ChaCha20+Poly1305.
- *                      Must be called after mbedtls_cipher_finish().
+ *                      This must be called after mbedtls_cipher_finish().
  *
- * \param ctx           The generic cipher context.
- * \param tag           The buffer holding the tag.
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param tag           The buffer holding the tag. This must be a readable
+ *                      buffer of at least \p tag_len Bytes.
  * \param tag_len       The length of the tag to check.
  *
  * \return              \c 0 on success.
@@ -695,18 +813,22 @@ int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
  * \brief               The generic all-in-one encryption/decryption function,
  *                      for all ciphers except AEAD constructs.
  *
- * \param ctx           The generic cipher context.
+ * \param ctx           The generic cipher context. This must be initialized.
  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
  * \param iv_len        The IV length for ciphers with variable-size IV.
  *                      This parameter is discarded by ciphers with fixed-size
  *                      IV.
- * \param input         The buffer holding the input data.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. Must be able to hold at
- *                      least \p ilen + block_size. Must not be the same buffer
- *                      as input.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data in Bytes.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
  *
  * \note                Some ciphers do not use IVs nor nonce. For these
  *                      ciphers, use \p iv = NULL and \p iv_len = 0.
@@ -726,23 +848,52 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
                          unsigned char *output, size_t *olen);
 
 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_WARNING */
 /**
- * \brief               The generic autenticated encryption (AEAD) function.
+ * \brief               The generic authenticated encryption (AEAD) function.
  *
- * \param ctx           The generic cipher context.
- * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
- * \param iv_len        The IV length for ciphers with variable-size IV.
- *                      This parameter is discarded by ciphers with fixed-size IV.
- * \param ad            The additional data to authenticate.
+ * \deprecated          Superseded by mbedtls_cipher_auth_encrypt_ext().
+ *
+ * \note                This function only supports AEAD algorithms, not key
+ *                      wrapping algorithms such as NIST_KW; for this, see
+ *                      mbedtls_cipher_auth_encrypt_ext().
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key associated with an AEAD algorithm.
+ * \param iv            The nonce to use. This must be a readable buffer of
+ *                      at least \p iv_len Bytes and must not be \c NULL.
+ * \param iv_len        The length of the nonce. This must satisfy the
+ *                      constraints imposed by the AEAD cipher used.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes, and may
+ *                      be \c NULL is \p ad_len is \c 0.
  * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes, and may be
+ *                      \c NULL if \p ilen is \c 0.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data.
- *                      Must be able to hold at least \p ilen.
- * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
- * \param tag           The buffer for the authentication tag.
- * \param tag_len       The desired length of the authentication tag.
+ * \param output        The buffer for the output data. This must be a
+ *                      writable buffer of at least \p ilen Bytes, and must
+ *                      not be \c NULL.
+ * \param olen          This will be filled with the actual number of Bytes
+ *                      written to the \p output buffer. This must point to a
+ *                      writable object of type \c size_t.
+ * \param tag           The buffer for the authentication tag. This must be a
+ *                      writable buffer of at least \p tag_len Bytes. See note
+ *                      below regarding restrictions with PSA-based contexts.
+ * \param tag_len       The desired length of the authentication tag. This
+ *                      must match the constraints imposed by the AEAD cipher
+ *                      used, and in particular must not be \c 0.
+ *
+ * \note                If the context is based on PSA (that is, it was set up
+ *                      with mbedtls_cipher_setup_psa()), then it is required
+ *                      that \c tag == output + ilen. That is, the tag must be
+ *                      appended to the ciphertext as recommended by RFC 5116.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -754,29 +905,53 @@ int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
                                 const unsigned char *ad, size_t ad_len,
                                 const unsigned char *input, size_t ilen,
                                 unsigned char *output, size_t *olen,
-                                unsigned char *tag, size_t tag_len);
+                                unsigned char *tag, size_t tag_len)
+MBEDTLS_DEPRECATED;
 
 /**
- * \brief               The generic autenticated decryption (AEAD) function.
+ * \brief               The generic authenticated decryption (AEAD) function.
+ *
+ * \deprecated          Superseded by mbedtls_cipher_auth_decrypt_ext().
+ *
+ * \note                This function only supports AEAD algorithms, not key
+ *                      wrapping algorithms such as NIST_KW; for this, see
+ *                      mbedtls_cipher_auth_decrypt_ext().
  *
  * \note                If the data is not authentic, then the output buffer
  *                      is zeroed out to prevent the unauthentic plaintext being
  *                      used, making this interface safer.
  *
- * \param ctx           The generic cipher context.
- * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
- * \param iv_len        The IV length for ciphers with variable-size IV.
- *                      This parameter is discarded by ciphers with fixed-size IV.
- * \param ad            The additional data to be authenticated.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key associated with an AEAD algorithm.
+ * \param iv            The nonce to use. This must be a readable buffer of
+ *                      at least \p iv_len Bytes and must not be \c NULL.
+ * \param iv_len        The length of the nonce. This must satisfy the
+ *                      constraints imposed by the AEAD cipher used.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes, and may
+ *                      be \c NULL is \p ad_len is \c 0.
  * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes, and may be
+ *                      \c NULL if \p ilen is \c 0.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data.
- *                      Must be able to hold at least \p ilen.
- * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
- * \param tag           The buffer holding the authentication tag.
- * \param tag_len       The length of the authentication tag.
+ * \param output        The buffer for the output data. This must be a
+ *                      writable buffer of at least \p ilen Bytes, and must
+ *                      not be \c NULL.
+ * \param olen          This will be filled with the actual number of Bytes
+ *                      written to the \p output buffer. This must point to a
+ *                      writable object of type \c size_t.
+ * \param tag           The buffer for the authentication tag. This must be a
+ *                      readable buffer of at least \p tag_len Bytes. See note
+ *                      below regarding restrictions with PSA-based contexts.
+ * \param tag_len       The length of the authentication tag. This must match
+ *                      the constraints imposed by the AEAD cipher used, and in
+ *                      particular must not be \c 0.
+ *
+ * \note                If the context is based on PSA (that is, it was set up
+ *                      with mbedtls_cipher_setup_psa()), then it is required
+ *                      that \c tag == input + len. That is, the tag must be
+ *                      appended to the ciphertext as recommended by RFC 5116.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -789,9 +964,120 @@ int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
                                 const unsigned char *ad, size_t ad_len,
                                 const unsigned char *input, size_t ilen,
                                 unsigned char *output, size_t *olen,
-                                const unsigned char *tag, size_t tag_len);
+                                const unsigned char *tag, size_t tag_len)
+MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/**
+ * \brief               The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note                For AEAD modes, the tag will be appended to the
+ *                      ciphertext, as recommended by RFC 5116.
+ *                      (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv            The nonce to use. This must be a readable buffer of
+ *                      at least \p iv_len Bytes and may be \c NULL if \p
+ *                      iv_len is \c 0.
+ * \param iv_len        The length of the nonce. For AEAD ciphers, this must
+ *                      satisfy the constraints imposed by the cipher used.
+ *                      For NIST_KW, this must be \c 0.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes, and may
+ *                      be \c NULL is \p ad_len is \c 0.
+ * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes, and may be
+ *                      \c NULL if \p ilen is \c 0.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. This must be a
+ *                      writable buffer of at least \p output_len Bytes, and
+ *                      must not be \c NULL.
+ * \param output_len    The length of the \p output buffer in Bytes. For AEAD
+ *                      ciphers, this must be at least \p ilen + \p tag_len.
+ *                      For NIST_KW, this must be at least \p ilen + 8
+ *                      (rounded up to a multiple of 8 if KWP is used);
+ *                      \p ilen + 15 is always a safe value.
+ * \param olen          This will be filled with the actual number of Bytes
+ *                      written to the \p output buffer. This must point to a
+ *                      writable object of type \c size_t.
+ * \param tag_len       The desired length of the authentication tag. For AEAD
+ *                      ciphers, this must match the constraints imposed by
+ *                      the cipher used, and in particular must not be \c 0.
+ *                      For NIST_KW, this must be \c 0.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
+                                    const unsigned char *iv, size_t iv_len,
+                                    const unsigned char *ad, size_t ad_len,
+                                    const unsigned char *input, size_t ilen,
+                                    unsigned char *output, size_t output_len,
+                                    size_t *olen, size_t tag_len);
+
+/**
+ * \brief               The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note                If the data is not authentic, then the output buffer
+ *                      is zeroed out to prevent the unauthentic plaintext being
+ *                      used, making this interface safer.
+ *
+ * \note                For AEAD modes, the tag must be appended to the
+ *                      ciphertext, as recommended by RFC 5116.
+ *                      (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv            The nonce to use. This must be a readable buffer of
+ *                      at least \p iv_len Bytes and may be \c NULL if \p
+ *                      iv_len is \c 0.
+ * \param iv_len        The length of the nonce. For AEAD ciphers, this must
+ *                      satisfy the constraints imposed by the cipher used.
+ *                      For NIST_KW, this must be \c 0.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes, and may
+ *                      be \c NULL is \p ad_len is \c 0.
+ * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes, and may be
+ *                      \c NULL if \p ilen is \c 0.
+ * \param ilen          The length of the input data. For AEAD ciphers this
+ *                      must be at least \p tag_len. For NIST_KW this must be
+ *                      at least \c 8.
+ * \param output        The buffer for the output data. This must be a
+ *                      writable buffer of at least \p output_len Bytes, and
+ *                      may be \c NULL if \p output_len is \c 0.
+ * \param output_len    The length of the \p output buffer in Bytes. For AEAD
+ *                      ciphers, this must be at least \p ilen - \p tag_len.
+ *                      For NIST_KW, this must be at least \p ilen - 8.
+ * \param olen          This will be filled with the actual number of Bytes
+ *                      written to the \p output buffer. This must point to a
+ *                      writable object of type \c size_t.
+ * \param tag_len       The actual length of the authentication tag. For AEAD
+ *                      ciphers, this must match the constraints imposed by
+ *                      the cipher used, and in particular must not be \c 0.
+ *                      For NIST_KW, this must be \c 0.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
+                                    const unsigned char *iv, size_t iv_len,
+                                    const unsigned char *ad, size_t ad_len,
+                                    const unsigned char *input, size_t ilen,
+                                    unsigned char *output, size_t output_len,
+                                    size_t *olen, size_t tag_len);
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/cipher_internal.h b/common/mbedtls/cipher_internal.h
index 1f43c7831..dc8f4f244 100644
--- a/common/mbedtls/cipher_internal.h
+++ b/common/mbedtls/cipher_internal.h
@@ -6,35 +6,35 @@
  * \author Adriaan de Jong <dejong@fox-it.com>
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_CIPHER_WRAP_H
 #define MBEDTLS_CIPHER_WRAP_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "cipher.h"
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #ifdef __cplusplus
 extern "C" {
@@ -114,6 +114,27 @@ typedef struct {
     const mbedtls_cipher_info_t *info;
 } mbedtls_cipher_definition_t;
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+typedef enum {
+    MBEDTLS_CIPHER_PSA_KEY_UNSET = 0,
+    MBEDTLS_CIPHER_PSA_KEY_OWNED, /* Used for PSA-based cipher contexts which */
+    /* use raw key material internally imported */
+    /* as a volatile key, and which hence need  */
+    /* to destroy that key when the context is  */
+    /* freed.                                   */
+    MBEDTLS_CIPHER_PSA_KEY_NOT_OWNED, /* Used for PSA-based cipher contexts   */
+    /* which use a key provided by the      */
+    /* user, and which hence will not be    */
+    /* destroyed when the context is freed. */
+} mbedtls_cipher_psa_key_ownership;
+
+typedef struct {
+    psa_algorithm_t alg;
+    psa_key_id_t slot;
+    mbedtls_cipher_psa_key_ownership slot_state;
+} mbedtls_cipher_context_psa;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
 
 extern int mbedtls_cipher_supported[];
diff --git a/common/mbedtls/cipher_wrap.c b/common/mbedtls/cipher_wrap.c
index e9069794d..d8261e4ef 100644
--- a/common/mbedtls/cipher_wrap.c
+++ b/common/mbedtls/cipher_wrap.c
@@ -5,35 +5,28 @@
  *
  * \author Adriaan de Jong <dejong@fox-it.com>
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_CIPHER_C)
 
 #include "mbedtls/cipher_internal.h"
+#include "mbedtls/error.h"
 
 #if defined(MBEDTLS_CHACHAPOLY_C)
 #include "mbedtls/chachapoly.h"
@@ -75,6 +68,10 @@
 #include "mbedtls/ccm.h"
 #endif
 
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
 #include <string.h>
 #endif
@@ -245,7 +242,7 @@ static const mbedtls_cipher_info_t aes_128_ecb_info = {
     MBEDTLS_MODE_ECB,
     128,
     "AES-128-ECB",
-    16,
+    0,
     0,
     16,
     &aes_info
@@ -256,7 +253,7 @@ static const mbedtls_cipher_info_t aes_192_ecb_info = {
     MBEDTLS_MODE_ECB,
     192,
     "AES-192-ECB",
-    16,
+    0,
     0,
     16,
     &aes_info
@@ -267,7 +264,7 @@ static const mbedtls_cipher_info_t aes_256_ecb_info = {
     MBEDTLS_MODE_ECB,
     256,
     "AES-256-ECB",
-    16,
+    0,
     0,
     16,
     &aes_info
@@ -727,7 +724,7 @@ static const mbedtls_cipher_info_t camellia_128_ecb_info = {
     MBEDTLS_MODE_ECB,
     128,
     "CAMELLIA-128-ECB",
-    16,
+    0,
     0,
     16,
     &camellia_info
@@ -738,7 +735,7 @@ static const mbedtls_cipher_info_t camellia_192_ecb_info = {
     MBEDTLS_MODE_ECB,
     192,
     "CAMELLIA-192-ECB",
-    16,
+    0,
     0,
     16,
     &camellia_info
@@ -749,7 +746,7 @@ static const mbedtls_cipher_info_t camellia_256_ecb_info = {
     MBEDTLS_MODE_ECB,
     256,
     "CAMELLIA-256-ECB",
-    16,
+    0,
     0,
     16,
     &camellia_info
@@ -1093,7 +1090,7 @@ static const mbedtls_cipher_info_t aria_128_ecb_info = {
     MBEDTLS_MODE_ECB,
     128,
     "ARIA-128-ECB",
-    16,
+    0,
     0,
     16,
     &aria_info
@@ -1104,7 +1101,7 @@ static const mbedtls_cipher_info_t aria_192_ecb_info = {
     MBEDTLS_MODE_ECB,
     192,
     "ARIA-192-ECB",
-    16,
+    0,
     0,
     16,
     &aria_info
@@ -1115,7 +1112,7 @@ static const mbedtls_cipher_info_t aria_256_ecb_info = {
     MBEDTLS_MODE_ECB,
     256,
     "ARIA-256-ECB",
-    16,
+    0,
     0,
     16,
     &aria_info
@@ -1501,7 +1498,7 @@ static const mbedtls_cipher_info_t des_ecb_info = {
     MBEDTLS_MODE_ECB,
     MBEDTLS_KEY_LENGTH_DES,
     "DES-ECB",
-    8,
+    0,
     0,
     8,
     &des_info
@@ -1552,7 +1549,7 @@ static const mbedtls_cipher_info_t des_ede_ecb_info = {
     MBEDTLS_MODE_ECB,
     MBEDTLS_KEY_LENGTH_DES_EDE,
     "DES-EDE-ECB",
-    8,
+    0,
     0,
     8,
     &des_ede_info
@@ -1603,7 +1600,7 @@ static const mbedtls_cipher_info_t des_ede3_ecb_info = {
     MBEDTLS_MODE_ECB,
     MBEDTLS_KEY_LENGTH_DES_EDE3,
     "DES-EDE3-ECB",
-    8,
+    0,
     0,
     8,
     &des_ede3_info
@@ -1711,7 +1708,7 @@ static const mbedtls_cipher_info_t blowfish_ecb_info = {
     MBEDTLS_MODE_ECB,
     128,
     "BLOWFISH-ECB",
-    8,
+    0,
     MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
     8,
     &blowfish_info
@@ -1846,7 +1843,7 @@ static int chacha20_setkey_wrap(void *ctx, const unsigned char *key,
 static int chacha20_stream_wrap(void *ctx,  size_t length,
                                 const unsigned char *input,
                                 unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     ret = mbedtls_chacha20_update(ctx, length, input, output);
     if (ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA)
@@ -2044,6 +2041,127 @@ static const mbedtls_cipher_info_t null_cipher_info = {
 };
 #endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
 
+#if defined(MBEDTLS_NIST_KW_C)
+static void *kw_ctx_alloc(void) {
+    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_nist_kw_context));
+
+    if (ctx != NULL)
+        mbedtls_nist_kw_init((mbedtls_nist_kw_context *) ctx);
+
+    return (ctx);
+}
+
+static void kw_ctx_free(void *ctx) {
+    mbedtls_nist_kw_free(ctx);
+    mbedtls_free(ctx);
+}
+
+static int kw_aes_setkey_wrap(void *ctx, const unsigned char *key,
+                              unsigned int key_bitlen) {
+    return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+                                  MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 1);
+}
+
+static int kw_aes_setkey_unwrap(void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen) {
+    return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+                                  MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 0);
+}
+
+static const mbedtls_cipher_base_t kw_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    kw_aes_setkey_wrap,
+    kw_aes_setkey_unwrap,
+    kw_ctx_alloc,
+    kw_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_nist_kw_info = {
+    MBEDTLS_CIPHER_AES_128_KW,
+    MBEDTLS_MODE_KW,
+    128,
+    "AES-128-KW",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_nist_kw_info = {
+    MBEDTLS_CIPHER_AES_192_KW,
+    MBEDTLS_MODE_KW,
+    192,
+    "AES-192-KW",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kw_info = {
+    MBEDTLS_CIPHER_AES_256_KW,
+    MBEDTLS_MODE_KW,
+    256,
+    "AES-256-KW",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_128_nist_kwp_info = {
+    MBEDTLS_CIPHER_AES_128_KWP,
+    MBEDTLS_MODE_KWP,
+    128,
+    "AES-128-KWP",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_nist_kwp_info = {
+    MBEDTLS_CIPHER_AES_192_KWP,
+    MBEDTLS_MODE_KWP,
+    192,
+    "AES-192-KWP",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kwp_info = {
+    MBEDTLS_CIPHER_AES_256_KWP,
+    MBEDTLS_MODE_KWP,
+    256,
+    "AES-256-KWP",
+    0,
+    0,
+    16,
+    &kw_aes_info
+};
+#endif /* MBEDTLS_NIST_KW_C */
+
 const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = {
 #if defined(MBEDTLS_AES_C)
     { MBEDTLS_CIPHER_AES_128_ECB,          &aes_128_ecb_info },
@@ -2183,6 +2301,15 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = {
     { MBEDTLS_CIPHER_CHACHA20_POLY1305,    &chachapoly_info },
 #endif
 
+#if defined(MBEDTLS_NIST_KW_C)
+    { MBEDTLS_CIPHER_AES_128_KW,          &aes_128_nist_kw_info },
+    { MBEDTLS_CIPHER_AES_192_KW,          &aes_192_nist_kw_info },
+    { MBEDTLS_CIPHER_AES_256_KW,          &aes_256_nist_kw_info },
+    { MBEDTLS_CIPHER_AES_128_KWP,         &aes_128_nist_kwp_info },
+    { MBEDTLS_CIPHER_AES_192_KWP,         &aes_192_nist_kwp_info },
+    { MBEDTLS_CIPHER_AES_256_KWP,         &aes_256_nist_kwp_info },
+#endif
+
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
     { MBEDTLS_CIPHER_NULL,                 &null_cipher_info },
 #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
@@ -2190,7 +2317,8 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = {
     { MBEDTLS_CIPHER_NONE, NULL }
 };
 
-#define NUM_CIPHERS sizeof mbedtls_cipher_definitions / sizeof mbedtls_cipher_definitions[0]
+#define NUM_CIPHERS ( sizeof(mbedtls_cipher_definitions) /      \
+                      sizeof(mbedtls_cipher_definitions[0]) )
 int mbedtls_cipher_supported[NUM_CIPHERS];
 
 #endif /* MBEDTLS_CIPHER_C */
diff --git a/common/mbedtls/cmac.c b/common/mbedtls/cmac.c
index dcb1521ab..32a5937b0 100644
--- a/common/mbedtls/cmac.c
+++ b/common/mbedtls/cmac.c
@@ -3,24 +3,20 @@
  *
  * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
  *
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -42,32 +38,17 @@
  *
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_CMAC_C)
 
 #include "mbedtls/cmac.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
 
 #include <string.h>
 
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc     calloc
-#define mbedtls_free       free
-#if defined(MBEDTLS_SELF_TEST)
-#include <stdio.h>
-#define mbedtls_printf     printf
-#endif /* MBEDTLS_SELF_TEST */
-#endif /* MBEDTLS_PLATFORM_C */
-
 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
 
 /*
@@ -130,7 +111,7 @@ static int cmac_multiply_by_u(unsigned char *output,
  */
 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
                                  unsigned char *K1, unsigned char *K2) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
     size_t olen, block_size;
 
@@ -298,7 +279,7 @@ int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
     unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t olen, block_size;
 
     if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
@@ -370,7 +351,7 @@ int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
                         const unsigned char *input, size_t ilen,
                         unsigned char *output) {
     mbedtls_cipher_context_t ctx;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (cipher_info == NULL || key == NULL || input == NULL || output == NULL)
         return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
@@ -402,8 +383,8 @@ exit:
  */
 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
                              const unsigned char *input, size_t in_len,
-                             unsigned char *output) {
-    int ret;
+                             unsigned char output[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const mbedtls_cipher_info_t *cipher_info;
     unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
     unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
@@ -752,7 +733,7 @@ static int cmac_test_subkeys(int verbose,
 
     for (i = 0; i < num_tests; i++) {
         if (verbose != 0)
-            mbedtls_printf("  %s CMAC subkey #%u: ", testname, i + 1);
+            mbedtls_printf("  %s CMAC subkey #%d: ", testname, i + 1);
 
         mbedtls_cipher_init(&ctx);
 
@@ -765,6 +746,18 @@ static int cmac_test_subkeys(int verbose,
 
         if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
                                          MBEDTLS_ENCRYPT)) != 0) {
+            /* When CMAC is implemented by an alternative implementation, or
+             * the underlying primitive itself is implemented alternatively,
+             * AES-192 may be unavailable. This should not cause the selftest
+             * function to fail. */
+            if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+                    ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+                    cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
+                if (verbose != 0)
+                    mbedtls_printf("skipped\n");
+                goto next_test;
+            }
+
             if (verbose != 0)
                 mbedtls_printf("test execution failed\n");
 
@@ -790,6 +783,7 @@ static int cmac_test_subkeys(int verbose,
         if (verbose != 0)
             mbedtls_printf("passed\n");
 
+next_test:
         mbedtls_cipher_free(&ctx);
     }
 
@@ -826,10 +820,22 @@ static int cmac_test_wth_cipher(int verbose,
 
     for (i = 0; i < num_tests; i++) {
         if (verbose != 0)
-            mbedtls_printf("  %s CMAC #%u: ", testname, i + 1);
+            mbedtls_printf("  %s CMAC #%d: ", testname, i + 1);
 
         if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
                                        message_lengths[i], output)) != 0) {
+            /* When CMAC is implemented by an alternative implementation, or
+             * the underlying primitive itself is implemented alternatively,
+             * AES-192 may be unavailable. This should not cause the selftest
+             * function to fail. */
+            if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+                    ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+                    cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
+                if (verbose != 0)
+                    mbedtls_printf("skipped\n");
+                continue;
+            }
+
             if (verbose != 0)
                 mbedtls_printf("failed\n");
             goto exit;
@@ -853,11 +859,11 @@ exit:
 #if defined(MBEDTLS_AES_C)
 static int test_aes128_cmac_prf(int verbose) {
     int i;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
 
     for (i = 0; i < NB_PRF_TESTS; i++) {
-        mbedtls_printf("  AES CMAC 128 PRF #%u: ", i);
+        mbedtls_printf("  AES CMAC 128 PRF #%d: ", i);
         ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
         if (ret != 0 ||
                 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
@@ -875,7 +881,7 @@ static int test_aes128_cmac_prf(int verbose) {
 #endif /* MBEDTLS_AES_C */
 
 int mbedtls_cmac_self_test(int verbose) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
 #if defined(MBEDTLS_AES_C)
     /* AES-128 */
diff --git a/common/mbedtls/cmac.h b/common/mbedtls/cmac.h
index 3775e7269..dc6b832d5 100644
--- a/common/mbedtls/cmac.h
+++ b/common/mbedtls/cmac.h
@@ -7,35 +7,38 @@
  * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
  */
 /*
- *  Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
 
-#include "cipher.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/cipher.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
 
 #define MBEDTLS_AES_BLOCK_SIZE          16
@@ -187,7 +190,7 @@ int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
  */
 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_len,
                              const unsigned char *input, size_t in_len,
-                             unsigned char *output);
+                             unsigned char output[16]);
 #endif /* MBEDTLS_AES_C */
 
 #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
diff --git a/common/mbedtls/common.h b/common/mbedtls/common.h
new file mode 100644
index 000000000..5845766ac
--- /dev/null
+++ b/common/mbedtls/common.h
@@ -0,0 +1,53 @@
+/**
+ * \file common.h
+ *
+ * \brief Utility macros for internal use in the library
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_LIBRARY_COMMON_H
+#define MBEDTLS_LIBRARY_COMMON_H
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+/** Helper to define a function as static except when building invasive tests.
+ *
+ * If a function is only used inside its own source file and should be
+ * declared `static` to allow the compiler to optimize for code size,
+ * but that function has unit tests, define it with
+ * ```
+ * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
+ * ```
+ * and declare it in a header in the `library/` directory with
+ * ```
+ * #if defined(MBEDTLS_TEST_HOOKS)
+ * int mbedtls_foo(...);
+ * #endif
+ * ```
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+#define MBEDTLS_STATIC_TESTABLE
+#else
+#define MBEDTLS_STATIC_TESTABLE static
+#endif
+
+#endif /* MBEDTLS_LIBRARY_COMMON_H */
diff --git a/common/mbedtls/compat-1.3.h b/common/mbedtls/compat-1.3.h
new file mode 100644
index 000000000..40177512c
--- /dev/null
+++ b/common/mbedtls/compat-1.3.h
@@ -0,0 +1,2529 @@
+/**
+ * \file compat-1.3.h
+ *
+ * \brief Compatibility definitions for using mbed TLS with client code written
+ *  for the PolarSSL naming conventions.
+ *
+ * \deprecated Use the new names directly instead
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Including compat-1.3.h is deprecated"
+#endif
+
+#ifndef MBEDTLS_COMPAT13_H
+#define MBEDTLS_COMPAT13_H
+
+/*
+ * config.h options
+ */
+#if defined MBEDTLS_AESNI_C
+#define POLARSSL_AESNI_C MBEDTLS_AESNI_C
+#endif
+#if defined MBEDTLS_AES_ALT
+#define POLARSSL_AES_ALT MBEDTLS_AES_ALT
+#endif
+#if defined MBEDTLS_AES_C
+#define POLARSSL_AES_C MBEDTLS_AES_C
+#endif
+#if defined MBEDTLS_AES_ROM_TABLES
+#define POLARSSL_AES_ROM_TABLES MBEDTLS_AES_ROM_TABLES
+#endif
+#if defined MBEDTLS_ARC4_ALT
+#define POLARSSL_ARC4_ALT MBEDTLS_ARC4_ALT
+#endif
+#if defined MBEDTLS_ARC4_C
+#define POLARSSL_ARC4_C MBEDTLS_ARC4_C
+#endif
+#if defined MBEDTLS_ASN1_PARSE_C
+#define POLARSSL_ASN1_PARSE_C MBEDTLS_ASN1_PARSE_C
+#endif
+#if defined MBEDTLS_ASN1_WRITE_C
+#define POLARSSL_ASN1_WRITE_C MBEDTLS_ASN1_WRITE_C
+#endif
+#if defined MBEDTLS_BASE64_C
+#define POLARSSL_BASE64_C MBEDTLS_BASE64_C
+#endif
+#if defined MBEDTLS_BIGNUM_C
+#define POLARSSL_BIGNUM_C MBEDTLS_BIGNUM_C
+#endif
+#if defined MBEDTLS_BLOWFISH_ALT
+#define POLARSSL_BLOWFISH_ALT MBEDTLS_BLOWFISH_ALT
+#endif
+#if defined MBEDTLS_BLOWFISH_C
+#define POLARSSL_BLOWFISH_C MBEDTLS_BLOWFISH_C
+#endif
+#if defined MBEDTLS_CAMELLIA_ALT
+#define POLARSSL_CAMELLIA_ALT MBEDTLS_CAMELLIA_ALT
+#endif
+#if defined MBEDTLS_CAMELLIA_C
+#define POLARSSL_CAMELLIA_C MBEDTLS_CAMELLIA_C
+#endif
+#if defined MBEDTLS_CAMELLIA_SMALL_MEMORY
+#define POLARSSL_CAMELLIA_SMALL_MEMORY MBEDTLS_CAMELLIA_SMALL_MEMORY
+#endif
+#if defined MBEDTLS_CCM_C
+#define POLARSSL_CCM_C MBEDTLS_CCM_C
+#endif
+#if defined MBEDTLS_CERTS_C
+#define POLARSSL_CERTS_C MBEDTLS_CERTS_C
+#endif
+#if defined MBEDTLS_CIPHER_C
+#define POLARSSL_CIPHER_C MBEDTLS_CIPHER_C
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_MODE_CBC MBEDTLS_CIPHER_MODE_CBC
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CFB
+#define POLARSSL_CIPHER_MODE_CFB MBEDTLS_CIPHER_MODE_CFB
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CTR
+#define POLARSSL_CIPHER_MODE_CTR MBEDTLS_CIPHER_MODE_CTR
+#endif
+#if defined MBEDTLS_CIPHER_NULL_CIPHER
+#define POLARSSL_CIPHER_NULL_CIPHER MBEDTLS_CIPHER_NULL_CIPHER
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_PKCS7
+#define POLARSSL_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS
+#define POLARSSL_CIPHER_PADDING_ZEROS MBEDTLS_CIPHER_PADDING_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#endif
+#if defined MBEDTLS_CTR_DRBG_C
+#define POLARSSL_CTR_DRBG_C MBEDTLS_CTR_DRBG_C
+#endif
+#if defined MBEDTLS_DEBUG_C
+#define POLARSSL_DEBUG_C MBEDTLS_DEBUG_C
+#endif
+#if defined MBEDTLS_DEPRECATED_REMOVED
+#define POLARSSL_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_REMOVED
+#endif
+#if defined MBEDTLS_DEPRECATED_WARNING
+#define POLARSSL_DEPRECATED_WARNING MBEDTLS_DEPRECATED_WARNING
+#endif
+#if defined MBEDTLS_DES_ALT
+#define POLARSSL_DES_ALT MBEDTLS_DES_ALT
+#endif
+#if defined MBEDTLS_DES_C
+#define POLARSSL_DES_C MBEDTLS_DES_C
+#endif
+#if defined MBEDTLS_DHM_C
+#define POLARSSL_DHM_C MBEDTLS_DHM_C
+#endif
+#if defined MBEDTLS_ECDH_C
+#define POLARSSL_ECDH_C MBEDTLS_ECDH_C
+#endif
+#if defined MBEDTLS_ECDSA_C
+#define POLARSSL_ECDSA_C MBEDTLS_ECDSA_C
+#endif
+#if defined MBEDTLS_ECDSA_DETERMINISTIC
+#define POLARSSL_ECDSA_DETERMINISTIC MBEDTLS_ECDSA_DETERMINISTIC
+#endif
+#if defined MBEDTLS_ECP_C
+#define POLARSSL_ECP_C MBEDTLS_ECP_C
+#endif
+#if defined MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define POLARSSL_ECP_DP_BP256R1_ENABLED MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define POLARSSL_ECP_DP_BP384R1_ENABLED MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define POLARSSL_ECP_DP_BP512R1_ENABLED MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define POLARSSL_ECP_DP_M255_ENABLED MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define POLARSSL_ECP_DP_SECP192K1_ENABLED MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define POLARSSL_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define POLARSSL_ECP_DP_SECP224K1_ENABLED MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define POLARSSL_ECP_DP_SECP224R1_ENABLED MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define POLARSSL_ECP_DP_SECP256R1_ENABLED MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define POLARSSL_ECP_DP_SECP384R1_ENABLED MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define POLARSSL_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define POLARSSL_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_FIXED_POINT_OPTIM
+#endif
+#if defined MBEDTLS_ECP_MAX_BITS
+#define POLARSSL_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS
+#endif
+#if defined MBEDTLS_ECP_NIST_OPTIM
+#define POLARSSL_ECP_NIST_OPTIM MBEDTLS_ECP_NIST_OPTIM
+#endif
+#if defined MBEDTLS_ECP_WINDOW_SIZE
+#define POLARSSL_ECP_WINDOW_SIZE MBEDTLS_ECP_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#define POLARSSL_ENABLE_WEAK_CIPHERSUITES MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#endif
+#if defined MBEDTLS_ENTROPY_C
+#define POLARSSL_ENTROPY_C MBEDTLS_ENTROPY_C
+#endif
+#if defined MBEDTLS_ENTROPY_FORCE_SHA256
+#define POLARSSL_ENTROPY_FORCE_SHA256 MBEDTLS_ENTROPY_FORCE_SHA256
+#endif
+#if defined MBEDTLS_ERROR_C
+#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
+#endif
+#if defined MBEDTLS_ERROR_STRERROR_DUMMY
+#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
+#endif
+#if defined MBEDTLS_FS_IO
+#define POLARSSL_FS_IO MBEDTLS_FS_IO
+#endif
+#if defined MBEDTLS_GCM_C
+#define POLARSSL_GCM_C MBEDTLS_GCM_C
+#endif
+#if defined MBEDTLS_GENPRIME
+#define POLARSSL_GENPRIME MBEDTLS_GENPRIME
+#endif
+#if defined MBEDTLS_HAVEGE_C
+#define POLARSSL_HAVEGE_C MBEDTLS_HAVEGE_C
+#endif
+#if defined MBEDTLS_HAVE_ASM
+#define POLARSSL_HAVE_ASM MBEDTLS_HAVE_ASM
+#endif
+#if defined MBEDTLS_HAVE_SSE2
+#define POLARSSL_HAVE_SSE2 MBEDTLS_HAVE_SSE2
+#endif
+#if defined MBEDTLS_HAVE_TIME
+#define POLARSSL_HAVE_TIME MBEDTLS_HAVE_TIME
+#endif
+#if defined MBEDTLS_HMAC_DRBG_C
+#define POLARSSL_HMAC_DRBG_C MBEDTLS_HMAC_DRBG_C
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_INPUT MBEDTLS_HMAC_DRBG_MAX_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#define POLARSSL_HMAC_DRBG_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_SEED_INPUT MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#define POLARSSL_HMAC_DRBG_RESEED_INTERVAL MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+#if defined MBEDTLS_MD2_ALT
+#define POLARSSL_MD2_ALT MBEDTLS_MD2_ALT
+#endif
+#if defined MBEDTLS_MD2_C
+#define POLARSSL_MD2_C MBEDTLS_MD2_C
+#endif
+#if defined MBEDTLS_MD2_PROCESS_ALT
+#define POLARSSL_MD2_PROCESS_ALT MBEDTLS_MD2_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD4_ALT
+#define POLARSSL_MD4_ALT MBEDTLS_MD4_ALT
+#endif
+#if defined MBEDTLS_MD4_C
+#define POLARSSL_MD4_C MBEDTLS_MD4_C
+#endif
+#if defined MBEDTLS_MD4_PROCESS_ALT
+#define POLARSSL_MD4_PROCESS_ALT MBEDTLS_MD4_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD5_ALT
+#define POLARSSL_MD5_ALT MBEDTLS_MD5_ALT
+#endif
+#if defined MBEDTLS_MD5_C
+#define POLARSSL_MD5_C MBEDTLS_MD5_C
+#endif
+#if defined MBEDTLS_MD5_PROCESS_ALT
+#define POLARSSL_MD5_PROCESS_ALT MBEDTLS_MD5_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD_C
+#define POLARSSL_MD_C MBEDTLS_MD_C
+#endif
+#if defined MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#define POLARSSL_MEMORY_ALIGN_MULTIPLE MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#endif
+#if defined MBEDTLS_MEMORY_BACKTRACE
+#define POLARSSL_MEMORY_BACKTRACE MBEDTLS_MEMORY_BACKTRACE
+#endif
+#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#endif
+#if defined MBEDTLS_MEMORY_DEBUG
+#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
+#endif
+#if defined MBEDTLS_MPI_MAX_SIZE
+#define POLARSSL_MPI_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+#if defined MBEDTLS_MPI_WINDOW_SIZE
+#define POLARSSL_MPI_WINDOW_SIZE MBEDTLS_MPI_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_NET_C
+#define POLARSSL_NET_C MBEDTLS_NET_C
+#endif
+#if defined MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#endif
+#if defined MBEDTLS_NO_PLATFORM_ENTROPY
+#define POLARSSL_NO_PLATFORM_ENTROPY MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+#if defined MBEDTLS_OID_C
+#define POLARSSL_OID_C MBEDTLS_OID_C
+#endif
+#if defined MBEDTLS_PADLOCK_C
+#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
+#endif
+#if defined MBEDTLS_PEM_PARSE_C
+#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
+#endif
+#if defined MBEDTLS_PEM_WRITE_C
+#define POLARSSL_PEM_WRITE_C MBEDTLS_PEM_WRITE_C
+#endif
+#if defined MBEDTLS_PKCS11_C
+#define POLARSSL_PKCS11_C MBEDTLS_PKCS11_C
+#endif
+#if defined MBEDTLS_PKCS12_C
+#define POLARSSL_PKCS12_C MBEDTLS_PKCS12_C
+#endif
+#if defined MBEDTLS_PKCS1_V15
+#define POLARSSL_PKCS1_V15 MBEDTLS_PKCS1_V15
+#endif
+#if defined MBEDTLS_PKCS1_V21
+#define POLARSSL_PKCS1_V21 MBEDTLS_PKCS1_V21
+#endif
+#if defined MBEDTLS_PKCS5_C
+#define POLARSSL_PKCS5_C MBEDTLS_PKCS5_C
+#endif
+#if defined MBEDTLS_PK_C
+#define POLARSSL_PK_C MBEDTLS_PK_C
+#endif
+#if defined MBEDTLS_PK_PARSE_C
+#define POLARSSL_PK_PARSE_C MBEDTLS_PK_PARSE_C
+#endif
+#if defined MBEDTLS_PK_PARSE_EC_EXTENDED
+#define POLARSSL_PK_PARSE_EC_EXTENDED MBEDTLS_PK_PARSE_EC_EXTENDED
+#endif
+#if defined MBEDTLS_PK_RSA_ALT_SUPPORT
+#define POLARSSL_PK_RSA_ALT_SUPPORT MBEDTLS_PK_RSA_ALT_SUPPORT
+#endif
+#if defined MBEDTLS_PK_WRITE_C
+#define POLARSSL_PK_WRITE_C MBEDTLS_PK_WRITE_C
+#endif
+#if defined MBEDTLS_PLATFORM_C
+#define POLARSSL_PLATFORM_C MBEDTLS_PLATFORM_C
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_ALT
+#define POLARSSL_PLATFORM_EXIT_ALT MBEDTLS_PLATFORM_EXIT_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_MACRO
+#define POLARSSL_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_EXIT_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_ALT
+#define POLARSSL_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_MACRO
+#define POLARSSL_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FREE_MACRO
+#define POLARSSL_PLATFORM_FREE_MACRO MBEDTLS_PLATFORM_FREE_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_MEMORY
+#define POLARSSL_PLATFORM_MEMORY MBEDTLS_PLATFORM_MEMORY
+#endif
+#if defined MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_ALT
+#define POLARSSL_PLATFORM_PRINTF_ALT MBEDTLS_PLATFORM_PRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_MACRO
+#define POLARSSL_PLATFORM_PRINTF_MACRO MBEDTLS_PLATFORM_PRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_ALT
+#define POLARSSL_PLATFORM_SNPRINTF_ALT MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#define POLARSSL_PLATFORM_SNPRINTF_MACRO MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_STD_EXIT
+#define POLARSSL_PLATFORM_STD_EXIT MBEDTLS_PLATFORM_STD_EXIT
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FPRINTF
+#define POLARSSL_PLATFORM_STD_FPRINTF MBEDTLS_PLATFORM_STD_FPRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FREE
+#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
+#endif
+#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
+#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#if defined MBEDTLS_PLATFORM_STD_PRINTF
+#define POLARSSL_PLATFORM_STD_PRINTF MBEDTLS_PLATFORM_STD_PRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_SNPRINTF
+#define POLARSSL_PLATFORM_STD_SNPRINTF MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif
+#if defined MBEDTLS_PSK_MAX_LEN
+#define POLARSSL_PSK_MAX_LEN MBEDTLS_PSK_MAX_LEN
+#endif
+#if defined MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define POLARSSL_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
+#if defined MBEDTLS_RIPEMD160_ALT
+#define POLARSSL_RIPEMD160_ALT MBEDTLS_RIPEMD160_ALT
+#endif
+#if defined MBEDTLS_RIPEMD160_C
+#define POLARSSL_RIPEMD160_C MBEDTLS_RIPEMD160_C
+#endif
+#if defined MBEDTLS_RIPEMD160_PROCESS_ALT
+#define POLARSSL_RIPEMD160_PROCESS_ALT MBEDTLS_RIPEMD160_PROCESS_ALT
+#endif
+#if defined MBEDTLS_RSA_C
+#define POLARSSL_RSA_C MBEDTLS_RSA_C
+#endif
+#if defined MBEDTLS_RSA_NO_CRT
+#define POLARSSL_RSA_NO_CRT MBEDTLS_RSA_NO_CRT
+#endif
+#if defined MBEDTLS_SELF_TEST
+#define POLARSSL_SELF_TEST MBEDTLS_SELF_TEST
+#endif
+#if defined MBEDTLS_SHA1_ALT
+#define POLARSSL_SHA1_ALT MBEDTLS_SHA1_ALT
+#endif
+#if defined MBEDTLS_SHA1_C
+#define POLARSSL_SHA1_C MBEDTLS_SHA1_C
+#endif
+#if defined MBEDTLS_SHA1_PROCESS_ALT
+#define POLARSSL_SHA1_PROCESS_ALT MBEDTLS_SHA1_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA256_ALT
+#define POLARSSL_SHA256_ALT MBEDTLS_SHA256_ALT
+#endif
+#if defined MBEDTLS_SHA256_C
+#define POLARSSL_SHA256_C MBEDTLS_SHA256_C
+#endif
+#if defined MBEDTLS_SHA256_PROCESS_ALT
+#define POLARSSL_SHA256_PROCESS_ALT MBEDTLS_SHA256_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA512_ALT
+#define POLARSSL_SHA512_ALT MBEDTLS_SHA512_ALT
+#endif
+#if defined MBEDTLS_SHA512_C
+#define POLARSSL_SHA512_C MBEDTLS_SHA512_C
+#endif
+#if defined MBEDTLS_SHA512_PROCESS_ALT
+#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+#if defined MBEDTLS_SSL_ALPN
+#define POLARSSL_SSL_ALPN MBEDTLS_SSL_ALPN
+#endif
+#if defined MBEDTLS_SSL_CACHE_C
+#define POLARSSL_SSL_CACHE_C MBEDTLS_SSL_CACHE_C
+#endif
+#if defined MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#define POLARSSL_SSL_CBC_RECORD_SPLITTING MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
+#if defined MBEDTLS_SSL_CLI_C
+#define POLARSSL_SSL_CLI_C MBEDTLS_SSL_CLI_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_C
+#define POLARSSL_SSL_COOKIE_C MBEDTLS_SSL_COOKIE_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT MBEDTLS_SSL_COOKIE_TIMEOUT
+#endif
+#if defined MBEDTLS_SSL_DEBUG_ALL
+#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
+#endif
+#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
+#if defined MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#define POLARSSL_SSL_DTLS_BADMAC_LIMIT MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
+#if defined MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
+#if defined MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
+#if defined MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
+#if defined MBEDTLS_SSL_FALLBACK_SCSV
+#define POLARSSL_SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#endif
+#if defined MBEDTLS_SSL_HW_RECORD_ACCEL
+#define POLARSSL_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_HW_RECORD_ACCEL
+#endif
+#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#endif
+#if defined MBEDTLS_SSL_PROTO_DTLS
+#define POLARSSL_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_DTLS
+#endif
+#if defined MBEDTLS_SSL_PROTO_SSL3
+#define POLARSSL_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_SSL3
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1
+#define POLARSSL_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_1
+#define POLARSSL_SSL_PROTO_TLS1_1 MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_2
+#define POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+#if defined MBEDTLS_SSL_RENEGOTIATION
+#define POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#endif
+#if defined MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
+#endif
+#if defined MBEDTLS_SSL_SESSION_TICKETS
+#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
+#endif
+#if defined MBEDTLS_SSL_SRV_C
+#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
+#endif
+#if defined MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#endif
+#if defined MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#endif
+#if defined MBEDTLS_SSL_TLS_C
+#define POLARSSL_SSL_TLS_C MBEDTLS_SSL_TLS_C
+#endif
+#if defined MBEDTLS_SSL_TRUNCATED_HMAC
+#define POLARSSL_SSL_TRUNCATED_HMAC MBEDTLS_SSL_TRUNCATED_HMAC
+#endif
+#if defined MBEDTLS_THREADING_ALT
+#define POLARSSL_THREADING_ALT MBEDTLS_THREADING_ALT
+#endif
+#if defined MBEDTLS_THREADING_C
+#define POLARSSL_THREADING_C MBEDTLS_THREADING_C
+#endif
+#if defined MBEDTLS_THREADING_PTHREAD
+#define POLARSSL_THREADING_PTHREAD MBEDTLS_THREADING_PTHREAD
+#endif
+#if defined MBEDTLS_TIMING_ALT
+#define POLARSSL_TIMING_ALT MBEDTLS_TIMING_ALT
+#endif
+#if defined MBEDTLS_TIMING_C
+#define POLARSSL_TIMING_C MBEDTLS_TIMING_C
+#endif
+#if defined MBEDTLS_VERSION_C
+#define POLARSSL_VERSION_C MBEDTLS_VERSION_C
+#endif
+#if defined MBEDTLS_VERSION_FEATURES
+#define POLARSSL_VERSION_FEATURES MBEDTLS_VERSION_FEATURES
+#endif
+#if defined MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#endif
+#if defined MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+#if defined MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CHECK_KEY_USAGE
+#define POLARSSL_X509_CHECK_KEY_USAGE MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CREATE_C
+#define POLARSSL_X509_CREATE_C MBEDTLS_X509_CREATE_C
+#endif
+#if defined MBEDTLS_X509_CRL_PARSE_C
+#define POLARSSL_X509_CRL_PARSE_C MBEDTLS_X509_CRL_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_PARSE_C
+#define POLARSSL_X509_CRT_PARSE_C MBEDTLS_X509_CRT_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_WRITE_C
+#define POLARSSL_X509_CRT_WRITE_C MBEDTLS_X509_CRT_WRITE_C
+#endif
+#if defined MBEDTLS_X509_CSR_PARSE_C
+#define POLARSSL_X509_CSR_PARSE_C MBEDTLS_X509_CSR_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CSR_WRITE_C
+#define POLARSSL_X509_CSR_WRITE_C MBEDTLS_X509_CSR_WRITE_C
+#endif
+#if defined MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#endif
+#if defined MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#define POLARSSL_X509_RSASSA_PSS_SUPPORT MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+#if defined MBEDTLS_X509_USE_C
+#define POLARSSL_X509_USE_C MBEDTLS_X509_USE_C
+#endif
+#if defined MBEDTLS_XTEA_ALT
+#define POLARSSL_XTEA_ALT MBEDTLS_XTEA_ALT
+#endif
+#if defined MBEDTLS_XTEA_C
+#define POLARSSL_XTEA_C MBEDTLS_XTEA_C
+#endif
+#if defined MBEDTLS_ZLIB_SUPPORT
+#define POLARSSL_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
+#endif
+
+/*
+ * Misc names (macros, types, functions, enum constants...)
+ */
+#define AES_DECRYPT MBEDTLS_AES_DECRYPT
+#define AES_ENCRYPT MBEDTLS_AES_ENCRYPT
+#define ASN1_BIT_STRING MBEDTLS_ASN1_BIT_STRING
+#define ASN1_BMP_STRING MBEDTLS_ASN1_BMP_STRING
+#define ASN1_BOOLEAN MBEDTLS_ASN1_BOOLEAN
+#define ASN1_CHK_ADD MBEDTLS_ASN1_CHK_ADD
+#define ASN1_CONSTRUCTED MBEDTLS_ASN1_CONSTRUCTED
+#define ASN1_CONTEXT_SPECIFIC MBEDTLS_ASN1_CONTEXT_SPECIFIC
+#define ASN1_GENERALIZED_TIME MBEDTLS_ASN1_GENERALIZED_TIME
+#define ASN1_IA5_STRING MBEDTLS_ASN1_IA5_STRING
+#define ASN1_INTEGER MBEDTLS_ASN1_INTEGER
+#define ASN1_NULL MBEDTLS_ASN1_NULL
+#define ASN1_OCTET_STRING MBEDTLS_ASN1_OCTET_STRING
+#define ASN1_OID MBEDTLS_ASN1_OID
+#define ASN1_PRIMITIVE MBEDTLS_ASN1_PRIMITIVE
+#define ASN1_PRINTABLE_STRING MBEDTLS_ASN1_PRINTABLE_STRING
+#define ASN1_SEQUENCE MBEDTLS_ASN1_SEQUENCE
+#define ASN1_SET MBEDTLS_ASN1_SET
+#define ASN1_T61_STRING MBEDTLS_ASN1_T61_STRING
+#define ASN1_UNIVERSAL_STRING MBEDTLS_ASN1_UNIVERSAL_STRING
+#define ASN1_UTC_TIME MBEDTLS_ASN1_UTC_TIME
+#define ASN1_UTF8_STRING MBEDTLS_ASN1_UTF8_STRING
+#define BADCERT_CN_MISMATCH MBEDTLS_X509_BADCERT_CN_MISMATCH
+#define BADCERT_EXPIRED MBEDTLS_X509_BADCERT_EXPIRED
+#define BADCERT_FUTURE MBEDTLS_X509_BADCERT_FUTURE
+#define BADCERT_MISSING MBEDTLS_X509_BADCERT_MISSING
+#define BADCERT_NOT_TRUSTED MBEDTLS_X509_BADCERT_NOT_TRUSTED
+#define BADCERT_OTHER MBEDTLS_X509_BADCERT_OTHER
+#define BADCERT_REVOKED MBEDTLS_X509_BADCERT_REVOKED
+#define BADCERT_SKIP_VERIFY MBEDTLS_X509_BADCERT_SKIP_VERIFY
+#define BADCRL_EXPIRED MBEDTLS_X509_BADCRL_EXPIRED
+#define BADCRL_FUTURE MBEDTLS_X509_BADCRL_FUTURE
+#define BADCRL_NOT_TRUSTED MBEDTLS_X509_BADCRL_NOT_TRUSTED
+#define BLOWFISH_BLOCKSIZE MBEDTLS_BLOWFISH_BLOCKSIZE
+#define BLOWFISH_DECRYPT MBEDTLS_BLOWFISH_DECRYPT
+#define BLOWFISH_ENCRYPT MBEDTLS_BLOWFISH_ENCRYPT
+#define BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
+#define BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
+#define BLOWFISH_ROUNDS MBEDTLS_BLOWFISH_ROUNDS
+#define CAMELLIA_DECRYPT MBEDTLS_CAMELLIA_DECRYPT
+#define CAMELLIA_ENCRYPT MBEDTLS_CAMELLIA_ENCRYPT
+#define COLLECT_SIZE MBEDTLS_HAVEGE_COLLECT_SIZE
+#define CTR_DRBG_BLOCKSIZE MBEDTLS_CTR_DRBG_BLOCKSIZE
+#define CTR_DRBG_ENTROPY_LEN MBEDTLS_CTR_DRBG_ENTROPY_LEN
+#define CTR_DRBG_KEYBITS MBEDTLS_CTR_DRBG_KEYBITS
+#define CTR_DRBG_KEYSIZE MBEDTLS_CTR_DRBG_KEYSIZE
+#define CTR_DRBG_MAX_INPUT MBEDTLS_CTR_DRBG_MAX_INPUT
+#define CTR_DRBG_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#define CTR_DRBG_MAX_SEED_INPUT MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+#define CTR_DRBG_PR_OFF MBEDTLS_CTR_DRBG_PR_OFF
+#define CTR_DRBG_PR_ON MBEDTLS_CTR_DRBG_PR_ON
+#define CTR_DRBG_RESEED_INTERVAL MBEDTLS_CTR_DRBG_RESEED_INTERVAL
+#define CTR_DRBG_SEEDLEN MBEDTLS_CTR_DRBG_SEEDLEN
+#define DEPRECATED MBEDTLS_DEPRECATED
+#define DES_DECRYPT MBEDTLS_DES_DECRYPT
+#define DES_ENCRYPT MBEDTLS_DES_ENCRYPT
+#define DES_KEY_SIZE MBEDTLS_DES_KEY_SIZE
+#define ENTROPY_BLOCK_SIZE MBEDTLS_ENTROPY_BLOCK_SIZE
+#define ENTROPY_MAX_GATHER MBEDTLS_ENTROPY_MAX_GATHER
+#define ENTROPY_MAX_SEED_SIZE MBEDTLS_ENTROPY_MAX_SEED_SIZE
+#define ENTROPY_MAX_SOURCES MBEDTLS_ENTROPY_MAX_SOURCES
+#define ENTROPY_MIN_HARDCLOCK MBEDTLS_ENTROPY_MIN_HARDCLOCK
+#define ENTROPY_MIN_HAVEGE MBEDTLS_ENTROPY_MIN_HAVEGE
+#define ENTROPY_MIN_PLATFORM MBEDTLS_ENTROPY_MIN_PLATFORM
+#define ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_SOURCE_MANUAL
+#define EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER
+#define EXT_BASIC_CONSTRAINTS MBEDTLS_X509_EXT_BASIC_CONSTRAINTS
+#define EXT_CERTIFICATE_POLICIES MBEDTLS_X509_EXT_CERTIFICATE_POLICIES
+#define EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS
+#define EXT_EXTENDED_KEY_USAGE MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE
+#define EXT_FRESHEST_CRL MBEDTLS_X509_EXT_FRESHEST_CRL
+#define EXT_INIHIBIT_ANYPOLICY MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY
+#define EXT_ISSUER_ALT_NAME MBEDTLS_X509_EXT_ISSUER_ALT_NAME
+#define EXT_KEY_USAGE MBEDTLS_X509_EXT_KEY_USAGE
+#define EXT_NAME_CONSTRAINTS MBEDTLS_X509_EXT_NAME_CONSTRAINTS
+#define EXT_NS_CERT_TYPE MBEDTLS_X509_EXT_NS_CERT_TYPE
+#define EXT_POLICY_CONSTRAINTS MBEDTLS_X509_EXT_POLICY_CONSTRAINTS
+#define EXT_POLICY_MAPPINGS MBEDTLS_X509_EXT_POLICY_MAPPINGS
+#define EXT_SUBJECT_ALT_NAME MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
+#define EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS
+#define EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER
+#define GCM_DECRYPT MBEDTLS_GCM_DECRYPT
+#define GCM_ENCRYPT MBEDTLS_GCM_ENCRYPT
+#define KU_CRL_SIGN MBEDTLS_X509_KU_CRL_SIGN
+#define KU_DATA_ENCIPHERMENT MBEDTLS_X509_KU_DATA_ENCIPHERMENT
+#define KU_DIGITAL_SIGNATURE MBEDTLS_X509_KU_DIGITAL_SIGNATURE
+#define KU_KEY_AGREEMENT MBEDTLS_X509_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN MBEDTLS_X509_KU_KEY_CERT_SIGN
+#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
+#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
+#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
+#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
+#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
+#define MEMORY_VERIFY_NONE MBEDTLS_MEMORY_VERIFY_NONE
+#define MPI_CHK MBEDTLS_MPI_CHK
+#define NET_PROTO_TCP MBEDTLS_NET_PROTO_TCP
+#define NET_PROTO_UDP MBEDTLS_NET_PROTO_UDP
+#define NS_CERT_TYPE_EMAIL MBEDTLS_X509_NS_CERT_TYPE_EMAIL
+#define NS_CERT_TYPE_EMAIL_CA MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
+#define NS_CERT_TYPE_OBJECT_SIGNING MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
+#define NS_CERT_TYPE_RESERVED MBEDTLS_X509_NS_CERT_TYPE_RESERVED
+#define NS_CERT_TYPE_SSL_CA MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
+#define NS_CERT_TYPE_SSL_CLIENT MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
+#define NS_CERT_TYPE_SSL_SERVER MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+#define OID_ANSI_X9_62 MBEDTLS_OID_ANSI_X9_62
+#define OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE
+#define OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
+#define OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62_SIG
+#define OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2
+#define OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE
+#define OID_AT MBEDTLS_OID_AT
+#define OID_AT_CN MBEDTLS_OID_AT_CN
+#define OID_AT_COUNTRY MBEDTLS_OID_AT_COUNTRY
+#define OID_AT_DN_QUALIFIER MBEDTLS_OID_AT_DN_QUALIFIER
+#define OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT_GENERATION_QUALIFIER
+#define OID_AT_GIVEN_NAME MBEDTLS_OID_AT_GIVEN_NAME
+#define OID_AT_INITIALS MBEDTLS_OID_AT_INITIALS
+#define OID_AT_LOCALITY MBEDTLS_OID_AT_LOCALITY
+#define OID_AT_ORGANIZATION MBEDTLS_OID_AT_ORGANIZATION
+#define OID_AT_ORG_UNIT MBEDTLS_OID_AT_ORG_UNIT
+#define OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT_POSTAL_ADDRESS
+#define OID_AT_POSTAL_CODE MBEDTLS_OID_AT_POSTAL_CODE
+#define OID_AT_PSEUDONYM MBEDTLS_OID_AT_PSEUDONYM
+#define OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT_SERIAL_NUMBER
+#define OID_AT_STATE MBEDTLS_OID_AT_STATE
+#define OID_AT_SUR_NAME MBEDTLS_OID_AT_SUR_NAME
+#define OID_AT_TITLE MBEDTLS_OID_AT_TITLE
+#define OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT_UNIQUE_IDENTIFIER
+#define OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER
+#define OID_BASIC_CONSTRAINTS MBEDTLS_OID_BASIC_CONSTRAINTS
+#define OID_CERTICOM MBEDTLS_OID_CERTICOM
+#define OID_CERTIFICATE_POLICIES MBEDTLS_OID_CERTIFICATE_POLICIES
+#define OID_CLIENT_AUTH MBEDTLS_OID_CLIENT_AUTH
+#define OID_CMP MBEDTLS_OID_CMP
+#define OID_CODE_SIGNING MBEDTLS_OID_CODE_SIGNING
+#define OID_COUNTRY_US MBEDTLS_OID_COUNTRY_US
+#define OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_CRL_DISTRIBUTION_POINTS
+#define OID_CRL_NUMBER MBEDTLS_OID_CRL_NUMBER
+#define OID_DES_CBC MBEDTLS_OID_DES_CBC
+#define OID_DES_EDE3_CBC MBEDTLS_OID_DES_EDE3_CBC
+#define OID_DIGEST_ALG_MD2 MBEDTLS_OID_DIGEST_ALG_MD2
+#define OID_DIGEST_ALG_MD4 MBEDTLS_OID_DIGEST_ALG_MD4
+#define OID_DIGEST_ALG_MD5 MBEDTLS_OID_DIGEST_ALG_MD5
+#define OID_DIGEST_ALG_SHA1 MBEDTLS_OID_DIGEST_ALG_SHA1
+#define OID_DIGEST_ALG_SHA224 MBEDTLS_OID_DIGEST_ALG_SHA224
+#define OID_DIGEST_ALG_SHA256 MBEDTLS_OID_DIGEST_ALG_SHA256
+#define OID_DIGEST_ALG_SHA384 MBEDTLS_OID_DIGEST_ALG_SHA384
+#define OID_DIGEST_ALG_SHA512 MBEDTLS_OID_DIGEST_ALG_SHA512
+#define OID_DOMAIN_COMPONENT MBEDTLS_OID_DOMAIN_COMPONENT
+#define OID_ECDSA_SHA1 MBEDTLS_OID_ECDSA_SHA1
+#define OID_ECDSA_SHA224 MBEDTLS_OID_ECDSA_SHA224
+#define OID_ECDSA_SHA256 MBEDTLS_OID_ECDSA_SHA256
+#define OID_ECDSA_SHA384 MBEDTLS_OID_ECDSA_SHA384
+#define OID_ECDSA_SHA512 MBEDTLS_OID_ECDSA_SHA512
+#define OID_EC_ALG_ECDH MBEDTLS_OID_EC_ALG_ECDH
+#define OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_EC_ALG_UNRESTRICTED
+#define OID_EC_BRAINPOOL_V1 MBEDTLS_OID_EC_BRAINPOOL_V1
+#define OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_GRP_BP256R1
+#define OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_GRP_BP384R1
+#define OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_GRP_BP512R1
+#define OID_EC_GRP_SECP192K1 MBEDTLS_OID_EC_GRP_SECP192K1
+#define OID_EC_GRP_SECP192R1 MBEDTLS_OID_EC_GRP_SECP192R1
+#define OID_EC_GRP_SECP224K1 MBEDTLS_OID_EC_GRP_SECP224K1
+#define OID_EC_GRP_SECP224R1 MBEDTLS_OID_EC_GRP_SECP224R1
+#define OID_EC_GRP_SECP256K1 MBEDTLS_OID_EC_GRP_SECP256K1
+#define OID_EC_GRP_SECP256R1 MBEDTLS_OID_EC_GRP_SECP256R1
+#define OID_EC_GRP_SECP384R1 MBEDTLS_OID_EC_GRP_SECP384R1
+#define OID_EC_GRP_SECP521R1 MBEDTLS_OID_EC_GRP_SECP521R1
+#define OID_EMAIL_PROTECTION MBEDTLS_OID_EMAIL_PROTECTION
+#define OID_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE
+#define OID_FRESHEST_CRL MBEDTLS_OID_FRESHEST_CRL
+#define OID_GOV MBEDTLS_OID_GOV
+#define OID_HMAC_SHA1 MBEDTLS_OID_HMAC_SHA1
+#define OID_ID_CE MBEDTLS_OID_ID_CE
+#define OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_INIHIBIT_ANYPOLICY
+#define OID_ISO_CCITT_DS MBEDTLS_OID_ISO_CCITT_DS
+#define OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ISO_IDENTIFIED_ORG
+#define OID_ISO_ITU_COUNTRY MBEDTLS_OID_ISO_ITU_COUNTRY
+#define OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_US_ORG
+#define OID_ISO_MEMBER_BODIES MBEDTLS_OID_ISO_MEMBER_BODIES
+#define OID_ISSUER_ALT_NAME MBEDTLS_OID_ISSUER_ALT_NAME
+#define OID_KEY_USAGE MBEDTLS_OID_KEY_USAGE
+#define OID_KP MBEDTLS_OID_KP
+#define OID_MGF1 MBEDTLS_OID_MGF1
+#define OID_NAME_CONSTRAINTS MBEDTLS_OID_NAME_CONSTRAINTS
+#define OID_NETSCAPE MBEDTLS_OID_NETSCAPE
+#define OID_NS_BASE_URL MBEDTLS_OID_NS_BASE_URL
+#define OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CA_POLICY_URL
+#define OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CA_REVOCATION_URL
+#define OID_NS_CERT MBEDTLS_OID_NS_CERT
+#define OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_CERT_SEQUENCE
+#define OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT_TYPE
+#define OID_NS_COMMENT MBEDTLS_OID_NS_COMMENT
+#define OID_NS_DATA_TYPE MBEDTLS_OID_NS_DATA_TYPE
+#define OID_NS_RENEWAL_URL MBEDTLS_OID_NS_RENEWAL_URL
+#define OID_NS_REVOCATION_URL MBEDTLS_OID_NS_REVOCATION_URL
+#define OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_SSL_SERVER_NAME
+#define OID_OCSP_SIGNING MBEDTLS_OID_OCSP_SIGNING
+#define OID_OIW_SECSIG MBEDTLS_OID_OIW_SECSIG
+#define OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG_ALG
+#define OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_SHA1
+#define OID_ORGANIZATION MBEDTLS_OID_ORGANIZATION
+#define OID_ORG_ANSI_X9_62 MBEDTLS_OID_ORG_ANSI_X9_62
+#define OID_ORG_CERTICOM MBEDTLS_OID_ORG_CERTICOM
+#define OID_ORG_DOD MBEDTLS_OID_ORG_DOD
+#define OID_ORG_GOV MBEDTLS_OID_ORG_GOV
+#define OID_ORG_NETSCAPE MBEDTLS_OID_ORG_NETSCAPE
+#define OID_ORG_OIW MBEDTLS_OID_ORG_OIW
+#define OID_ORG_RSA_DATA_SECURITY MBEDTLS_OID_ORG_RSA_DATA_SECURITY
+#define OID_ORG_TELETRUST MBEDTLS_OID_ORG_TELETRUST
+#define OID_PKCS MBEDTLS_OID_PKCS
+#define OID_PKCS1 MBEDTLS_OID_PKCS1
+#define OID_PKCS12 MBEDTLS_OID_PKCS12
+#define OID_PKCS12_PBE MBEDTLS_OID_PKCS12_PBE
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC
+#define OID_PKCS12_PBE_SHA1_RC4_128 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
+#define OID_PKCS12_PBE_SHA1_RC4_40 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40
+#define OID_PKCS1_MD2 MBEDTLS_OID_PKCS1_MD2
+#define OID_PKCS1_MD4 MBEDTLS_OID_PKCS1_MD4
+#define OID_PKCS1_MD5 MBEDTLS_OID_PKCS1_MD5
+#define OID_PKCS1_RSA MBEDTLS_OID_PKCS1_RSA
+#define OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1_SHA1
+#define OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1_SHA224
+#define OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1_SHA256
+#define OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1_SHA384
+#define OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1_SHA512
+#define OID_PKCS5 MBEDTLS_OID_PKCS5
+#define OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5_PBES2
+#define OID_PKCS5_PBE_MD2_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC
+#define OID_PKCS5_PBE_MD2_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC
+#define OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC
+#define OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC
+#define OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC
+#define OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC
+#define OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5_PBKDF2
+#define OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5_PBMAC1
+#define OID_PKCS9 MBEDTLS_OID_PKCS9
+#define OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9_CSR_EXT_REQ
+#define OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9_EMAIL
+#define OID_PKIX MBEDTLS_OID_PKIX
+#define OID_POLICY_CONSTRAINTS MBEDTLS_OID_POLICY_CONSTRAINTS
+#define OID_POLICY_MAPPINGS MBEDTLS_OID_POLICY_MAPPINGS
+#define OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD
+#define OID_RSASSA_PSS MBEDTLS_OID_RSASSA_PSS
+#define OID_RSA_COMPANY MBEDTLS_OID_RSA_COMPANY
+#define OID_RSA_SHA_OBS MBEDTLS_OID_RSA_SHA_OBS
+#define OID_SERVER_AUTH MBEDTLS_OID_SERVER_AUTH
+#define OID_SIZE MBEDTLS_OID_SIZE
+#define OID_SUBJECT_ALT_NAME MBEDTLS_OID_SUBJECT_ALT_NAME
+#define OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS
+#define OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER
+#define OID_TELETRUST MBEDTLS_OID_TELETRUST
+#define OID_TIME_STAMPING MBEDTLS_OID_TIME_STAMPING
+#define PADLOCK_ACE MBEDTLS_PADLOCK_ACE
+#define PADLOCK_ALIGN16 MBEDTLS_PADLOCK_ALIGN16
+#define PADLOCK_PHE MBEDTLS_PADLOCK_PHE
+#define PADLOCK_PMM MBEDTLS_PADLOCK_PMM
+#define PADLOCK_RNG MBEDTLS_PADLOCK_RNG
+#define PKCS12_DERIVE_IV MBEDTLS_PKCS12_DERIVE_IV
+#define PKCS12_DERIVE_KEY MBEDTLS_PKCS12_DERIVE_KEY
+#define PKCS12_DERIVE_MAC_KEY MBEDTLS_PKCS12_DERIVE_MAC_KEY
+#define PKCS12_PBE_DECRYPT MBEDTLS_PKCS12_PBE_DECRYPT
+#define PKCS12_PBE_ENCRYPT MBEDTLS_PKCS12_PBE_ENCRYPT
+#define PKCS5_DECRYPT MBEDTLS_PKCS5_DECRYPT
+#define PKCS5_ENCRYPT MBEDTLS_PKCS5_ENCRYPT
+#define POLARSSL_AESNI_AES MBEDTLS_AESNI_AES
+#define POLARSSL_AESNI_CLMUL MBEDTLS_AESNI_CLMUL
+#define POLARSSL_AESNI_H MBEDTLS_AESNI_H
+#define POLARSSL_AES_H MBEDTLS_AES_H
+#define POLARSSL_ARC4_H MBEDTLS_ARC4_H
+#define POLARSSL_ASN1_H MBEDTLS_ASN1_H
+#define POLARSSL_ASN1_WRITE_H MBEDTLS_ASN1_WRITE_H
+#define POLARSSL_BASE64_H MBEDTLS_BASE64_H
+#define POLARSSL_BIGNUM_H MBEDTLS_BIGNUM_H
+#define POLARSSL_BLOWFISH_H MBEDTLS_BLOWFISH_H
+#define POLARSSL_BN_MUL_H MBEDTLS_BN_MUL_H
+#define POLARSSL_CAMELLIA_H MBEDTLS_CAMELLIA_H
+#define POLARSSL_CCM_H MBEDTLS_CCM_H
+#define POLARSSL_CERTS_H MBEDTLS_CERTS_H
+#define POLARSSL_CHECK_CONFIG_H MBEDTLS_CHECK_CONFIG_H
+#define POLARSSL_CIPHERSUITE_NODTLS MBEDTLS_CIPHERSUITE_NODTLS
+#define POLARSSL_CIPHERSUITE_SHORT_TAG MBEDTLS_CIPHERSUITE_SHORT_TAG
+#define POLARSSL_CIPHERSUITE_WEAK MBEDTLS_CIPHERSUITE_WEAK
+#define POLARSSL_CIPHER_AES_128_CBC MBEDTLS_CIPHER_AES_128_CBC
+#define POLARSSL_CIPHER_AES_128_CCM MBEDTLS_CIPHER_AES_128_CCM
+#define POLARSSL_CIPHER_AES_128_CFB128 MBEDTLS_CIPHER_AES_128_CFB128
+#define POLARSSL_CIPHER_AES_128_CTR MBEDTLS_CIPHER_AES_128_CTR
+#define POLARSSL_CIPHER_AES_128_ECB MBEDTLS_CIPHER_AES_128_ECB
+#define POLARSSL_CIPHER_AES_128_GCM MBEDTLS_CIPHER_AES_128_GCM
+#define POLARSSL_CIPHER_AES_192_CBC MBEDTLS_CIPHER_AES_192_CBC
+#define POLARSSL_CIPHER_AES_192_CCM MBEDTLS_CIPHER_AES_192_CCM
+#define POLARSSL_CIPHER_AES_192_CFB128 MBEDTLS_CIPHER_AES_192_CFB128
+#define POLARSSL_CIPHER_AES_192_CTR MBEDTLS_CIPHER_AES_192_CTR
+#define POLARSSL_CIPHER_AES_192_ECB MBEDTLS_CIPHER_AES_192_ECB
+#define POLARSSL_CIPHER_AES_192_GCM MBEDTLS_CIPHER_AES_192_GCM
+#define POLARSSL_CIPHER_AES_256_CBC MBEDTLS_CIPHER_AES_256_CBC
+#define POLARSSL_CIPHER_AES_256_CCM MBEDTLS_CIPHER_AES_256_CCM
+#define POLARSSL_CIPHER_AES_256_CFB128 MBEDTLS_CIPHER_AES_256_CFB128
+#define POLARSSL_CIPHER_AES_256_CTR MBEDTLS_CIPHER_AES_256_CTR
+#define POLARSSL_CIPHER_AES_256_ECB MBEDTLS_CIPHER_AES_256_ECB
+#define POLARSSL_CIPHER_AES_256_GCM MBEDTLS_CIPHER_AES_256_GCM
+#define POLARSSL_CIPHER_ARC4_128 MBEDTLS_CIPHER_ARC4_128
+#define POLARSSL_CIPHER_BLOWFISH_CBC MBEDTLS_CIPHER_BLOWFISH_CBC
+#define POLARSSL_CIPHER_BLOWFISH_CFB64 MBEDTLS_CIPHER_BLOWFISH_CFB64
+#define POLARSSL_CIPHER_BLOWFISH_CTR MBEDTLS_CIPHER_BLOWFISH_CTR
+#define POLARSSL_CIPHER_BLOWFISH_ECB MBEDTLS_CIPHER_BLOWFISH_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_CBC MBEDTLS_CIPHER_CAMELLIA_128_CBC
+#define POLARSSL_CIPHER_CAMELLIA_128_CCM MBEDTLS_CIPHER_CAMELLIA_128_CCM
+#define POLARSSL_CIPHER_CAMELLIA_128_CFB128 MBEDTLS_CIPHER_CAMELLIA_128_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_128_CTR MBEDTLS_CIPHER_CAMELLIA_128_CTR
+#define POLARSSL_CIPHER_CAMELLIA_128_ECB MBEDTLS_CIPHER_CAMELLIA_128_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_GCM MBEDTLS_CIPHER_CAMELLIA_128_GCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CBC MBEDTLS_CIPHER_CAMELLIA_192_CBC
+#define POLARSSL_CIPHER_CAMELLIA_192_CCM MBEDTLS_CIPHER_CAMELLIA_192_CCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CFB128 MBEDTLS_CIPHER_CAMELLIA_192_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_192_CTR MBEDTLS_CIPHER_CAMELLIA_192_CTR
+#define POLARSSL_CIPHER_CAMELLIA_192_ECB MBEDTLS_CIPHER_CAMELLIA_192_ECB
+#define POLARSSL_CIPHER_CAMELLIA_192_GCM MBEDTLS_CIPHER_CAMELLIA_192_GCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CBC MBEDTLS_CIPHER_CAMELLIA_256_CBC
+#define POLARSSL_CIPHER_CAMELLIA_256_CCM MBEDTLS_CIPHER_CAMELLIA_256_CCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CFB128 MBEDTLS_CIPHER_CAMELLIA_256_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_256_CTR MBEDTLS_CIPHER_CAMELLIA_256_CTR
+#define POLARSSL_CIPHER_CAMELLIA_256_ECB MBEDTLS_CIPHER_CAMELLIA_256_ECB
+#define POLARSSL_CIPHER_CAMELLIA_256_GCM MBEDTLS_CIPHER_CAMELLIA_256_GCM
+#define POLARSSL_CIPHER_DES_CBC MBEDTLS_CIPHER_DES_CBC
+#define POLARSSL_CIPHER_DES_ECB MBEDTLS_CIPHER_DES_ECB
+#define POLARSSL_CIPHER_DES_EDE3_CBC MBEDTLS_CIPHER_DES_EDE3_CBC
+#define POLARSSL_CIPHER_DES_EDE3_ECB MBEDTLS_CIPHER_DES_EDE3_ECB
+#define POLARSSL_CIPHER_DES_EDE_CBC MBEDTLS_CIPHER_DES_EDE_CBC
+#define POLARSSL_CIPHER_DES_EDE_ECB MBEDTLS_CIPHER_DES_EDE_ECB
+#define POLARSSL_CIPHER_H MBEDTLS_CIPHER_H
+#define POLARSSL_CIPHER_ID_3DES MBEDTLS_CIPHER_ID_3DES
+#define POLARSSL_CIPHER_ID_AES MBEDTLS_CIPHER_ID_AES
+#define POLARSSL_CIPHER_ID_ARC4 MBEDTLS_CIPHER_ID_ARC4
+#define POLARSSL_CIPHER_ID_BLOWFISH MBEDTLS_CIPHER_ID_BLOWFISH
+#define POLARSSL_CIPHER_ID_CAMELLIA MBEDTLS_CIPHER_ID_CAMELLIA
+#define POLARSSL_CIPHER_ID_DES MBEDTLS_CIPHER_ID_DES
+#define POLARSSL_CIPHER_ID_NONE MBEDTLS_CIPHER_ID_NONE
+#define POLARSSL_CIPHER_ID_NULL MBEDTLS_CIPHER_ID_NULL
+#define POLARSSL_CIPHER_MODE_AEAD MBEDTLS_CIPHER_MODE_AEAD
+#define POLARSSL_CIPHER_MODE_STREAM MBEDTLS_CIPHER_MODE_STREAM
+#define POLARSSL_CIPHER_MODE_WITH_PADDING MBEDTLS_CIPHER_MODE_WITH_PADDING
+#define POLARSSL_CIPHER_NONE MBEDTLS_CIPHER_NONE
+#define POLARSSL_CIPHER_NULL MBEDTLS_CIPHER_NULL
+#define POLARSSL_CIPHER_VARIABLE_IV_LEN MBEDTLS_CIPHER_VARIABLE_IV_LEN
+#define POLARSSL_CIPHER_VARIABLE_KEY_LEN MBEDTLS_CIPHER_VARIABLE_KEY_LEN
+#define POLARSSL_CIPHER_WRAP_H MBEDTLS_CIPHER_WRAP_H
+#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
+#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
+#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
+#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
+#define POLARSSL_DES_H MBEDTLS_DES_H
+#define POLARSSL_DHM_H MBEDTLS_DHM_H
+#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
+#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
+#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
+#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
+#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
+#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
+#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
+#define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
+#define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
+#define POLARSSL_ECDSA_H MBEDTLS_ECDSA_H
+#define POLARSSL_ECP_DP_BP256R1 MBEDTLS_ECP_DP_BP256R1
+#define POLARSSL_ECP_DP_BP384R1 MBEDTLS_ECP_DP_BP384R1
+#define POLARSSL_ECP_DP_BP512R1 MBEDTLS_ECP_DP_BP512R1
+#define POLARSSL_ECP_DP_M255 MBEDTLS_ECP_DP_CURVE25519
+#define POLARSSL_ECP_DP_MAX MBEDTLS_ECP_DP_MAX
+#define POLARSSL_ECP_DP_NONE MBEDTLS_ECP_DP_NONE
+#define POLARSSL_ECP_DP_SECP192K1 MBEDTLS_ECP_DP_SECP192K1
+#define POLARSSL_ECP_DP_SECP192R1 MBEDTLS_ECP_DP_SECP192R1
+#define POLARSSL_ECP_DP_SECP224K1 MBEDTLS_ECP_DP_SECP224K1
+#define POLARSSL_ECP_DP_SECP224R1 MBEDTLS_ECP_DP_SECP224R1
+#define POLARSSL_ECP_DP_SECP256K1 MBEDTLS_ECP_DP_SECP256K1
+#define POLARSSL_ECP_DP_SECP256R1 MBEDTLS_ECP_DP_SECP256R1
+#define POLARSSL_ECP_DP_SECP384R1 MBEDTLS_ECP_DP_SECP384R1
+#define POLARSSL_ECP_DP_SECP521R1 MBEDTLS_ECP_DP_SECP521R1
+#define POLARSSL_ECP_H MBEDTLS_ECP_H
+#define POLARSSL_ECP_MAX_BYTES MBEDTLS_ECP_MAX_BYTES
+#define POLARSSL_ECP_MAX_PT_LEN MBEDTLS_ECP_MAX_PT_LEN
+#define POLARSSL_ECP_PF_COMPRESSED MBEDTLS_ECP_PF_COMPRESSED
+#define POLARSSL_ECP_PF_UNCOMPRESSED MBEDTLS_ECP_PF_UNCOMPRESSED
+#define POLARSSL_ECP_TLS_NAMED_CURVE MBEDTLS_ECP_TLS_NAMED_CURVE
+#define POLARSSL_ENCRYPT MBEDTLS_ENCRYPT
+#define POLARSSL_ENTROPY_H MBEDTLS_ENTROPY_H
+#define POLARSSL_ENTROPY_POLL_H MBEDTLS_ENTROPY_POLL_H
+#define POLARSSL_ENTROPY_SHA256_ACCUMULATOR MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define POLARSSL_ERROR_H MBEDTLS_ERROR_H
+#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+#define POLARSSL_ERR_ASN1_INVALID_DATA MBEDTLS_ERR_ASN1_INVALID_DATA
+#define POLARSSL_ERR_ASN1_INVALID_LENGTH MBEDTLS_ERR_ASN1_INVALID_LENGTH
+#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+#define POLARSSL_ERR_ASN1_MALLOC_FAILED MBEDTLS_ERR_ASN1_ALLOC_FAILED
+#define POLARSSL_ERR_ASN1_OUT_OF_DATA MBEDTLS_ERR_ASN1_OUT_OF_DATA
+#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_BASE64_INVALID_CHARACTER MBEDTLS_ERR_BASE64_INVALID_CHARACTER
+#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CCM_AUTH_FAILED MBEDTLS_ERR_CCM_AUTH_FAILED
+#define POLARSSL_ERR_CCM_BAD_INPUT MBEDTLS_ERR_CCM_BAD_INPUT
+#define POLARSSL_ERR_CIPHER_ALLOC_FAILED MBEDTLS_ERR_CIPHER_ALLOC_FAILED
+#define POLARSSL_ERR_CIPHER_AUTH_FAILED MBEDTLS_ERR_CIPHER_AUTH_FAILED
+#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
+#define POLARSSL_ERR_CIPHER_INVALID_PADDING MBEDTLS_ERR_CIPHER_INVALID_PADDING
+#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_DHM_BAD_INPUT_DATA MBEDTLS_ERR_DHM_BAD_INPUT_DATA
+#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED MBEDTLS_ERR_DHM_CALC_SECRET_FAILED
+#define POLARSSL_ERR_DHM_FILE_IO_ERROR MBEDTLS_ERR_DHM_FILE_IO_ERROR
+#define POLARSSL_ERR_DHM_INVALID_FORMAT MBEDTLS_ERR_DHM_INVALID_FORMAT
+#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED
+#define POLARSSL_ERR_DHM_MALLOC_FAILED MBEDTLS_ERR_DHM_ALLOC_FAILED
+#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED MBEDTLS_ERR_DHM_READ_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED
+#define POLARSSL_ERR_ECP_BAD_INPUT_DATA MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_ECP_INVALID_KEY MBEDTLS_ERR_ECP_INVALID_KEY
+#define POLARSSL_ERR_ECP_MALLOC_FAILED MBEDTLS_ERR_ECP_ALLOC_FAILED
+#define POLARSSL_ERR_ECP_RANDOM_FAILED MBEDTLS_ERR_ECP_RANDOM_FAILED
+#define POLARSSL_ERR_ECP_SIG_LEN_MISMATCH MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_ECP_VERIFY_FAILED MBEDTLS_ERR_ECP_VERIFY_FAILED
+#define POLARSSL_ERR_ENTROPY_FILE_IO_ERROR MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
+#define POLARSSL_ERR_ENTROPY_MAX_SOURCES MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED
+#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_GCM_AUTH_FAILED MBEDTLS_ERR_GCM_AUTH_FAILED
+#define POLARSSL_ERR_GCM_BAD_INPUT MBEDTLS_ERR_GCM_BAD_INPUT
+#define POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
+#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
+#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_MD_FILE_IO_ERROR MBEDTLS_ERR_MD_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_BAD_INPUT_DATA MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+#define POLARSSL_ERR_MPI_FILE_IO_ERROR MBEDTLS_ERR_MPI_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_INVALID_CHARACTER MBEDTLS_ERR_MPI_INVALID_CHARACTER
+#define POLARSSL_ERR_MPI_MALLOC_FAILED MBEDTLS_ERR_MPI_ALLOC_FAILED
+#define POLARSSL_ERR_MPI_NEGATIVE_VALUE MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+#define POLARSSL_ERR_NET_ACCEPT_FAILED MBEDTLS_ERR_NET_ACCEPT_FAILED
+#define POLARSSL_ERR_NET_BIND_FAILED MBEDTLS_ERR_NET_BIND_FAILED
+#define POLARSSL_ERR_NET_CONNECT_FAILED MBEDTLS_ERR_NET_CONNECT_FAILED
+#define POLARSSL_ERR_NET_CONN_RESET MBEDTLS_ERR_NET_CONN_RESET
+#define POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
+#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
+#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
+#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
+#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
+#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
+#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
+#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
+#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
+#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
+#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
+#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV MBEDTLS_ERR_PEM_INVALID_ENC_IV
+#define POLARSSL_ERR_PEM_MALLOC_FAILED MBEDTLS_ERR_PEM_ALLOC_FAILED
+#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT MBEDTLS_ERR_PKCS5_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_BAD_INPUT_DATA MBEDTLS_ERR_PK_BAD_INPUT_DATA
+#define POLARSSL_ERR_PK_FEATURE_UNAVAILABLE MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PK_FILE_IO_ERROR MBEDTLS_ERR_PK_FILE_IO_ERROR
+#define POLARSSL_ERR_PK_INVALID_ALG MBEDTLS_ERR_PK_INVALID_ALG
+#define POLARSSL_ERR_PK_INVALID_PUBKEY MBEDTLS_ERR_PK_INVALID_PUBKEY
+#define POLARSSL_ERR_PK_KEY_INVALID_FORMAT MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+#define POLARSSL_ERR_PK_KEY_INVALID_VERSION MBEDTLS_ERR_PK_KEY_INVALID_VERSION
+#define POLARSSL_ERR_PK_MALLOC_FAILED MBEDTLS_ERR_PK_ALLOC_FAILED
+#define POLARSSL_ERR_PK_PASSWORD_MISMATCH MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_PASSWORD_REQUIRED MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PK_SIG_LEN_MISMATCH MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
+#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
+#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
+#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+#define POLARSSL_ERR_RSA_KEY_GEN_FAILED MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+#define POLARSSL_ERR_RSA_PRIVATE_FAILED MBEDTLS_ERR_RSA_PRIVATE_FAILED
+#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
+#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
+#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
+#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
+#define POLARSSL_ERR_SSL_BAD_HS_FINISHED MBEDTLS_ERR_SSL_BAD_HS_FINISHED
+#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
+#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_INPUT_DATA MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+#define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
+#define POLARSSL_ERR_SSL_COMPRESSION_FAILED MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+#define POLARSSL_ERR_SSL_CONN_EOF MBEDTLS_ERR_SSL_CONN_EOF
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING MBEDTLS_ERR_SSL_COUNTER_WRAPPING
+#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
+#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
+#define POLARSSL_ERR_SSL_INTERNAL_ERROR MBEDTLS_ERR_SSL_INTERNAL_ERROR
+#define POLARSSL_ERR_SSL_INVALID_MAC MBEDTLS_ERR_SSL_INVALID_MAC
+#define POLARSSL_ERR_SSL_INVALID_RECORD MBEDTLS_ERR_SSL_INVALID_RECORD
+#define POLARSSL_ERR_SSL_MALLOC_FAILED MBEDTLS_ERR_SSL_ALLOC_FAILED
+#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
+#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
+#define POLARSSL_ERR_SSL_NO_RNG MBEDTLS_ERR_SSL_NO_RNG
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
+#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
+#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
+#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
+#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
+#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
+#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
+#define POLARSSL_ERR_THREADING_BAD_INPUT_DATA MBEDTLS_ERR_THREADING_BAD_INPUT_DATA
+#define POLARSSL_ERR_THREADING_FEATURE_UNAVAILABLE MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_THREADING_MUTEX_ERROR MBEDTLS_ERR_THREADING_MUTEX_ERROR
+#define POLARSSL_ERR_X509_BAD_INPUT_DATA MBEDTLS_ERR_X509_BAD_INPUT_DATA
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
+#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_X509_FILE_IO_ERROR MBEDTLS_ERR_X509_FILE_IO_ERROR
+#define POLARSSL_ERR_X509_INVALID_ALG MBEDTLS_ERR_X509_INVALID_ALG
+#define POLARSSL_ERR_X509_INVALID_DATE MBEDTLS_ERR_X509_INVALID_DATE
+#define POLARSSL_ERR_X509_INVALID_EXTENSIONS MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+#define POLARSSL_ERR_X509_INVALID_FORMAT MBEDTLS_ERR_X509_INVALID_FORMAT
+#define POLARSSL_ERR_X509_INVALID_NAME MBEDTLS_ERR_X509_INVALID_NAME
+#define POLARSSL_ERR_X509_INVALID_SERIAL MBEDTLS_ERR_X509_INVALID_SERIAL
+#define POLARSSL_ERR_X509_INVALID_SIGNATURE MBEDTLS_ERR_X509_INVALID_SIGNATURE
+#define POLARSSL_ERR_X509_INVALID_VERSION MBEDTLS_ERR_X509_INVALID_VERSION
+#define POLARSSL_ERR_X509_MALLOC_FAILED MBEDTLS_ERR_X509_ALLOC_FAILED
+#define POLARSSL_ERR_X509_SIG_MISMATCH MBEDTLS_ERR_X509_SIG_MISMATCH
+#define POLARSSL_ERR_X509_UNKNOWN_OID MBEDTLS_ERR_X509_UNKNOWN_OID
+#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+#define POLARSSL_ERR_X509_UNKNOWN_VERSION MBEDTLS_ERR_X509_UNKNOWN_VERSION
+#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH
+#define POLARSSL_GCM_H MBEDTLS_GCM_H
+#define POLARSSL_HAVEGE_H MBEDTLS_HAVEGE_H
+#define POLARSSL_HAVE_INT32 MBEDTLS_HAVE_INT32
+#define POLARSSL_HAVE_INT64 MBEDTLS_HAVE_INT64
+#define POLARSSL_HAVE_UDBL MBEDTLS_HAVE_UDBL
+#define POLARSSL_HAVE_X86 MBEDTLS_HAVE_X86
+#define POLARSSL_HAVE_X86_64 MBEDTLS_HAVE_X86_64
+#define POLARSSL_HMAC_DRBG_H MBEDTLS_HMAC_DRBG_H
+#define POLARSSL_HMAC_DRBG_PR_OFF MBEDTLS_HMAC_DRBG_PR_OFF
+#define POLARSSL_HMAC_DRBG_PR_ON MBEDTLS_HMAC_DRBG_PR_ON
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK MBEDTLS_KEY_EXCHANGE_DHE_PSK
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA MBEDTLS_KEY_EXCHANGE_DHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+#define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
+#define POLARSSL_KEY_EXCHANGE_PSK MBEDTLS_KEY_EXCHANGE_PSK
+#define POLARSSL_KEY_EXCHANGE_RSA MBEDTLS_KEY_EXCHANGE_RSA
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK MBEDTLS_KEY_EXCHANGE_RSA_PSK
+#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED
+#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
+#define POLARSSL_KEY_LENGTH_DES MBEDTLS_KEY_LENGTH_DES
+#define POLARSSL_KEY_LENGTH_DES_EDE MBEDTLS_KEY_LENGTH_DES_EDE
+#define POLARSSL_KEY_LENGTH_DES_EDE3 MBEDTLS_KEY_LENGTH_DES_EDE3
+#define POLARSSL_KEY_LENGTH_NONE MBEDTLS_KEY_LENGTH_NONE
+#define POLARSSL_MAX_BLOCK_LENGTH MBEDTLS_MAX_BLOCK_LENGTH
+#define POLARSSL_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
+#define POLARSSL_MD2_H MBEDTLS_MD2_H
+#define POLARSSL_MD4_H MBEDTLS_MD4_H
+#define POLARSSL_MD5_H MBEDTLS_MD5_H
+#define POLARSSL_MD_H MBEDTLS_MD_H
+#define POLARSSL_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
+#define POLARSSL_MD_MD2 MBEDTLS_MD_MD2
+#define POLARSSL_MD_MD4 MBEDTLS_MD_MD4
+#define POLARSSL_MD_MD5 MBEDTLS_MD_MD5
+#define POLARSSL_MD_NONE MBEDTLS_MD_NONE
+#define POLARSSL_MD_RIPEMD160 MBEDTLS_MD_RIPEMD160
+#define POLARSSL_MD_SHA1 MBEDTLS_MD_SHA1
+#define POLARSSL_MD_SHA224 MBEDTLS_MD_SHA224
+#define POLARSSL_MD_SHA256 MBEDTLS_MD_SHA256
+#define POLARSSL_MD_SHA384 MBEDTLS_MD_SHA384
+#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
+#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
+#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
+#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
+#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
+#define POLARSSL_MODE_CTR MBEDTLS_MODE_CTR
+#define POLARSSL_MODE_ECB MBEDTLS_MODE_ECB
+#define POLARSSL_MODE_GCM MBEDTLS_MODE_GCM
+#define POLARSSL_MODE_NONE MBEDTLS_MODE_NONE
+#define POLARSSL_MODE_OFB MBEDTLS_MODE_OFB
+#define POLARSSL_MODE_STREAM MBEDTLS_MODE_STREAM
+#define POLARSSL_MPI_MAX_BITS MBEDTLS_MPI_MAX_BITS
+#define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100
+#define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS
+#define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE
+#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H
+#define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG
+#define POLARSSL_OID_H MBEDTLS_OID_H
+#define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE
+#define POLARSSL_PADDING_NONE MBEDTLS_PADDING_NONE
+#define POLARSSL_PADDING_ONE_AND_ZEROS MBEDTLS_PADDING_ONE_AND_ZEROS
+#define POLARSSL_PADDING_PKCS7 MBEDTLS_PADDING_PKCS7
+#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
+#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
+#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
+#define POLARSSL_PEM_H MBEDTLS_PEM_H
+#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
+#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
+#define POLARSSL_PKCS5_H MBEDTLS_PKCS5_H
+#define POLARSSL_PK_DEBUG_ECP MBEDTLS_PK_DEBUG_ECP
+#define POLARSSL_PK_DEBUG_MAX_ITEMS MBEDTLS_PK_DEBUG_MAX_ITEMS
+#define POLARSSL_PK_DEBUG_MPI MBEDTLS_PK_DEBUG_MPI
+#define POLARSSL_PK_DEBUG_NONE MBEDTLS_PK_DEBUG_NONE
+#define POLARSSL_PK_ECDSA MBEDTLS_PK_ECDSA
+#define POLARSSL_PK_ECKEY MBEDTLS_PK_ECKEY
+#define POLARSSL_PK_ECKEY_DH MBEDTLS_PK_ECKEY_DH
+#define POLARSSL_PK_H MBEDTLS_PK_H
+#define POLARSSL_PK_NONE MBEDTLS_PK_NONE
+#define POLARSSL_PK_RSA MBEDTLS_PK_RSA
+#define POLARSSL_PK_RSASSA_PSS MBEDTLS_PK_RSASSA_PSS
+#define POLARSSL_PK_RSA_ALT MBEDTLS_PK_RSA_ALT
+#define POLARSSL_PK_WRAP_H MBEDTLS_PK_WRAP_H
+#define POLARSSL_PLATFORM_H MBEDTLS_PLATFORM_H
+#define POLARSSL_PREMASTER_SIZE MBEDTLS_PREMASTER_SIZE
+#define POLARSSL_RIPEMD160_H MBEDTLS_RIPEMD160_H
+#define POLARSSL_RSA_H MBEDTLS_RSA_H
+#define POLARSSL_SHA1_H MBEDTLS_SHA1_H
+#define POLARSSL_SHA256_H MBEDTLS_SHA256_H
+#define POLARSSL_SHA512_H MBEDTLS_SHA512_H
+#define POLARSSL_SSL_CACHE_H MBEDTLS_SSL_CACHE_H
+#define POLARSSL_SSL_CIPHERSUITES_H MBEDTLS_SSL_CIPHERSUITES_H
+#define POLARSSL_SSL_COOKIE_H MBEDTLS_SSL_COOKIE_H
+#define POLARSSL_SSL_H MBEDTLS_SSL_H
+#define POLARSSL_THREADING_H MBEDTLS_THREADING_H
+#define POLARSSL_THREADING_IMPL MBEDTLS_THREADING_IMPL
+#define POLARSSL_TIMING_H MBEDTLS_TIMING_H
+#define POLARSSL_VERSION_H MBEDTLS_VERSION_H
+#define POLARSSL_VERSION_MAJOR MBEDTLS_VERSION_MAJOR
+#define POLARSSL_VERSION_MINOR MBEDTLS_VERSION_MINOR
+#define POLARSSL_VERSION_NUMBER MBEDTLS_VERSION_NUMBER
+#define POLARSSL_VERSION_PATCH MBEDTLS_VERSION_PATCH
+#define POLARSSL_VERSION_STRING MBEDTLS_VERSION_STRING
+#define POLARSSL_VERSION_STRING_FULL MBEDTLS_VERSION_STRING_FULL
+#define POLARSSL_X509_CRL_H MBEDTLS_X509_CRL_H
+#define POLARSSL_X509_CRT_H MBEDTLS_X509_CRT_H
+#define POLARSSL_X509_CSR_H MBEDTLS_X509_CSR_H
+#define POLARSSL_X509_H MBEDTLS_X509_H
+#define POLARSSL_XTEA_H MBEDTLS_XTEA_H
+#define RSA_CRYPT MBEDTLS_RSA_CRYPT
+#define RSA_PKCS_V15 MBEDTLS_RSA_PKCS_V15
+#define RSA_PKCS_V21 MBEDTLS_RSA_PKCS_V21
+#define RSA_PRIVATE MBEDTLS_RSA_PRIVATE
+#define RSA_PUBLIC MBEDTLS_RSA_PUBLIC
+#define RSA_SALT_LEN_ANY MBEDTLS_RSA_SALT_LEN_ANY
+#define RSA_SIGN MBEDTLS_RSA_SIGN
+#define SSL_ALERT_LEVEL_FATAL MBEDTLS_SSL_ALERT_LEVEL_FATAL
+#define SSL_ALERT_LEVEL_WARNING MBEDTLS_SSL_ALERT_LEVEL_WARNING
+#define SSL_ALERT_MSG_ACCESS_DENIED MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
+#define SSL_ALERT_MSG_BAD_CERT MBEDTLS_SSL_ALERT_MSG_BAD_CERT
+#define SSL_ALERT_MSG_BAD_RECORD_MAC MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
+#define SSL_ALERT_MSG_CERT_EXPIRED MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
+#define SSL_ALERT_MSG_CERT_REVOKED MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
+#define SSL_ALERT_MSG_CERT_UNKNOWN MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
+#define SSL_ALERT_MSG_CLOSE_NOTIFY MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
+#define SSL_ALERT_MSG_DECODE_ERROR MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
+#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE
+#define SSL_ALERT_MSG_DECRYPTION_FAILED MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED
+#define SSL_ALERT_MSG_DECRYPT_ERROR MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
+#define SSL_ALERT_MSG_EXPORT_RESTRICTION MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION
+#define SSL_ALERT_MSG_HANDSHAKE_FAILURE MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
+#define SSL_ALERT_MSG_ILLEGAL_PARAMETER MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
+#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
+#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY
+#define SSL_ALERT_MSG_INTERNAL_ERROR MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
+#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
+#define SSL_ALERT_MSG_NO_CERT MBEDTLS_SSL_ALERT_MSG_NO_CERT
+#define SSL_ALERT_MSG_NO_RENEGOTIATION MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
+#define SSL_ALERT_MSG_PROTOCOL_VERSION MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
+#define SSL_ALERT_MSG_RECORD_OVERFLOW MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW
+#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
+#define SSL_ALERT_MSG_UNKNOWN_CA MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
+#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
+#define SSL_ALERT_MSG_UNRECOGNIZED_NAME MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
+#define SSL_ALERT_MSG_UNSUPPORTED_CERT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+#define SSL_ALERT_MSG_UNSUPPORTED_EXT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
+#define SSL_ALERT_MSG_USER_CANCELED MBEDTLS_SSL_ALERT_MSG_USER_CANCELED
+#define SSL_ANTI_REPLAY_DISABLED MBEDTLS_SSL_ANTI_REPLAY_DISABLED
+#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
+#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
+#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+                         ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
+#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
+#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+#define SSL_CBC_RECORD_SPLITTING_ENABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+#define SSL_CERTIFICATE_REQUEST MBEDTLS_SSL_CERTIFICATE_REQUEST
+#define SSL_CERTIFICATE_VERIFY MBEDTLS_SSL_CERTIFICATE_VERIFY
+#define SSL_CERT_TYPE_ECDSA_SIGN MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
+#define SSL_CERT_TYPE_RSA_SIGN MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
+#define SSL_CHANNEL_INBOUND MBEDTLS_SSL_CHANNEL_INBOUND
+#define SSL_CHANNEL_OUTBOUND MBEDTLS_SSL_CHANNEL_OUTBOUND
+#define SSL_CIPHERSUITES MBEDTLS_SSL_CIPHERSUITES
+#define SSL_CLIENT_CERTIFICATE MBEDTLS_SSL_CLIENT_CERTIFICATE
+#define SSL_CLIENT_CHANGE_CIPHER_SPEC MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
+#define SSL_CLIENT_FINISHED MBEDTLS_SSL_CLIENT_FINISHED
+#define SSL_CLIENT_HELLO MBEDTLS_SSL_CLIENT_HELLO
+#define SSL_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
+#define SSL_COMPRESSION_ADD MBEDTLS_SSL_COMPRESSION_ADD
+#define SSL_COMPRESS_DEFLATE MBEDTLS_SSL_COMPRESS_DEFLATE
+#define SSL_COMPRESS_NULL MBEDTLS_SSL_COMPRESS_NULL
+#define SSL_DEBUG_BUF MBEDTLS_SSL_DEBUG_BUF
+#define SSL_DEBUG_CRT MBEDTLS_SSL_DEBUG_CRT
+#define SSL_DEBUG_ECP MBEDTLS_SSL_DEBUG_ECP
+#define SSL_DEBUG_MPI MBEDTLS_SSL_DEBUG_MPI
+#define SSL_DEBUG_MSG MBEDTLS_SSL_DEBUG_MSG
+#define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET
+#define SSL_DEFAULT_TICKET_LIFETIME MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
+#define SSL_DTLS_TIMEOUT_DFL_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
+#define SSL_DTLS_TIMEOUT_DFL_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
+#define SSL_EMPTY_RENEGOTIATION_INFO MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
+#define SSL_ETM_DISABLED MBEDTLS_SSL_ETM_DISABLED
+#define SSL_ETM_ENABLED MBEDTLS_SSL_ETM_ENABLED
+#define SSL_EXTENDED_MS_DISABLED MBEDTLS_SSL_EXTENDED_MS_DISABLED
+#define SSL_EXTENDED_MS_ENABLED MBEDTLS_SSL_EXTENDED_MS_ENABLED
+#define SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#define SSL_FLUSH_BUFFERS MBEDTLS_SSL_FLUSH_BUFFERS
+#define SSL_HANDSHAKE_OVER MBEDTLS_SSL_HANDSHAKE_OVER
+#define SSL_HANDSHAKE_WRAPUP MBEDTLS_SSL_HANDSHAKE_WRAPUP
+#define SSL_HASH_MD5 MBEDTLS_SSL_HASH_MD5
+#define SSL_HASH_NONE MBEDTLS_SSL_HASH_NONE
+#define SSL_HASH_SHA1 MBEDTLS_SSL_HASH_SHA1
+#define SSL_HASH_SHA224 MBEDTLS_SSL_HASH_SHA224
+#define SSL_HASH_SHA256 MBEDTLS_SSL_HASH_SHA256
+#define SSL_HASH_SHA384 MBEDTLS_SSL_HASH_SHA384
+#define SSL_HASH_SHA512 MBEDTLS_SSL_HASH_SHA512
+#define SSL_HELLO_REQUEST MBEDTLS_SSL_HELLO_REQUEST
+#define SSL_HS_CERTIFICATE MBEDTLS_SSL_HS_CERTIFICATE
+#define SSL_HS_CERTIFICATE_REQUEST MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
+#define SSL_HS_CERTIFICATE_VERIFY MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
+#define SSL_HS_CLIENT_HELLO MBEDTLS_SSL_HS_CLIENT_HELLO
+#define SSL_HS_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
+#define SSL_HS_FINISHED MBEDTLS_SSL_HS_FINISHED
+#define SSL_HS_HELLO_REQUEST MBEDTLS_SSL_HS_HELLO_REQUEST
+#define SSL_HS_HELLO_VERIFY_REQUEST MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
+#define SSL_HS_NEW_SESSION_TICKET MBEDTLS_SSL_HS_NEW_SESSION_TICKET
+#define SSL_HS_SERVER_HELLO MBEDTLS_SSL_HS_SERVER_HELLO
+#define SSL_HS_SERVER_HELLO_DONE MBEDTLS_SSL_HS_SERVER_HELLO_DONE
+#define SSL_HS_SERVER_KEY_EXCHANGE MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
+#define SSL_INITIAL_HANDSHAKE MBEDTLS_SSL_INITIAL_HANDSHAKE
+#define SSL_IS_CLIENT MBEDTLS_SSL_IS_CLIENT
+#define SSL_IS_FALLBACK MBEDTLS_SSL_IS_FALLBACK
+#define SSL_IS_NOT_FALLBACK MBEDTLS_SSL_IS_NOT_FALLBACK
+#define SSL_IS_SERVER MBEDTLS_SSL_IS_SERVER
+#define SSL_LEGACY_ALLOW_RENEGOTIATION MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
+#define SSL_LEGACY_BREAK_HANDSHAKE MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
+#define SSL_LEGACY_NO_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
+#define SSL_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_RENEGOTIATION
+#define SSL_MAC_ADD MBEDTLS_SSL_MAC_ADD
+#define SSL_MAJOR_VERSION_3 MBEDTLS_SSL_MAJOR_VERSION_3
+#define SSL_MAX_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#define SSL_MAX_FRAG_LEN_1024 MBEDTLS_SSL_MAX_FRAG_LEN_1024
+#define SSL_MAX_FRAG_LEN_2048 MBEDTLS_SSL_MAX_FRAG_LEN_2048
+#define SSL_MAX_FRAG_LEN_4096 MBEDTLS_SSL_MAX_FRAG_LEN_4096
+#define SSL_MAX_FRAG_LEN_512 MBEDTLS_SSL_MAX_FRAG_LEN_512
+#define SSL_MAX_FRAG_LEN_INVALID MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
+#define SSL_MAX_FRAG_LEN_NONE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
+#define SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAX_MAJOR_VERSION
+#define SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MAX_MINOR_VERSION
+#define SSL_MINOR_VERSION_0 MBEDTLS_SSL_MINOR_VERSION_0
+#define SSL_MINOR_VERSION_1 MBEDTLS_SSL_MINOR_VERSION_1
+#define SSL_MINOR_VERSION_2 MBEDTLS_SSL_MINOR_VERSION_2
+#define SSL_MINOR_VERSION_3 MBEDTLS_SSL_MINOR_VERSION_3
+#define SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MIN_MAJOR_VERSION
+#define SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MIN_MINOR_VERSION
+#define SSL_MSG_ALERT MBEDTLS_SSL_MSG_ALERT
+#define SSL_MSG_APPLICATION_DATA MBEDTLS_SSL_MSG_APPLICATION_DATA
+#define SSL_MSG_CHANGE_CIPHER_SPEC MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
+#define SSL_MSG_HANDSHAKE MBEDTLS_SSL_MSG_HANDSHAKE
+#define SSL_PADDING_ADD MBEDTLS_SSL_PADDING_ADD
+#define SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#define SSL_RENEGOTIATION_DISABLED MBEDTLS_SSL_RENEGOTIATION_DISABLED
+#define SSL_RENEGOTIATION_DONE MBEDTLS_SSL_RENEGOTIATION_DONE
+#define SSL_RENEGOTIATION_ENABLED MBEDTLS_SSL_RENEGOTIATION_ENABLED
+#define SSL_RENEGOTIATION_NOT_ENFORCED MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED
+#define SSL_RENEGOTIATION_PENDING MBEDTLS_SSL_RENEGOTIATION_PENDING
+#define SSL_RENEGO_MAX_RECORDS_DEFAULT MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
+#define SSL_RETRANS_FINISHED MBEDTLS_SSL_RETRANS_FINISHED
+#define SSL_RETRANS_PREPARING MBEDTLS_SSL_RETRANS_PREPARING
+#define SSL_RETRANS_SENDING MBEDTLS_SSL_RETRANS_SENDING
+#define SSL_RETRANS_WAITING MBEDTLS_SSL_RETRANS_WAITING
+#define SSL_SECURE_RENEGOTIATION MBEDTLS_SSL_SECURE_RENEGOTIATION
+#define SSL_SERVER_CERTIFICATE MBEDTLS_SSL_SERVER_CERTIFICATE
+#define SSL_SERVER_CHANGE_CIPHER_SPEC MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
+#define SSL_SERVER_FINISHED MBEDTLS_SSL_SERVER_FINISHED
+#define SSL_SERVER_HELLO MBEDTLS_SSL_SERVER_HELLO
+#define SSL_SERVER_HELLO_DONE MBEDTLS_SSL_SERVER_HELLO_DONE
+#define SSL_SERVER_HELLO_VERIFY_REQUEST_SENT MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
+#define SSL_SERVER_KEY_EXCHANGE MBEDTLS_SSL_SERVER_KEY_EXCHANGE
+#define SSL_SERVER_NEW_SESSION_TICKET MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
+#define SSL_SESSION_TICKETS_DISABLED MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+#define SSL_SESSION_TICKETS_ENABLED MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define SSL_SIG_ANON MBEDTLS_SSL_SIG_ANON
+#define SSL_SIG_ECDSA MBEDTLS_SSL_SIG_ECDSA
+#define SSL_SIG_RSA MBEDTLS_SSL_SIG_RSA
+#define SSL_TRANSPORT_DATAGRAM MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#define SSL_TRANSPORT_STREAM MBEDTLS_SSL_TRANSPORT_STREAM
+#define SSL_TRUNCATED_HMAC_LEN MBEDTLS_SSL_TRUNCATED_HMAC_LEN
+#define SSL_TRUNC_HMAC_DISABLED MBEDTLS_SSL_TRUNC_HMAC_DISABLED
+#define SSL_TRUNC_HMAC_ENABLED MBEDTLS_SSL_TRUNC_HMAC_ENABLED
+#define SSL_VERIFY_DATA_MAX_LEN MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
+#define SSL_VERIFY_NONE MBEDTLS_SSL_VERIFY_NONE
+#define SSL_VERIFY_OPTIONAL MBEDTLS_SSL_VERIFY_OPTIONAL
+#define SSL_VERIFY_REQUIRED MBEDTLS_SSL_VERIFY_REQUIRED
+#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_AES_128_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM
+#define TLS_DHE_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8
+#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_AES_256_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM
+#define TLS_DHE_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8
+#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+#define TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+#define TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+#define TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_128_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM
+#define TLS_DHE_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8
+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM
+#define TLS_DHE_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+#define TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+#define TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+#define TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+#define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+#define TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+#define TLS_EXT_ALPN MBEDTLS_TLS_EXT_ALPN
+#define TLS_EXT_ENCRYPT_THEN_MAC MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
+#define TLS_EXT_EXTENDED_MASTER_SECRET MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
+#define TLS_EXT_MAX_FRAGMENT_LENGTH MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
+#define TLS_EXT_RENEGOTIATION_INFO MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
+#define TLS_EXT_SERVERNAME MBEDTLS_TLS_EXT_SERVERNAME
+#define TLS_EXT_SERVERNAME_HOSTNAME MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
+#define TLS_EXT_SESSION_TICKET MBEDTLS_TLS_EXT_SESSION_TICKET
+#define TLS_EXT_SIG_ALG MBEDTLS_TLS_EXT_SIG_ALG
+#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
+#define TLS_EXT_SUPPORTED_POINT_FORMATS MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
+#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
+#define TLS_EXT_TRUNCATED_HMAC MBEDTLS_TLS_EXT_TRUNCATED_HMAC
+#define TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_PSK_WITH_AES_128_CCM MBEDTLS_TLS_PSK_WITH_AES_128_CCM
+#define TLS_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
+#define TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+#define TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_PSK_WITH_AES_256_CCM MBEDTLS_TLS_PSK_WITH_AES_256_CCM
+#define TLS_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8
+#define TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA
+#define TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+#define TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+#define TLS_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+#define TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+#define TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+#define TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_WITH_AES_128_CCM MBEDTLS_TLS_RSA_WITH_AES_128_CCM
+#define TLS_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8
+#define TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_RSA_WITH_AES_256_CCM MBEDTLS_TLS_RSA_WITH_AES_256_CCM
+#define TLS_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8
+#define TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+#define TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_WITH_NULL_MD5
+#define TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA
+#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
+#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
+#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
+#define X509_FORMAT_DER MBEDTLS_X509_FORMAT_DER
+#define X509_FORMAT_PEM MBEDTLS_X509_FORMAT_PEM
+#define X509_MAX_DN_NAME_SIZE MBEDTLS_X509_MAX_DN_NAME_SIZE
+#define X509_RFC5280_MAX_SERIAL_LEN MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
+#define X509_RFC5280_UTC_TIME_LEN MBEDTLS_X509_RFC5280_UTC_TIME_LEN
+#define XTEA_DECRYPT MBEDTLS_XTEA_DECRYPT
+#define XTEA_ENCRYPT MBEDTLS_XTEA_ENCRYPT
+#define _asn1_bitstring mbedtls_asn1_bitstring
+#define _asn1_buf mbedtls_asn1_buf
+#define _asn1_named_data mbedtls_asn1_named_data
+#define _asn1_sequence mbedtls_asn1_sequence
+#define _ssl_cache_context mbedtls_ssl_cache_context
+#define _ssl_cache_entry mbedtls_ssl_cache_entry
+#define _ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define _ssl_context mbedtls_ssl_context
+#define _ssl_flight_item mbedtls_ssl_flight_item
+#define _ssl_handshake_params mbedtls_ssl_handshake_params
+#define _ssl_key_cert mbedtls_ssl_key_cert
+#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
+#define _ssl_session mbedtls_ssl_session
+#define _ssl_transform mbedtls_ssl_transform
+#define _x509_crl mbedtls_x509_crl
+#define _x509_crl_entry mbedtls_x509_crl_entry
+#define _x509_crt mbedtls_x509_crt
+#define _x509_csr mbedtls_x509_csr
+#define _x509_time mbedtls_x509_time
+#define _x509write_cert mbedtls_x509write_cert
+#define _x509write_csr mbedtls_x509write_csr
+#define aes_context mbedtls_aes_context
+#define aes_crypt_cbc mbedtls_aes_crypt_cbc
+#define aes_crypt_cfb128 mbedtls_aes_crypt_cfb128
+#define aes_crypt_cfb8 mbedtls_aes_crypt_cfb8
+#define aes_crypt_ctr mbedtls_aes_crypt_ctr
+#define aes_crypt_ecb mbedtls_aes_crypt_ecb
+#define aes_free mbedtls_aes_free
+#define aes_init mbedtls_aes_init
+#define aes_self_test mbedtls_aes_self_test
+#define aes_setkey_dec mbedtls_aes_setkey_dec
+#define aes_setkey_enc mbedtls_aes_setkey_enc
+#define aesni_crypt_ecb mbedtls_aesni_crypt_ecb
+#define aesni_gcm_mult mbedtls_aesni_gcm_mult
+#define aesni_inverse_key mbedtls_aesni_inverse_key
+#define aesni_setkey_enc mbedtls_aesni_setkey_enc
+#define aesni_supports mbedtls_aesni_has_support
+#define alarmed mbedtls_timing_alarmed
+#define arc4_context mbedtls_arc4_context
+#define arc4_crypt mbedtls_arc4_crypt
+#define arc4_free mbedtls_arc4_free
+#define arc4_init mbedtls_arc4_init
+#define arc4_self_test mbedtls_arc4_self_test
+#define arc4_setup mbedtls_arc4_setup
+#define asn1_bitstring mbedtls_asn1_bitstring
+#define asn1_buf mbedtls_asn1_buf
+#define asn1_find_named_data mbedtls_asn1_find_named_data
+#define asn1_free_named_data mbedtls_asn1_free_named_data
+#define asn1_free_named_data_list mbedtls_asn1_free_named_data_list
+#define asn1_get_alg mbedtls_asn1_get_alg
+#define asn1_get_alg_null mbedtls_asn1_get_alg_null
+#define asn1_get_bitstring mbedtls_asn1_get_bitstring
+#define asn1_get_bitstring_null mbedtls_asn1_get_bitstring_null
+#define asn1_get_bool mbedtls_asn1_get_bool
+#define asn1_get_int mbedtls_asn1_get_int
+#define asn1_get_len mbedtls_asn1_get_len
+#define asn1_get_mpi mbedtls_asn1_get_mpi
+#define asn1_get_sequence_of mbedtls_asn1_get_sequence_of
+#define asn1_get_tag mbedtls_asn1_get_tag
+#define asn1_named_data mbedtls_asn1_named_data
+#define asn1_sequence mbedtls_asn1_sequence
+#define asn1_store_named_data mbedtls_asn1_store_named_data
+#define asn1_write_algorithm_identifier mbedtls_asn1_write_algorithm_identifier
+#define asn1_write_bitstring mbedtls_asn1_write_bitstring
+#define asn1_write_bool mbedtls_asn1_write_bool
+#define asn1_write_ia5_string mbedtls_asn1_write_ia5_string
+#define asn1_write_int mbedtls_asn1_write_int
+#define asn1_write_len mbedtls_asn1_write_len
+#define asn1_write_mpi mbedtls_asn1_write_mpi
+#define asn1_write_null mbedtls_asn1_write_null
+#define asn1_write_octet_string mbedtls_asn1_write_octet_string
+#define asn1_write_oid mbedtls_asn1_write_oid
+#define asn1_write_printable_string mbedtls_asn1_write_printable_string
+#define asn1_write_raw_buffer mbedtls_asn1_write_raw_buffer
+#define asn1_write_tag mbedtls_asn1_write_tag
+#define base64_decode mbedtls_base64_decode
+#define base64_encode mbedtls_base64_encode
+#define base64_self_test mbedtls_base64_self_test
+#define blowfish_context mbedtls_blowfish_context
+#define blowfish_crypt_cbc mbedtls_blowfish_crypt_cbc
+#define blowfish_crypt_cfb64 mbedtls_blowfish_crypt_cfb64
+#define blowfish_crypt_ctr mbedtls_blowfish_crypt_ctr
+#define blowfish_crypt_ecb mbedtls_blowfish_crypt_ecb
+#define blowfish_free mbedtls_blowfish_free
+#define blowfish_init mbedtls_blowfish_init
+#define blowfish_setkey mbedtls_blowfish_setkey
+#define camellia_context mbedtls_camellia_context
+#define camellia_crypt_cbc mbedtls_camellia_crypt_cbc
+#define camellia_crypt_cfb128 mbedtls_camellia_crypt_cfb128
+#define camellia_crypt_ctr mbedtls_camellia_crypt_ctr
+#define camellia_crypt_ecb mbedtls_camellia_crypt_ecb
+#define camellia_free mbedtls_camellia_free
+#define camellia_init mbedtls_camellia_init
+#define camellia_self_test mbedtls_camellia_self_test
+#define camellia_setkey_dec mbedtls_camellia_setkey_dec
+#define camellia_setkey_enc mbedtls_camellia_setkey_enc
+#define ccm_auth_decrypt mbedtls_ccm_auth_decrypt
+#define ccm_context mbedtls_ccm_context
+#define ccm_encrypt_and_tag mbedtls_ccm_encrypt_and_tag
+#define ccm_free mbedtls_ccm_free
+#define ccm_init mbedtls_ccm_init
+#define ccm_self_test mbedtls_ccm_self_test
+#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
+#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
+#define cipher_base_t mbedtls_cipher_base_t
+#define cipher_check_tag mbedtls_cipher_check_tag
+#define cipher_context_t mbedtls_cipher_context_t
+#define cipher_crypt mbedtls_cipher_crypt
+#define cipher_definition_t mbedtls_cipher_definition_t
+#define cipher_definitions mbedtls_cipher_definitions
+#define cipher_finish mbedtls_cipher_finish
+#define cipher_free mbedtls_cipher_free
+#define cipher_get_block_size mbedtls_cipher_get_block_size
+#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
+#define cipher_get_iv_size mbedtls_cipher_get_iv_size
+#define cipher_get_key_size mbedtls_cipher_get_key_bitlen
+#define cipher_get_name mbedtls_cipher_get_name
+#define cipher_get_operation mbedtls_cipher_get_operation
+#define cipher_get_type mbedtls_cipher_get_type
+#define cipher_id_t mbedtls_cipher_id_t
+#define cipher_info_from_string mbedtls_cipher_info_from_string
+#define cipher_info_from_type mbedtls_cipher_info_from_type
+#define cipher_info_from_values mbedtls_cipher_info_from_values
+#define cipher_info_t mbedtls_cipher_info_t
+#define cipher_init mbedtls_cipher_init
+#define cipher_init_ctx mbedtls_cipher_setup
+#define cipher_list mbedtls_cipher_list
+#define cipher_mode_t mbedtls_cipher_mode_t
+#define cipher_padding_t mbedtls_cipher_padding_t
+#define cipher_reset mbedtls_cipher_reset
+#define cipher_set_iv mbedtls_cipher_set_iv
+#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
+#define cipher_setkey mbedtls_cipher_setkey
+#define cipher_type_t mbedtls_cipher_type_t
+#define cipher_update mbedtls_cipher_update
+#define cipher_update_ad mbedtls_cipher_update_ad
+#define cipher_write_tag mbedtls_cipher_write_tag
+#define ctr_drbg_context mbedtls_ctr_drbg_context
+#define ctr_drbg_free mbedtls_ctr_drbg_free
+#define ctr_drbg_init mbedtls_ctr_drbg_init
+#define ctr_drbg_random mbedtls_ctr_drbg_random
+#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
+#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
+#define ctr_drbg_self_test mbedtls_ctr_drbg_self_test
+#define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
+#define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
+#define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
+#define ctr_drbg_update mbedtls_ctr_drbg_update
+#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
+#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
+#define debug_print_buf mbedtls_debug_print_buf
+#define debug_print_crt mbedtls_debug_print_crt
+#define debug_print_ecp mbedtls_debug_print_ecp
+#define debug_print_mpi mbedtls_debug_print_mpi
+#define debug_print_msg mbedtls_debug_print_msg
+#define debug_print_ret mbedtls_debug_print_ret
+#define debug_set_threshold mbedtls_debug_set_threshold
+#define des3_context mbedtls_des3_context
+#define des3_crypt_cbc mbedtls_des3_crypt_cbc
+#define des3_crypt_ecb mbedtls_des3_crypt_ecb
+#define des3_free mbedtls_des3_free
+#define des3_init mbedtls_des3_init
+#define des3_set2key_dec mbedtls_des3_set2key_dec
+#define des3_set2key_enc mbedtls_des3_set2key_enc
+#define des3_set3key_dec mbedtls_des3_set3key_dec
+#define des3_set3key_enc mbedtls_des3_set3key_enc
+#define des_context mbedtls_des_context
+#define des_crypt_cbc mbedtls_des_crypt_cbc
+#define des_crypt_ecb mbedtls_des_crypt_ecb
+#define des_free mbedtls_des_free
+#define des_init mbedtls_des_init
+#define des_key_check_key_parity mbedtls_des_key_check_key_parity
+#define des_key_check_weak mbedtls_des_key_check_weak
+#define des_key_set_parity mbedtls_des_key_set_parity
+#define des_self_test mbedtls_des_self_test
+#define des_setkey_dec mbedtls_des_setkey_dec
+#define des_setkey_enc mbedtls_des_setkey_enc
+#define dhm_calc_secret mbedtls_dhm_calc_secret
+#define dhm_context mbedtls_dhm_context
+#define dhm_free mbedtls_dhm_free
+#define dhm_init mbedtls_dhm_init
+#define dhm_make_params mbedtls_dhm_make_params
+#define dhm_make_public mbedtls_dhm_make_public
+#define dhm_parse_dhm mbedtls_dhm_parse_dhm
+#define dhm_parse_dhmfile mbedtls_dhm_parse_dhmfile
+#define dhm_read_params mbedtls_dhm_read_params
+#define dhm_read_public mbedtls_dhm_read_public
+#define dhm_self_test mbedtls_dhm_self_test
+#define ecdh_calc_secret mbedtls_ecdh_calc_secret
+#define ecdh_compute_shared mbedtls_ecdh_compute_shared
+#define ecdh_context mbedtls_ecdh_context
+#define ecdh_free mbedtls_ecdh_free
+#define ecdh_gen_public mbedtls_ecdh_gen_public
+#define ecdh_get_params mbedtls_ecdh_get_params
+#define ecdh_init mbedtls_ecdh_init
+#define ecdh_make_params mbedtls_ecdh_make_params
+#define ecdh_make_public mbedtls_ecdh_make_public
+#define ecdh_read_params mbedtls_ecdh_read_params
+#define ecdh_read_public mbedtls_ecdh_read_public
+#define ecdh_side mbedtls_ecdh_side
+#define ecdsa_context mbedtls_ecdsa_context
+#define ecdsa_free mbedtls_ecdsa_free
+#define ecdsa_from_keypair mbedtls_ecdsa_from_keypair
+#define ecdsa_genkey mbedtls_ecdsa_genkey
+#define ecdsa_info mbedtls_ecdsa_info
+#define ecdsa_init mbedtls_ecdsa_init
+#define ecdsa_read_signature mbedtls_ecdsa_read_signature
+#define ecdsa_sign mbedtls_ecdsa_sign
+#define ecdsa_sign_det mbedtls_ecdsa_sign_det
+#define ecdsa_verify mbedtls_ecdsa_verify
+#define ecdsa_write_signature mbedtls_ecdsa_write_signature
+#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
+#define eckey_info mbedtls_eckey_info
+#define eckeydh_info mbedtls_eckeydh_info
+#define ecp_check_privkey mbedtls_ecp_check_privkey
+#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
+#define ecp_check_pubkey mbedtls_ecp_check_pubkey
+#define ecp_copy mbedtls_ecp_copy
+#define ecp_curve_info mbedtls_ecp_curve_info
+#define ecp_curve_info_from_grp_id mbedtls_ecp_curve_info_from_grp_id
+#define ecp_curve_info_from_name mbedtls_ecp_curve_info_from_name
+#define ecp_curve_info_from_tls_id mbedtls_ecp_curve_info_from_tls_id
+#define ecp_curve_list mbedtls_ecp_curve_list
+#define ecp_gen_key mbedtls_ecp_gen_key
+#define ecp_gen_keypair mbedtls_ecp_gen_keypair
+#define ecp_group mbedtls_ecp_group
+#define ecp_group_copy mbedtls_ecp_group_copy
+#define ecp_group_free mbedtls_ecp_group_free
+#define ecp_group_id mbedtls_ecp_group_id
+#define ecp_group_init mbedtls_ecp_group_init
+#define ecp_grp_id_list mbedtls_ecp_grp_id_list
+#define ecp_is_zero mbedtls_ecp_is_zero
+#define ecp_keypair mbedtls_ecp_keypair
+#define ecp_keypair_free mbedtls_ecp_keypair_free
+#define ecp_keypair_init mbedtls_ecp_keypair_init
+#define ecp_mul mbedtls_ecp_mul
+#define ecp_point mbedtls_ecp_point
+#define ecp_point_free mbedtls_ecp_point_free
+#define ecp_point_init mbedtls_ecp_point_init
+#define ecp_point_read_binary mbedtls_ecp_point_read_binary
+#define ecp_point_read_string mbedtls_ecp_point_read_string
+#define ecp_point_write_binary mbedtls_ecp_point_write_binary
+#define ecp_self_test mbedtls_ecp_self_test
+#define ecp_set_zero mbedtls_ecp_set_zero
+#define ecp_tls_read_group mbedtls_ecp_tls_read_group
+#define ecp_tls_read_point mbedtls_ecp_tls_read_point
+#define ecp_tls_write_group mbedtls_ecp_tls_write_group
+#define ecp_tls_write_point mbedtls_ecp_tls_write_point
+#define ecp_use_known_dp mbedtls_ecp_group_load
+#define entropy_add_source mbedtls_entropy_add_source
+#define entropy_context mbedtls_entropy_context
+#define entropy_free mbedtls_entropy_free
+#define entropy_func mbedtls_entropy_func
+#define entropy_gather mbedtls_entropy_gather
+#define entropy_init mbedtls_entropy_init
+#define entropy_self_test mbedtls_entropy_self_test
+#define entropy_update_manual mbedtls_entropy_update_manual
+#define entropy_update_seed_file mbedtls_entropy_update_seed_file
+#define entropy_write_seed_file mbedtls_entropy_write_seed_file
+#define error_strerror mbedtls_strerror
+#define f_source_ptr mbedtls_entropy_f_source_ptr
+#define gcm_auth_decrypt mbedtls_gcm_auth_decrypt
+#define gcm_context mbedtls_gcm_context
+#define gcm_crypt_and_tag mbedtls_gcm_crypt_and_tag
+#define gcm_finish mbedtls_gcm_finish
+#define gcm_free mbedtls_gcm_free
+#define gcm_init mbedtls_gcm_init
+#define gcm_self_test mbedtls_gcm_self_test
+#define gcm_starts mbedtls_gcm_starts
+#define gcm_update mbedtls_gcm_update
+#define get_timer mbedtls_timing_get_timer
+#define hardclock mbedtls_timing_hardclock
+#define hardclock_poll mbedtls_hardclock_poll
+#define havege_free mbedtls_havege_free
+#define havege_init mbedtls_havege_init
+#define havege_poll mbedtls_havege_poll
+#define havege_random mbedtls_havege_random
+#define havege_state mbedtls_havege_state
+#define hmac_drbg_context mbedtls_hmac_drbg_context
+#define hmac_drbg_free mbedtls_hmac_drbg_free
+#define hmac_drbg_init mbedtls_hmac_drbg_init
+#define hmac_drbg_random mbedtls_hmac_drbg_random
+#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
+#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
+#define hmac_drbg_self_test mbedtls_hmac_drbg_self_test
+#define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
+#define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
+#define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
+#define hmac_drbg_update mbedtls_hmac_drbg_update
+#define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
+#define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
+#define hr_time mbedtls_timing_hr_time
+#define key_exchange_type_t mbedtls_key_exchange_type_t
+#define md mbedtls_md
+#define md2 mbedtls_md2
+#define md2_context mbedtls_md2_context
+#define md2_finish mbedtls_md2_finish
+#define md2_free mbedtls_md2_free
+#define md2_info mbedtls_md2_info
+#define md2_init mbedtls_md2_init
+#define md2_process mbedtls_md2_process
+#define md2_self_test mbedtls_md2_self_test
+#define md2_starts mbedtls_md2_starts
+#define md2_update mbedtls_md2_update
+#define md4 mbedtls_md4
+#define md4_context mbedtls_md4_context
+#define md4_finish mbedtls_md4_finish
+#define md4_free mbedtls_md4_free
+#define md4_info mbedtls_md4_info
+#define md4_init mbedtls_md4_init
+#define md4_process mbedtls_md4_process
+#define md4_self_test mbedtls_md4_self_test
+#define md4_starts mbedtls_md4_starts
+#define md4_update mbedtls_md4_update
+#define md5 mbedtls_md5
+#define md5_context mbedtls_md5_context
+#define md5_finish mbedtls_md5_finish
+#define md5_free mbedtls_md5_free
+#define md5_info mbedtls_md5_info
+#define md5_init mbedtls_md5_init
+#define md5_process mbedtls_md5_process
+#define md5_self_test mbedtls_md5_self_test
+#define md5_starts mbedtls_md5_starts
+#define md5_update mbedtls_md5_update
+#define md_context_t mbedtls_md_context_t
+#define md_file mbedtls_md_file
+#define md_finish mbedtls_md_finish
+#define md_free mbedtls_md_free
+#define md_get_name mbedtls_md_get_name
+#define md_get_size mbedtls_md_get_size
+#define md_get_type mbedtls_md_get_type
+#define md_hmac mbedtls_md_hmac
+#define md_hmac_finish mbedtls_md_hmac_finish
+#define md_hmac_reset mbedtls_md_hmac_reset
+#define md_hmac_starts mbedtls_md_hmac_starts
+#define md_hmac_update mbedtls_md_hmac_update
+#define md_info_from_string mbedtls_md_info_from_string
+#define md_info_from_type mbedtls_md_info_from_type
+#define md_info_t mbedtls_md_info_t
+#define md_init mbedtls_md_init
+#define md_init_ctx mbedtls_md_init_ctx
+#define md_list mbedtls_md_list
+#define md_process mbedtls_md_process
+#define md_starts mbedtls_md_starts
+#define md_type_t mbedtls_md_type_t
+#define md_update mbedtls_md_update
+#define memory_buffer_alloc_cur_get mbedtls_memory_buffer_alloc_cur_get
+#define memory_buffer_alloc_free mbedtls_memory_buffer_alloc_free
+#define memory_buffer_alloc_init mbedtls_memory_buffer_alloc_init
+#define memory_buffer_alloc_max_get mbedtls_memory_buffer_alloc_max_get
+#define memory_buffer_alloc_max_reset mbedtls_memory_buffer_alloc_max_reset
+#define memory_buffer_alloc_self_test mbedtls_memory_buffer_alloc_self_test
+#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
+#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
+#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
+#define mpi mbedtls_mpi
+#define mpi_add_abs mbedtls_mpi_add_abs
+#define mpi_add_int mbedtls_mpi_add_int
+#define mpi_add_mpi mbedtls_mpi_add_mpi
+#define mpi_cmp_abs mbedtls_mpi_cmp_abs
+#define mpi_cmp_int mbedtls_mpi_cmp_int
+#define mpi_cmp_mpi mbedtls_mpi_cmp_mpi
+#define mpi_copy mbedtls_mpi_copy
+#define mpi_div_int mbedtls_mpi_div_int
+#define mpi_div_mpi mbedtls_mpi_div_mpi
+#define mpi_exp_mod mbedtls_mpi_exp_mod
+#define mpi_fill_random mbedtls_mpi_fill_random
+#define mpi_free mbedtls_mpi_free
+#define mpi_gcd mbedtls_mpi_gcd
+#define mpi_gen_prime mbedtls_mpi_gen_prime
+#define mpi_get_bit mbedtls_mpi_get_bit
+#define mpi_grow mbedtls_mpi_grow
+#define mpi_init mbedtls_mpi_init
+#define mpi_inv_mod mbedtls_mpi_inv_mod
+#define mpi_is_prime mbedtls_mpi_is_prime
+#define mpi_lsb mbedtls_mpi_lsb
+#define mpi_lset mbedtls_mpi_lset
+#define mpi_mod_int mbedtls_mpi_mod_int
+#define mpi_mod_mpi mbedtls_mpi_mod_mpi
+#define mpi_msb mbedtls_mpi_bitlen
+#define mpi_mul_int mbedtls_mpi_mul_int
+#define mpi_mul_mpi mbedtls_mpi_mul_mpi
+#define mpi_read_binary mbedtls_mpi_read_binary
+#define mpi_read_file mbedtls_mpi_read_file
+#define mpi_read_string mbedtls_mpi_read_string
+#define mpi_safe_cond_assign mbedtls_mpi_safe_cond_assign
+#define mpi_safe_cond_swap mbedtls_mpi_safe_cond_swap
+#define mpi_self_test mbedtls_mpi_self_test
+#define mpi_set_bit mbedtls_mpi_set_bit
+#define mpi_shift_l mbedtls_mpi_shift_l
+#define mpi_shift_r mbedtls_mpi_shift_r
+#define mpi_shrink mbedtls_mpi_shrink
+#define mpi_size mbedtls_mpi_size
+#define mpi_sub_abs mbedtls_mpi_sub_abs
+#define mpi_sub_int mbedtls_mpi_sub_int
+#define mpi_sub_mpi mbedtls_mpi_sub_mpi
+#define mpi_swap mbedtls_mpi_swap
+#define mpi_write_binary mbedtls_mpi_write_binary
+#define mpi_write_file mbedtls_mpi_write_file
+#define mpi_write_string mbedtls_mpi_write_string
+#define net_accept mbedtls_net_accept
+#define net_bind mbedtls_net_bind
+#define net_close mbedtls_net_free
+#define net_connect mbedtls_net_connect
+#define net_recv mbedtls_net_recv
+#define net_recv_timeout mbedtls_net_recv_timeout
+#define net_send mbedtls_net_send
+#define net_set_block mbedtls_net_set_block
+#define net_set_nonblock mbedtls_net_set_nonblock
+#define net_usleep mbedtls_net_usleep
+#define oid_descriptor_t mbedtls_oid_descriptor_t
+#define oid_get_attr_short_name mbedtls_oid_get_attr_short_name
+#define oid_get_cipher_alg mbedtls_oid_get_cipher_alg
+#define oid_get_ec_grp mbedtls_oid_get_ec_grp
+#define oid_get_extended_key_usage mbedtls_oid_get_extended_key_usage
+#define oid_get_md_alg mbedtls_oid_get_md_alg
+#define oid_get_numeric_string mbedtls_oid_get_numeric_string
+#define oid_get_oid_by_ec_grp mbedtls_oid_get_oid_by_ec_grp
+#define oid_get_oid_by_md mbedtls_oid_get_oid_by_md
+#define oid_get_oid_by_pk_alg mbedtls_oid_get_oid_by_pk_alg
+#define oid_get_oid_by_sig_alg mbedtls_oid_get_oid_by_sig_alg
+#define oid_get_pk_alg mbedtls_oid_get_pk_alg
+#define oid_get_pkcs12_pbe_alg mbedtls_oid_get_pkcs12_pbe_alg
+#define oid_get_sig_alg mbedtls_oid_get_sig_alg
+#define oid_get_sig_alg_desc mbedtls_oid_get_sig_alg_desc
+#define oid_get_x509_ext_type mbedtls_oid_get_x509_ext_type
+#define operation_t mbedtls_operation_t
+#define padlock_supports mbedtls_padlock_has_support
+#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
+#define padlock_xcryptecb mbedtls_padlock_xcryptecb
+#define pem_context mbedtls_pem_context
+#define pem_free mbedtls_pem_free
+#define pem_init mbedtls_pem_init
+#define pem_read_buffer mbedtls_pem_read_buffer
+#define pem_write_buffer mbedtls_pem_write_buffer
+#define pk_can_do mbedtls_pk_can_do
+#define pk_check_pair mbedtls_pk_check_pair
+#define pk_context mbedtls_pk_context
+#define pk_debug mbedtls_pk_debug
+#define pk_debug_item mbedtls_pk_debug_item
+#define pk_debug_type mbedtls_pk_debug_type
+#define pk_decrypt mbedtls_pk_decrypt
+#define pk_ec mbedtls_pk_ec
+#define pk_encrypt mbedtls_pk_encrypt
+#define pk_free mbedtls_pk_free
+#define pk_get_len mbedtls_pk_get_len
+#define pk_get_name mbedtls_pk_get_name
+#define pk_get_size mbedtls_pk_get_bitlen
+#define pk_get_type mbedtls_pk_get_type
+#define pk_info_from_type mbedtls_pk_info_from_type
+#define pk_info_t mbedtls_pk_info_t
+#define pk_init mbedtls_pk_init
+#define pk_init_ctx mbedtls_pk_setup
+#define pk_init_ctx_rsa_alt mbedtls_pk_setup_rsa_alt
+#define pk_load_file mbedtls_pk_load_file
+#define pk_parse_key mbedtls_pk_parse_key
+#define pk_parse_keyfile mbedtls_pk_parse_keyfile
+#define pk_parse_public_key mbedtls_pk_parse_public_key
+#define pk_parse_public_keyfile mbedtls_pk_parse_public_keyfile
+#define pk_parse_subpubkey mbedtls_pk_parse_subpubkey
+#define pk_rsa mbedtls_pk_rsa
+#define pk_rsa_alt_decrypt_func mbedtls_pk_rsa_alt_decrypt_func
+#define pk_rsa_alt_key_len_func mbedtls_pk_rsa_alt_key_len_func
+#define pk_rsa_alt_sign_func mbedtls_pk_rsa_alt_sign_func
+#define pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options
+#define pk_sign mbedtls_pk_sign
+#define pk_type_t mbedtls_pk_type_t
+#define pk_verify mbedtls_pk_verify
+#define pk_verify_ext mbedtls_pk_verify_ext
+#define pk_write_key_der mbedtls_pk_write_key_der
+#define pk_write_key_pem mbedtls_pk_write_key_pem
+#define pk_write_pubkey mbedtls_pk_write_pubkey
+#define pk_write_pubkey_der mbedtls_pk_write_pubkey_der
+#define pk_write_pubkey_pem mbedtls_pk_write_pubkey_pem
+#define pkcs11_context mbedtls_pkcs11_context
+#define pkcs11_decrypt mbedtls_pkcs11_decrypt
+#define pkcs11_priv_key_free mbedtls_pkcs11_priv_key_free
+#define pkcs11_priv_key_init mbedtls_pkcs11_priv_key_bind
+#define pkcs11_sign mbedtls_pkcs11_sign
+#define pkcs11_x509_cert_init mbedtls_pkcs11_x509_cert_bind
+#define pkcs12_derivation mbedtls_pkcs12_derivation
+#define pkcs12_pbe mbedtls_pkcs12_pbe
+#define pkcs12_pbe_sha1_rc4_128 mbedtls_pkcs12_pbe_sha1_rc4_128
+#define pkcs5_pbes2 mbedtls_pkcs5_pbes2
+#define pkcs5_pbkdf2_hmac mbedtls_pkcs5_pbkdf2_hmac
+#define pkcs5_self_test mbedtls_pkcs5_self_test
+#define platform_entropy_poll mbedtls_platform_entropy_poll
+#define platform_set_exit mbedtls_platform_set_exit
+#define platform_set_fprintf mbedtls_platform_set_fprintf
+#define platform_set_printf mbedtls_platform_set_printf
+#define platform_set_snprintf mbedtls_platform_set_snprintf
+#define polarssl_exit mbedtls_exit
+#define polarssl_fprintf mbedtls_fprintf
+#define polarssl_free mbedtls_free
+#define polarssl_mutex_free mbedtls_mutex_free
+#define polarssl_mutex_init mbedtls_mutex_init
+#define polarssl_mutex_lock mbedtls_mutex_lock
+#define polarssl_mutex_unlock mbedtls_mutex_unlock
+#define polarssl_printf mbedtls_printf
+#define polarssl_snprintf mbedtls_snprintf
+#define polarssl_strerror mbedtls_strerror
+#define ripemd160 mbedtls_ripemd160
+#define ripemd160_context mbedtls_ripemd160_context
+#define ripemd160_finish mbedtls_ripemd160_finish
+#define ripemd160_free mbedtls_ripemd160_free
+#define ripemd160_info mbedtls_ripemd160_info
+#define ripemd160_init mbedtls_ripemd160_init
+#define ripemd160_process mbedtls_ripemd160_process
+#define ripemd160_self_test mbedtls_ripemd160_self_test
+#define ripemd160_starts mbedtls_ripemd160_starts
+#define ripemd160_update mbedtls_ripemd160_update
+#define rsa_alt_context mbedtls_rsa_alt_context
+#define rsa_alt_info mbedtls_rsa_alt_info
+#define rsa_check_privkey mbedtls_rsa_check_privkey
+#define rsa_check_pub_priv mbedtls_rsa_check_pub_priv
+#define rsa_check_pubkey mbedtls_rsa_check_pubkey
+#define rsa_context mbedtls_rsa_context
+#define rsa_copy mbedtls_rsa_copy
+#define rsa_free mbedtls_rsa_free
+#define rsa_gen_key mbedtls_rsa_gen_key
+#define rsa_info mbedtls_rsa_info
+#define rsa_init mbedtls_rsa_init
+#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
+#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
+#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
+#define rsa_pkcs1_verify mbedtls_rsa_pkcs1_verify
+#define rsa_private mbedtls_rsa_private
+#define rsa_public mbedtls_rsa_public
+#define rsa_rsaes_oaep_decrypt mbedtls_rsa_rsaes_oaep_decrypt
+#define rsa_rsaes_oaep_encrypt mbedtls_rsa_rsaes_oaep_encrypt
+#define rsa_rsaes_pkcs1_v15_decrypt mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+#define rsa_rsaes_pkcs1_v15_encrypt mbedtls_rsa_rsaes_pkcs1_v15_encrypt
+#define rsa_rsassa_pkcs1_v15_sign mbedtls_rsa_rsassa_pkcs1_v15_sign
+#define rsa_rsassa_pkcs1_v15_verify mbedtls_rsa_rsassa_pkcs1_v15_verify
+#define rsa_rsassa_pss_sign mbedtls_rsa_rsassa_pss_sign
+#define rsa_rsassa_pss_verify mbedtls_rsa_rsassa_pss_verify
+#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
+#define rsa_self_test mbedtls_rsa_self_test
+#define rsa_set_padding mbedtls_rsa_set_padding
+#define safer_memcmp mbedtls_ssl_safer_memcmp
+#define set_alarm mbedtls_set_alarm
+#define sha1 mbedtls_sha1
+#define sha1_context mbedtls_sha1_context
+#define sha1_finish mbedtls_sha1_finish
+#define sha1_free mbedtls_sha1_free
+#define sha1_info mbedtls_sha1_info
+#define sha1_init mbedtls_sha1_init
+#define sha1_process mbedtls_sha1_process
+#define sha1_self_test mbedtls_sha1_self_test
+#define sha1_starts mbedtls_sha1_starts
+#define sha1_update mbedtls_sha1_update
+#define sha224_info mbedtls_sha224_info
+#define sha256 mbedtls_sha256
+#define sha256_context mbedtls_sha256_context
+#define sha256_finish mbedtls_sha256_finish
+#define sha256_free mbedtls_sha256_free
+#define sha256_info mbedtls_sha256_info
+#define sha256_init mbedtls_sha256_init
+#define sha256_process mbedtls_sha256_process
+#define sha256_self_test mbedtls_sha256_self_test
+#define sha256_starts mbedtls_sha256_starts
+#define sha256_update mbedtls_sha256_update
+#define sha384_info mbedtls_sha384_info
+#define sha512 mbedtls_sha512
+#define sha512_context mbedtls_sha512_context
+#define sha512_finish mbedtls_sha512_finish
+#define sha512_free mbedtls_sha512_free
+#define sha512_info mbedtls_sha512_info
+#define sha512_init mbedtls_sha512_init
+#define sha512_process mbedtls_sha512_process
+#define sha512_self_test mbedtls_sha512_self_test
+#define sha512_starts mbedtls_sha512_starts
+#define sha512_update mbedtls_sha512_update
+#define source_state mbedtls_entropy_source_state
+#define ssl_cache_context mbedtls_ssl_cache_context
+#define ssl_cache_entry mbedtls_ssl_cache_entry
+#define ssl_cache_free mbedtls_ssl_cache_free
+#define ssl_cache_get mbedtls_ssl_cache_get
+#define ssl_cache_init mbedtls_ssl_cache_init
+#define ssl_cache_set mbedtls_ssl_cache_set
+#define ssl_cache_set_max_entries mbedtls_ssl_cache_set_max_entries
+#define ssl_cache_set_timeout mbedtls_ssl_cache_set_timeout
+#define ssl_check_cert_usage mbedtls_ssl_check_cert_usage
+#define ssl_ciphersuite_from_id mbedtls_ssl_ciphersuite_from_id
+#define ssl_ciphersuite_from_string mbedtls_ssl_ciphersuite_from_string
+#define ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define ssl_ciphersuite_uses_ec mbedtls_ssl_ciphersuite_uses_ec
+#define ssl_ciphersuite_uses_psk mbedtls_ssl_ciphersuite_uses_psk
+#define ssl_close_notify mbedtls_ssl_close_notify
+#define ssl_context mbedtls_ssl_context
+#define ssl_cookie_check mbedtls_ssl_cookie_check
+#define ssl_cookie_check_t mbedtls_ssl_cookie_check_t
+#define ssl_cookie_ctx mbedtls_ssl_cookie_ctx
+#define ssl_cookie_free mbedtls_ssl_cookie_free
+#define ssl_cookie_init mbedtls_ssl_cookie_init
+#define ssl_cookie_set_timeout mbedtls_ssl_cookie_set_timeout
+#define ssl_cookie_setup mbedtls_ssl_cookie_setup
+#define ssl_cookie_write mbedtls_ssl_cookie_write
+#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
+#define ssl_derive_keys mbedtls_ssl_derive_keys
+#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
+#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
+#define ssl_fetch_input mbedtls_ssl_fetch_input
+#define ssl_flight_item mbedtls_ssl_flight_item
+#define ssl_flush_output mbedtls_ssl_flush_output
+#define ssl_free mbedtls_ssl_free
+#define ssl_get_alpn_protocol mbedtls_ssl_get_alpn_protocol
+#define ssl_get_bytes_avail mbedtls_ssl_get_bytes_avail
+#define ssl_get_ciphersuite mbedtls_ssl_get_ciphersuite
+#define ssl_get_ciphersuite_id mbedtls_ssl_get_ciphersuite_id
+#define ssl_get_ciphersuite_name mbedtls_ssl_get_ciphersuite_name
+#define ssl_get_ciphersuite_sig_pk_alg mbedtls_ssl_get_ciphersuite_sig_pk_alg
+#define ssl_get_peer_cert mbedtls_ssl_get_peer_cert
+#define ssl_get_record_expansion mbedtls_ssl_get_record_expansion
+#define ssl_get_session mbedtls_ssl_get_session
+#define ssl_get_verify_result mbedtls_ssl_get_verify_result
+#define ssl_get_version mbedtls_ssl_get_version
+#define ssl_handshake mbedtls_ssl_handshake
+#define ssl_handshake_client_step mbedtls_ssl_handshake_client_step
+#define ssl_handshake_free mbedtls_ssl_handshake_free
+#define ssl_handshake_params mbedtls_ssl_handshake_params
+#define ssl_handshake_server_step mbedtls_ssl_handshake_server_step
+#define ssl_handshake_step mbedtls_ssl_handshake_step
+#define ssl_handshake_wrapup mbedtls_ssl_handshake_wrapup
+#define ssl_hdr_len mbedtls_ssl_hdr_len
+#define ssl_hs_hdr_len mbedtls_ssl_hs_hdr_len
+#define ssl_hw_record_activate mbedtls_ssl_hw_record_activate
+#define ssl_hw_record_finish mbedtls_ssl_hw_record_finish
+#define ssl_hw_record_init mbedtls_ssl_hw_record_init
+#define ssl_hw_record_read mbedtls_ssl_hw_record_read
+#define ssl_hw_record_reset mbedtls_ssl_hw_record_reset
+#define ssl_hw_record_write mbedtls_ssl_hw_record_write
+#define ssl_init mbedtls_ssl_init
+#define ssl_key_cert mbedtls_ssl_key_cert
+#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
+#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
+#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
+#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
+#define ssl_own_cert mbedtls_ssl_own_cert
+#define ssl_own_key mbedtls_ssl_own_key
+#define ssl_parse_certificate mbedtls_ssl_parse_certificate
+#define ssl_parse_change_cipher_spec mbedtls_ssl_parse_change_cipher_spec
+#define ssl_parse_finished mbedtls_ssl_parse_finished
+#define ssl_pk_alg_from_sig mbedtls_ssl_pk_alg_from_sig
+#define ssl_pkcs11_decrypt mbedtls_ssl_pkcs11_decrypt
+#define ssl_pkcs11_key_len mbedtls_ssl_pkcs11_key_len
+#define ssl_pkcs11_sign mbedtls_ssl_pkcs11_sign
+#define ssl_psk_derive_premaster mbedtls_ssl_psk_derive_premaster
+#define ssl_read mbedtls_ssl_read
+#define ssl_read_record mbedtls_ssl_read_record
+#define ssl_read_version mbedtls_ssl_read_version
+#define ssl_recv_flight_completed mbedtls_ssl_recv_flight_completed
+#define ssl_renegotiate mbedtls_ssl_renegotiate
+#define ssl_resend mbedtls_ssl_resend
+#define ssl_reset_checksum mbedtls_ssl_reset_checksum
+#define ssl_send_alert_message mbedtls_ssl_send_alert_message
+#define ssl_send_fatal_handshake_failure mbedtls_ssl_send_fatal_handshake_failure
+#define ssl_send_flight_completed mbedtls_ssl_send_flight_completed
+#define ssl_session mbedtls_ssl_session
+#define ssl_session_free mbedtls_ssl_session_free
+#define ssl_session_init mbedtls_ssl_session_init
+#define ssl_session_reset mbedtls_ssl_session_reset
+#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
+#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
+#define ssl_set_authmode mbedtls_ssl_conf_authmode
+#define ssl_set_bio mbedtls_ssl_set_bio
+#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
+#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
+#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
+#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
+#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
+#define ssl_set_curves mbedtls_ssl_conf_curves
+#define ssl_set_dbg mbedtls_ssl_conf_dbg
+#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
+#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
+#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
+#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
+#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
+#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
+#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
+#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
+#define ssl_set_fallback mbedtls_ssl_conf_fallback
+#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
+#define ssl_set_hostname mbedtls_ssl_set_hostname
+#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
+#define ssl_set_max_version mbedtls_ssl_conf_max_version
+#define ssl_set_min_version mbedtls_ssl_conf_min_version
+#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
+#define ssl_set_psk mbedtls_ssl_conf_psk
+#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
+#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
+#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
+#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
+#define ssl_set_rng mbedtls_ssl_conf_rng
+#define ssl_set_session mbedtls_ssl_set_session
+#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
+#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
+#define ssl_set_sni mbedtls_ssl_conf_sni
+#define ssl_set_transport mbedtls_ssl_conf_transport
+#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
+#define ssl_set_verify mbedtls_ssl_conf_verify
+#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
+#define ssl_states mbedtls_ssl_states
+#define ssl_transform mbedtls_ssl_transform
+#define ssl_transform_free mbedtls_ssl_transform_free
+#define ssl_write mbedtls_ssl_write
+#define ssl_write_certificate mbedtls_ssl_write_certificate
+#define ssl_write_change_cipher_spec mbedtls_ssl_write_change_cipher_spec
+#define ssl_write_finished mbedtls_ssl_write_finished
+#define ssl_write_record mbedtls_ssl_write_record
+#define ssl_write_version mbedtls_ssl_write_version
+#define supported_ciphers mbedtls_cipher_supported
+#define t_sint mbedtls_mpi_sint
+#define t_udbl mbedtls_t_udbl
+#define t_uint mbedtls_mpi_uint
+#define test_ca_crt mbedtls_test_ca_crt
+#define test_ca_crt_ec mbedtls_test_ca_crt_ec
+#define test_ca_crt_rsa mbedtls_test_ca_crt_rsa
+#define test_ca_key mbedtls_test_ca_key
+#define test_ca_key_ec mbedtls_test_ca_key_ec
+#define test_ca_key_rsa mbedtls_test_ca_key_rsa
+#define test_ca_list mbedtls_test_cas_pem
+#define test_ca_pwd mbedtls_test_ca_pwd
+#define test_ca_pwd_ec mbedtls_test_ca_pwd_ec
+#define test_ca_pwd_rsa mbedtls_test_ca_pwd_rsa
+#define test_cli_crt mbedtls_test_cli_crt
+#define test_cli_crt_ec mbedtls_test_cli_crt_ec
+#define test_cli_crt_rsa mbedtls_test_cli_crt_rsa
+#define test_cli_key mbedtls_test_cli_key
+#define test_cli_key_ec mbedtls_test_cli_key_ec
+#define test_cli_key_rsa mbedtls_test_cli_key_rsa
+#define test_srv_crt mbedtls_test_srv_crt
+#define test_srv_crt_ec mbedtls_test_srv_crt_ec
+#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
+#define test_srv_key mbedtls_test_srv_key
+#define test_srv_key_ec mbedtls_test_srv_key_ec
+#define test_srv_key_rsa mbedtls_test_srv_key_rsa
+#define threading_mutex_t mbedtls_threading_mutex_t
+#define threading_set_alt mbedtls_threading_set_alt
+#define timing_self_test mbedtls_timing_self_test
+#define version_check_feature mbedtls_version_check_feature
+#define version_get_number mbedtls_version_get_number
+#define version_get_string mbedtls_version_get_string
+#define version_get_string_full mbedtls_version_get_string_full
+#define x509_bitstring mbedtls_x509_bitstring
+#define x509_buf mbedtls_x509_buf
+#define x509_crl mbedtls_x509_crl
+#define x509_crl_entry mbedtls_x509_crl_entry
+#define x509_crl_free mbedtls_x509_crl_free
+#define x509_crl_info mbedtls_x509_crl_info
+#define x509_crl_init mbedtls_x509_crl_init
+#define x509_crl_parse mbedtls_x509_crl_parse
+#define x509_crl_parse_der mbedtls_x509_crl_parse_der
+#define x509_crl_parse_file mbedtls_x509_crl_parse_file
+#define x509_crt mbedtls_x509_crt
+#define x509_crt_check_extended_key_usage mbedtls_x509_crt_check_extended_key_usage
+#define x509_crt_check_key_usage mbedtls_x509_crt_check_key_usage
+#define x509_crt_free mbedtls_x509_crt_free
+#define x509_crt_info mbedtls_x509_crt_info
+#define x509_crt_init mbedtls_x509_crt_init
+#define x509_crt_parse mbedtls_x509_crt_parse
+#define x509_crt_parse_der mbedtls_x509_crt_parse_der
+#define x509_crt_parse_file mbedtls_x509_crt_parse_file
+#define x509_crt_parse_path mbedtls_x509_crt_parse_path
+#define x509_crt_revoked mbedtls_x509_crt_is_revoked
+#define x509_crt_verify mbedtls_x509_crt_verify
+#define x509_csr mbedtls_x509_csr
+#define x509_csr_free mbedtls_x509_csr_free
+#define x509_csr_info mbedtls_x509_csr_info
+#define x509_csr_init mbedtls_x509_csr_init
+#define x509_csr_parse mbedtls_x509_csr_parse
+#define x509_csr_parse_der mbedtls_x509_csr_parse_der
+#define x509_csr_parse_file mbedtls_x509_csr_parse_file
+#define x509_dn_gets mbedtls_x509_dn_gets
+#define x509_get_alg mbedtls_x509_get_alg
+#define x509_get_alg_null mbedtls_x509_get_alg_null
+#define x509_get_ext mbedtls_x509_get_ext
+#define x509_get_name mbedtls_x509_get_name
+#define x509_get_rsassa_pss_params mbedtls_x509_get_rsassa_pss_params
+#define x509_get_serial mbedtls_x509_get_serial
+#define x509_get_sig mbedtls_x509_get_sig
+#define x509_get_sig_alg mbedtls_x509_get_sig_alg
+#define x509_get_time mbedtls_x509_get_time
+#define x509_key_size_helper mbedtls_x509_key_size_helper
+#define x509_name mbedtls_x509_name
+#define x509_self_test mbedtls_x509_self_test
+#define x509_sequence mbedtls_x509_sequence
+#define x509_serial_gets mbedtls_x509_serial_gets
+#define x509_set_extension mbedtls_x509_set_extension
+#define x509_sig_alg_gets mbedtls_x509_sig_alg_gets
+#define x509_string_to_names mbedtls_x509_string_to_names
+#define x509_time mbedtls_x509_time
+#define x509_time_expired mbedtls_x509_time_is_past
+#define x509_time_future mbedtls_x509_time_is_future
+#define x509_write_extensions mbedtls_x509_write_extensions
+#define x509_write_names mbedtls_x509_write_names
+#define x509_write_sig mbedtls_x509_write_sig
+#define x509write_cert mbedtls_x509write_cert
+#define x509write_crt_der mbedtls_x509write_crt_der
+#define x509write_crt_free mbedtls_x509write_crt_free
+#define x509write_crt_init mbedtls_x509write_crt_init
+#define x509write_crt_pem mbedtls_x509write_crt_pem
+#define x509write_crt_set_authority_key_identifier mbedtls_x509write_crt_set_authority_key_identifier
+#define x509write_crt_set_basic_constraints mbedtls_x509write_crt_set_basic_constraints
+#define x509write_crt_set_extension mbedtls_x509write_crt_set_extension
+#define x509write_crt_set_issuer_key mbedtls_x509write_crt_set_issuer_key
+#define x509write_crt_set_issuer_name mbedtls_x509write_crt_set_issuer_name
+#define x509write_crt_set_key_usage mbedtls_x509write_crt_set_key_usage
+#define x509write_crt_set_md_alg mbedtls_x509write_crt_set_md_alg
+#define x509write_crt_set_ns_cert_type mbedtls_x509write_crt_set_ns_cert_type
+#define x509write_crt_set_serial mbedtls_x509write_crt_set_serial
+#define x509write_crt_set_subject_key mbedtls_x509write_crt_set_subject_key
+#define x509write_crt_set_subject_key_identifier mbedtls_x509write_crt_set_subject_key_identifier
+#define x509write_crt_set_subject_name mbedtls_x509write_crt_set_subject_name
+#define x509write_crt_set_validity mbedtls_x509write_crt_set_validity
+#define x509write_crt_set_version mbedtls_x509write_crt_set_version
+#define x509write_csr mbedtls_x509write_csr
+#define x509write_csr_der mbedtls_x509write_csr_der
+#define x509write_csr_free mbedtls_x509write_csr_free
+#define x509write_csr_init mbedtls_x509write_csr_init
+#define x509write_csr_pem mbedtls_x509write_csr_pem
+#define x509write_csr_set_extension mbedtls_x509write_csr_set_extension
+#define x509write_csr_set_key mbedtls_x509write_csr_set_key
+#define x509write_csr_set_key_usage mbedtls_x509write_csr_set_key_usage
+#define x509write_csr_set_md_alg mbedtls_x509write_csr_set_md_alg
+#define x509write_csr_set_ns_cert_type mbedtls_x509write_csr_set_ns_cert_type
+#define x509write_csr_set_subject_name mbedtls_x509write_csr_set_subject_name
+#define xtea_context mbedtls_xtea_context
+#define xtea_crypt_cbc mbedtls_xtea_crypt_cbc
+#define xtea_crypt_ecb mbedtls_xtea_crypt_ecb
+#define xtea_free mbedtls_xtea_free
+#define xtea_init mbedtls_xtea_init
+#define xtea_self_test mbedtls_xtea_self_test
+#define xtea_setup mbedtls_xtea_setup
+
+#endif /* compat-1.3.h */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
diff --git a/common/mbedtls/config.h b/common/mbedtls/config.h
index 707c493d7..e6138bc6b 100644
--- a/common/mbedtls/config.h
+++ b/common/mbedtls/config.h
@@ -8,24 +8,20 @@
  *  memory footprint.
  */
 /*
- *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_CONFIG_H
@@ -139,12 +135,21 @@
 /**
  * \def MBEDTLS_HAVE_TIME_DATE
  *
- * System has time.h and time(), gmtime() and the clock is correct.
- * The time needs to be correct (not necesarily very accurate, but at least
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
  * the date should be correct). This is used to verify the validity period of
  * X.509 certificates.
  *
  * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
  */
 //#define MBEDTLS_HAVE_TIME_DATE
 
@@ -219,36 +224,103 @@
 //#define MBEDTLS_PLATFORM_FPRINTF_ALT
 //#define MBEDTLS_PLATFORM_PRINTF_ALT
 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
 //#define MBEDTLS_PLATFORM_NV_SEED_ALT
 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
 
 /**
  * \def MBEDTLS_DEPRECATED_WARNING
  *
- * Mark deprecated functions so that they generate a warning if used.
- * Functions deprecated in one version will usually be removed in the next
- * version. You can enable this to help you prepare the transition to a new
- * major version by making sure your code is not using these functions.
+ * Mark deprecated functions and features so that they generate a warning if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
  *
  * This only works with GCC and Clang. With other compilers, you may want to
  * use MBEDTLS_DEPRECATED_REMOVED
  *
- * Uncomment to get warnings on using deprecated functions.
+ * Uncomment to get warnings on using deprecated functions and features.
  */
 //#define MBEDTLS_DEPRECATED_WARNING
 
 /**
  * \def MBEDTLS_DEPRECATED_REMOVED
  *
- * Remove deprecated functions so that they generate an error if used.
- * Functions deprecated in one version will usually be removed in the next
- * version. You can enable this to help you prepare the transition to a new
- * major version by making sure your code is not using these functions.
+ * Remove deprecated functions and features so that they generate an error if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
  *
- * Uncomment to get errors on using deprecated functions.
+ * Uncomment to get errors on using deprecated functions and features.
  */
 //#define MBEDTLS_DEPRECATED_REMOVED
 
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - The pointer is checked to be non-NULL only if this option is enabled.
+ * - The content of the buffer is always validated.
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid:
+ * 1. The function will invoke the macro MBEDTLS_PARAM_FAILED().
+ * 2. If MBEDTLS_PARAM_FAILED() did not terminate the program, the function
+ *   will immediately return. If the function returns an Mbed TLS error code,
+ *   the error code in this case is MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
+ *
+ * When defining this flag, you also need to arrange a definition for
+ * MBEDTLS_PARAM_FAILED(). You can do this by any of the following methods:
+ * - By default, the library defines MBEDTLS_PARAM_FAILED() to call a
+ *   function mbedtls_param_failed(), but the library does not define this
+ *   function. If you do not make any other arrangements, you must provide
+ *   the function mbedtls_param_failed() in your application.
+ *   See `platform_util.h` for its prototype.
+ * - If you enable the macro #MBEDTLS_CHECK_PARAMS_ASSERT, then the
+ *   library defines MBEDTLS_PARAM_FAILED(\c cond) to be `assert(cond)`.
+ *   You can still supply an alternative definition of
+ *   MBEDTLS_PARAM_FAILED(), which may call `assert`.
+ * - If you define a macro MBEDTLS_PARAM_FAILED() before including `config.h`
+ *   or you uncomment the definition of MBEDTLS_PARAM_FAILED() in `config.h`,
+ *   the library will call the macro that you defined and will not supply
+ *   its own version. Note that if MBEDTLS_PARAM_FAILED() calls `assert`,
+ *   you need to enable #MBEDTLS_CHECK_PARAMS_ASSERT so that library source
+ *   files include `<assert.h>`.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
+/**
+ * \def MBEDTLS_CHECK_PARAMS_ASSERT
+ *
+ * Allow MBEDTLS_PARAM_FAILED() to call `assert`, and make it default to
+ * `assert`. This macro is only used if #MBEDTLS_CHECK_PARAMS is defined.
+ *
+ * If this macro is not defined, then MBEDTLS_PARAM_FAILED() defaults to
+ * calling a function mbedtls_param_failed(). See the documentation of
+ * #MBEDTLS_CHECK_PARAMS for details.
+ *
+ * Uncomment to allow MBEDTLS_PARAM_FAILED() to call `assert`.
+ */
+//#define MBEDTLS_CHECK_PARAMS_ASSERT
+
 /* \} name SECTION: System support */
 
 /**
@@ -352,7 +424,7 @@
  * \note Because of a signature change, the core AES encryption and decryption routines are
  *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
  *       respectively. When setting up alternative implementations, these functions should
- *       be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
  *       must stay untouched.
  *
  * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
@@ -367,6 +439,16 @@
  *            dependencies on them, and considering stronger message digests
  *            and ciphers instead.
  *
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
+ *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
+ *            desirable).
+ *
  */
 //#define MBEDTLS_MD2_PROCESS_ALT
 //#define MBEDTLS_MD4_PROCESS_ALT
@@ -402,34 +484,46 @@
  * is still present and it is used for group structures not supported by the
  * alternative.
  *
+ * The original implementation can in addition be removed by setting the
+ * MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the
+ * corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be
+ * able to fallback to curves not supported by the alternative implementation.
+ *
  * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
  * and implementing the following functions:
  *      unsigned char mbedtls_internal_ecp_grp_capable(
  *          const mbedtls_ecp_group *grp )
  *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
- *      void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
  * The mbedtls_internal_ecp_grp_capable function should return 1 if the
  * replacement functions implement arithmetic for the given group and 0
  * otherwise.
- * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
  * called before and after each point operation and provide an opportunity to
  * implement optimized set up and tear down instructions.
  *
- * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
- * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
- * function, but will use your mbedtls_internal_ecp_double_jac if the group is
- * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
- * receives it as an argument). If the group is not supported then the original
- * implementation is used. The other functions and the definition of
- * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
- * implementation of mbedtls_internal_ecp_double_jac and
- * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
+ * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and
+ * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac()
+ * function, but will use your mbedtls_internal_ecp_double_jac() if the group
+ * for the operation is supported by your implementation (i.e. your
+ * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the
+ * group is not supported by your implementation, then the original mbed TLS
+ * implementation of ecp_double_jac() is used instead, unless this fallback
+ * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case
+ * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE).
+ *
+ * The function prototypes and the definition of mbedtls_ecp_group and
+ * mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your
+ * implementation of mbedtls_internal_ecp__function_name__ must be compatible
+ * with their definitions.
  *
  * Uncomment a macro to enable alternate implementation of the corresponding
  * function.
  */
 /* Required for all the functions in this section */
 //#define MBEDTLS_ECP_INTERNAL_ALT
+/* Turn off software fallback for curves not supported in hardware */
+//#define MBEDTLS_ECP_NO_FALLBACK
 /* Support for Weierstrass curves with Jacobi representation */
 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
 //#define MBEDTLS_ECP_ADD_MIXED_ALT
@@ -606,6 +700,13 @@
 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 #define MBEDTLS_CIPHER_PADDING_ZEROS
 
+/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ *
+ * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.
+ * By default, CTR_DRBG uses a 256-bit key.
+ */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+
 /**
  * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
  *
@@ -637,6 +738,26 @@
  */
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
  *
@@ -645,6 +766,7 @@
  *
  * Comment macros to disable the curve and functions for it
  */
+/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
 #define MBEDTLS_ECP_DP_SECP128R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
@@ -657,6 +779,7 @@
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
+/* Montgomery curves (supporting ECP) */
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
@@ -671,6 +794,81 @@
  */
 #define MBEDTLS_ECP_NIST_OPTIM
 
+/**
+ * \def MBEDTLS_ECP_NO_INTERNAL_RNG
+ *
+ * When this option is disabled, mbedtls_ecp_mul() will make use of an
+ * internal RNG when called with a NULL \c f_rng argument, in order to protect
+ * against some side-channel attacks.
+ *
+ * This protection introduces a dependency of the ECP module on one of the
+ * DRBG modules. For very constrained implementations that don't require this
+ * protection (for example, because you're only doing signature verification,
+ * so not manipulating any secret, or because local/physical side-channel
+ * attacks are outside your threat model), it might be desirable to get rid of
+ * that dependency.
+ *
+ * \warning Enabling this option makes some uses of ECP vulnerable to some
+ * side-channel attacks. Only enable it if you know that's not a problem for
+ * your use case.
+ *
+ * Uncomment this macro to disable some counter-measures in ECP.
+ */
+//#define MBEDTLS_ECP_NO_INTERNAL_RNG
+
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note  This option only works with the default software implementation of
+ *        elliptic curve functionality. It is incompatible with
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT
+ *        and MBEDTLS_ECDH_LEGACY_CONTEXT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
+/**
+ * \def MBEDTLS_ECDH_LEGACY_CONTEXT
+ *
+ * Use a backward compatible ECDH context.
+ *
+ * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
+ * defined in `ecdh.h`). For most applications, the choice of format makes
+ * no difference, since all library functions can work with either format,
+ * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
+
+ * The new format used when this option is disabled is smaller
+ * (56 bytes on a 32-bit platform). In future versions of the library, it
+ * will support alternative implementations of ECDH operations.
+ * The new format is incompatible with applications that access
+ * context fields directly and with restartable ECP operations.
+ *
+ * Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you
+ * want to access ECDH context fields directly. Otherwise you should
+ * comment out this macro definition.
+ *
+ * This option has no effect if #MBEDTLS_ECDH_C is not enabled.
+ *
+ * \note This configuration option is experimental. Future versions of the
+ *       library may modify the way the ECDH context layout is configured
+ *       and may modify the layout of the new context type.
+ */
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
  *
@@ -679,7 +877,7 @@
  * may result in a compromise of the long-term signing key. This is avoided by
  * the deterministic variant.
  *
- * Requires: MBEDTLS_HMAC_DRBG_C
+ * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
  *
  * Comment this macro to disable deterministic ECDSA.
  */
@@ -898,7 +1096,7 @@
  *
  * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
  *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -922,7 +1120,7 @@
  *
  * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
  *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1073,6 +1271,18 @@
  */
 //#define MBEDTLS_ENTROPY_NV_SEED
 
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice. It is incompatible with MBEDTLS_USE_PSA_CRYPTO.
+ */
+//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
 /**
  * \def MBEDTLS_MEMORY_DEBUG
  *
@@ -1129,6 +1339,98 @@
  */
 #define MBEDTLS_PKCS1_V21
 
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ *       crypto client when the PSA crypto implementation is not included in
+ *       the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ *       code to set and get PSA key attributes.
+ *       The development of PSA drivers partially relying on the library to
+ *       fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/** \def MBEDTLS_PSA_CRYPTO_DRIVERS
+ *
+ * Enable support for the experimental PSA crypto driver interface.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_DRIVERS
+
+/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ *
+ * Make the PSA Crypto module use an external random generator provided
+ * by a driver, instead of Mbed TLS's entropy and DRBG modules.
+ *
+ * \note This random generator must deliver random numbers with cryptographic
+ *       quality and high performance. It must supply unpredictable numbers
+ *       with a uniform distribution. The implementation of this function
+ *       is responsible for ensuring that the random generator is seeded
+ *       with sufficient entropy. If you have a hardware TRNG which is slow
+ *       or delivers non-uniform output, declare it as an entropy source
+ *       with mbedtls_entropy_add_source() instead of enabling this option.
+ *
+ * If you enable this option, you must configure the type
+ * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h
+ * and define a function called mbedtls_psa_external_get_random()
+ * with the following prototype:
+ * ```
+ * psa_status_t mbedtls_psa_external_get_random(
+ *     mbedtls_psa_external_random_context_t *context,
+ *     uint8_t *output, size_t output_size, size_t *output_length);
+ * );
+ * ```
+ * The \c context value is initialized to 0 before the first call.
+ * The function must fill the \c output buffer with \p output_size bytes
+ * of random data and set \c *output_length to \p output_size.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * \warning If you enable this option, code that uses the PSA cryptography
+ *          interface will not use any of the entropy sources set up for
+ *          the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SEED
+ *          enables.
+ *
+ * \note This option is experimental and may be removed without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * Module:  library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_SPM
+
+/**
+ * \def MBEDTLS_PSA_INJECT_ENTROPY
+ *
+ * Enable support for entropy injection at first boot. This feature is
+ * required on systems that do not have a built-in entropy source (TRNG).
+ * This feature is currently not supported on systems that have a built-in
+ * entropy source.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED
+ *
+ */
+//#define MBEDTLS_PSA_INJECT_ENTROPY
+
 /**
  * \def MBEDTLS_RSA_NO_CRT
  *
@@ -1163,6 +1465,28 @@
  */
 //#define MBEDTLS_SHA256_SMALLER
 
+/**
+ * \def MBEDTLS_SHA512_SMALLER
+ *
+ * Enable an implementation of SHA-512 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * Uncomment to enable the smaller implementation of SHA512.
+ */
+//#define MBEDTLS_SHA512_SMALLER
+
+/**
+ * \def MBEDTLS_SHA512_NO_SHA384
+ *
+ * Disable the SHA-384 option of the SHA-512 module. Use this to save some
+ * code size on devices that don't use SHA-384.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Uncomment to disable SHA-384
+ */
+//#define MBEDTLS_SHA512_NO_SHA384
+
 /**
  * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
  *
@@ -1177,6 +1501,48 @@
  */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 
+/**
+ * \def MBEDTLS_SSL_RECORD_CHECKING
+ *
+ * Enable the function mbedtls_ssl_check_record() which can be used to check
+ * the validity and authenticity of an incoming record, to verify that it has
+ * not been seen before. These checks are performed without modifying the
+ * externally visible state of the SSL context.
+ *
+ * See mbedtls_ssl_check_record() for more information.
+ *
+ * Uncomment to enable support for record checking.
+ */
+#define MBEDTLS_SSL_RECORD_CHECKING
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
+ *
+ * Enable support for the DTLS Connection ID extension
+ * (version draft-ietf-tls-dtls-connection-id-05,
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
+ * which allows to identify DTLS connections across changes
+ * in the underlying transport.
+ *
+ * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
+ * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
+ * See the corresponding documentation for more information.
+ *
+ * \warning The Connection ID extension is still in draft state.
+ *          We make no stability promises for the availability
+ *          or the shape of the API controlled by this option.
+ *
+ * The maximum lengths of outgoing and incoming CIDs can be configured
+ * through the options
+ * - MBEDTLS_SSL_CID_OUT_LEN_MAX
+ * - MBEDTLS_SSL_CID_IN_LEN_MAX.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Uncomment to enable the Connection ID extension.
+ */
+//#define MBEDTLS_SSL_DTLS_CONNECTION_ID
+
 /**
  * \def MBEDTLS_SSL_ASYNC_PRIVATE
  *
@@ -1188,6 +1554,33 @@
  */
 //#define MBEDTLS_SSL_ASYNC_PRIVATE
 
+/**
+ * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
+ *
+ * Enable serialization of the TLS context structures, through use of the
+ * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
+ *
+ * This pair of functions allows one side of a connection to serialize the
+ * context associated with the connection, then free or re-use that context
+ * while the serialized state is persisted elsewhere, and finally deserialize
+ * that state to a live context for resuming read/write operations on the
+ * connection. From a protocol perspective, the state of the connection is
+ * unaffected, in particular this is entirely transparent to the peer.
+ *
+ * Note: this is distinct from TLS session resumption, which is part of the
+ * protocol and fully visible by the peer. TLS session resumption enables
+ * establishing new connections associated to a saved session with shorter,
+ * lighter handshakes, while context serialization is a local optimization in
+ * handling a single, potentially long-lived connection.
+ *
+ * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are
+ * saved after the handshake to allow for more efficient serialization, so if
+ * you don't need this feature you'll save RAM by disabling it.
+ *
+ * Comment to disable the context serialization APIs.
+ */
+#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
+
 /**
  * \def MBEDTLS_SSL_DEBUG_ALL
  *
@@ -1224,8 +1617,8 @@
 
 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  *
- * Enable support for Extended Master Secret, aka Session Hash
- * (draft-ietf-tls-session-hash-02).
+ * Enable support for RFC 7627: Session Hash and Extended Master Secret
+ * Extension.
  *
  * This was introduced as "the proper fix" to the Triple Handshake familiy of
  * attacks, but it is recommended to always use it (even if you disable
@@ -1243,7 +1636,8 @@
 /**
  * \def MBEDTLS_SSL_FALLBACK_SCSV
  *
- * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV)
+ * for Preventing Protocol Downgrade Attacks.
  *
  * For servers, it is recommended to always enable this, unless you support
  * only one version of TLS, or know for sure that none of your clients
@@ -1257,12 +1651,37 @@
  */
 #define MBEDTLS_SSL_FALLBACK_SCSV
 
+/**
+ * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ *
+ * This option controls the availability of the API mbedtls_ssl_get_peer_cert()
+ * giving access to the peer's certificate after completion of the handshake.
+ *
+ * Unless you need mbedtls_ssl_peer_cert() in your application, it is
+ * recommended to disable this option for reduced RAM usage.
+ *
+ * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
+ *       defined, but always returns \c NULL.
+ *
+ * \note This option has no influence on the protection against the
+ *       triple handshake attack. Even if it is disabled, Mbed TLS will
+ *       still ensure that certificates do not change during renegotiation,
+ *       for exaple by keeping a hash of the peer's certificate.
+ *
+ * Comment this macro to disable storing the peer's certificate
+ * after the handshake.
+ */
+#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+
 /**
  * \def MBEDTLS_SSL_HW_RECORD_ACCEL
  *
  * Enable hooking functions in SSL module for hardware acceleration of
  * individual records.
  *
+ * \deprecated This option is deprecated and will be removed in a future
+ *             version of Mbed TLS.
+ *
  * Uncomment this macro to enable hooking functions.
  */
 //#define MBEDTLS_SSL_HW_RECORD_ACCEL
@@ -1282,7 +1701,7 @@
 /**
  * \def MBEDTLS_SSL_RENEGOTIATION
  *
- * Disable support for TLS renegotiation.
+ * Enable support for TLS renegotiation.
  *
  * The two main uses of renegotiation are (1) refresh keys on long-lived
  * connections and (2) client authentication after the initial handshake.
@@ -1307,6 +1726,9 @@
  * Enable support for receiving and parsing SSLv2 Client Hello messages for the
  * SSL Server module (MBEDTLS_SSL_SRV_C).
  *
+ * \deprecated This option is deprecated and will be removed in a future
+ *             version of Mbed TLS.
+ *
  * Uncomment this macro to enable support for SSLv2 Client Hello messages.
  */
 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1338,6 +1760,9 @@
  * Requires: MBEDTLS_MD5_C
  *           MBEDTLS_SHA1_C
  *
+ * \deprecated This option is deprecated and will be removed in a future
+ *             version of Mbed TLS.
+ *
  * Comment this macro to disable support for SSL 3.0
  */
 //#define MBEDTLS_SSL_PROTO_SSL3
@@ -1378,6 +1803,25 @@
  */
 #define MBEDTLS_SSL_PROTO_TLS1_2
 
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+ *
+ * This macro is used to selectively enable experimental parts
+ * of the code that contribute to the ongoing development of
+ * the prototype TLS 1.3 and DTLS 1.3 implementation, and provide
+ * no other purpose.
+ *
+ * \warning TLS 1.3 and DTLS 1.3 aren't yet supported in Mbed TLS,
+ *          and no feature exposed through this macro is part of the
+ *          public API. In particular, features under the control
+ *          of this macro are experimental and don't come with any
+ *          stability guarantees.
+ *
+ * Uncomment this macro to enable experimental and partial
+ * functionality specific to TLS 1.3.
+ */
+//#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+
 /**
  * \def MBEDTLS_SSL_PROTO_DTLS
  *
@@ -1435,6 +1879,37 @@
  */
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 
+/**
+ * \def MBEDTLS_SSL_DTLS_SRTP
+ *
+ * Enable support for negotation of DTLS-SRTP (RFC 5764)
+ * through the use_srtp extension.
+ *
+ * \note This feature provides the minimum functionality required
+ * to negotiate the use of DTLS-SRTP and to allow the derivation of
+ * the associated SRTP packet protection key material.
+ * In particular, the SRTP packet protection itself, as well as the
+ * demultiplexing of RTP and DTLS packets at the datagram layer
+ * (see Section 5 of RFC 5764), are not handled by this feature.
+ * Instead, after successful completion of a handshake negotiating
+ * the use of DTLS-SRTP, the extended key exporter API
+ * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement
+ * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
+ * (this is implemented in the SSL example programs).
+ * The resulting key should then be passed to an SRTP stack.
+ *
+ * Setting this option enables the runtime API
+ * mbedtls_ssl_conf_dtls_srtp_protection_profiles()
+ * through which the supported DTLS-SRTP protection
+ * profiles can be configured. You must call this API at
+ * runtime if you wish to negotiate the use of DTLS-SRTP.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Uncomment this to enable support for use_srtp extension.
+ */
+//#define MBEDTLS_SSL_DTLS_SRTP
+
 /**
  * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
  *
@@ -1466,7 +1941,7 @@
  * \def MBEDTLS_SSL_SESSION_TICKETS
  *
  * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintainance of a
+ * Client-side, provides full support for session tickets (maintenance of a
  * session store remains the responsibility of the application, though).
  * Server-side, you also need to provide callbacks for writing and parsing
  * tickets, including authenticated encryption and key management. Example
@@ -1511,8 +1986,8 @@
  *
  * Fallback to old (pre-2.7), non-conforming implementation of the truncated
  * HMAC extension which also truncates the HMAC key. Note that this option is
- * only meant for a transitory upgrade period and is likely to be removed in
- * a future version of the library.
+ * only meant for a transitory upgrade period and will be removed in a future
+ * version of the library.
  *
  * \warning The old implementation is non-compliant and has a security weakness
  *          (2^80 brute force attack on the HMAC key used for a single,
@@ -1521,7 +1996,7 @@
  *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
  *          the fixed implementation yet (pre-2.7).
  *
- * \deprecated This option is deprecated and will likely be removed in a
+ * \deprecated This option is deprecated and will be removed in a
  *             future version of Mbed TLS.
  *
  * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
@@ -1530,6 +2005,72 @@
  */
 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
 
+/**
+ * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+ *
+ * When this option is enabled, the SSL buffer will be resized automatically
+ * based on the negotiated maximum fragment length in each direction.
+ *
+ * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+ */
+//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * clang's MemorySanitizer. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires compiling with clang -fsanitize=memory. The test
+ * suites can then be run normally.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * valgrind's memcheck tool. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires valgrind headers for building, and is only useful for
+ * testing if the tests suites are run with valgrind's memcheck. This can be
+ * done for an individual test suite with 'valgrind ./test_suite_xxx', or when
+ * using CMake, this can be done for all test suites with 'make memcheck'.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+
+/**
+ * \def MBEDTLS_TEST_HOOKS
+ *
+ * Enable features for invasive testing such as introspection functions and
+ * hooks for fault injection. This enables additional unit tests.
+ *
+ * Merely enabling this feature should not change the behavior of the product.
+ * It only adds new code, and new branching points where the default behavior
+ * is the same as when this feature is disabled.
+ * However, this feature increases the attack surface: there is an added
+ * risk of vulnerabilities, and more gadgets that can make exploits easier.
+ * Therefore this feature must never be enabled in production.
+ *
+ * See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for more
+ * information.
+ *
+ * Uncomment to enable invasive tests.
+ */
+//#define MBEDTLS_TEST_HOOKS
+
 /**
  * \def MBEDTLS_THREADING_ALT
  *
@@ -1552,6 +2093,51 @@
  */
 //#define MBEDTLS_THREADING_PTHREAD
 
+/**
+ * \def MBEDTLS_USE_PSA_CRYPTO
+ *
+ * Make the X.509 and TLS library use PSA for cryptographic operations, and
+ * enable new APIs for using keys handled by PSA Crypto.
+ *
+ * \note Development of this option is currently in progress, and parts of Mbed
+ * TLS's X.509 and TLS modules are not ported to PSA yet. However, these parts
+ * will still continue to work as usual, so enabling this option should not
+ * break backwards compatibility.
+ *
+ * \warning The PSA Crypto API is in beta stage. While you're welcome to
+ * experiment using it, incompatible API changes are still possible, and some
+ * parts may not have reached the same quality as the rest of Mbed TLS yet.
+ *
+ * \warning This option enables new Mbed TLS APIs that are dependent on the
+ * PSA Crypto API, so can't come with the same stability guarantees as the
+ * rest of the Mbed TLS APIs. You're welcome to experiment with them, but for
+ * now, access to these APIs is opt-in (via enabling the present option), in
+ * order to clearly differentiate them from the stable Mbed TLS APIs.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
+ */
+//#define MBEDTLS_USE_PSA_CRYPTO
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * Uncomment this to enable use of PSA Crypto configuration settings which
+ * can be found in include/psa/crypto_config.h.
+ *
+ * If you enable this option and write your own configuration file, you must
+ * include mbedtls/config_psa.h in your configuration file. The default
+ * provided mbedtls/config.h contains the necessary inclusion.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG
+
 /**
  * \def MBEDTLS_VERSION_FEATURES
  *
@@ -1587,6 +2173,25 @@
  */
 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 
+/**
+ * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+ *
+ * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
+ * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
+ * the set of trusted certificates through a callback instead of a linked
+ * list.
+ *
+ * This is useful for example in environments where a large number of trusted
+ * certificates is present and storing them in a linked list isn't efficient
+ * enough, or when the set of trusted certificates changes frequently.
+ *
+ * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
+ * `mbedtls_ssl_conf_ca_cb()` for more information.
+ *
+ * Uncomment to enable trusted certificate callbacks.
+ */
+//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+
 /**
  * \def MBEDTLS_X509_CHECK_KEY_USAGE
  *
@@ -1632,7 +2237,7 @@
  *
  * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
  * CRIME attack. Before enabling this option, you should examine with care if
- * CRIME or similar exploits may be a applicable to your use case.
+ * CRIME or similar exploits may be applicable to your use case.
  *
  * \note Currently compression can't be used with DTLS.
  *
@@ -2021,14 +2626,20 @@
 /**
  * \def MBEDTLS_CTR_DRBG_C
  *
- * Enable the CTR_DRBG AES-256-based random generator.
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
+ *
+ * \note To achieve a 256-bit security strength with CTR_DRBG,
+ *       you must use AES-256 *and* use sufficient entropy.
+ *       See ctr_drbg.h for more details.
  *
  * Module:  library/ctr_drbg.c
  * Caller:
  *
  * Requires: MBEDTLS_AES_C
  *
- * This module provides the CTR_DRBG AES-256 random number generator.
+ * This module provides the CTR_DRBG AES random number generator.
  */
 #define MBEDTLS_CTR_DRBG_C
 
@@ -2123,7 +2734,9 @@
  * This module is used by the following key exchanges:
  *      ECDHE-ECDSA
  *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,
+ *           and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
+ *           short Weierstrass curve.
  */
 #define MBEDTLS_ECDSA_C
 
@@ -2189,11 +2802,11 @@
 /**
  * \def MBEDTLS_GCM_C
  *
- * Enable the Galois/Counter Mode (GCM) for AES.
+ * Enable the Galois/Counter Mode (GCM).
  *
  * Module:  library/gcm.c
  *
- * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
  *
  * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
  * requisites are enabled as well.
@@ -2500,7 +3113,10 @@
 /**
  * \def MBEDTLS_PKCS11_C
  *
- * Enable wrapper for PKCS#11 smartcard support.
+ * Enable wrapper for PKCS#11 smartcard support via the pkcs11-helper library.
+ *
+ * \deprecated This option is deprecated and will be removed in a future
+ *             version of Mbed TLS.
  *
  * Module:  library/pkcs11.c
  * Caller:  library/pk.c
@@ -2558,6 +3174,65 @@
  */
 //#define MBEDTLS_POLY1305_C
 
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * \warning The PSA Crypto API is still beta status. While you're welcome to
+ * experiment using it, incompatible API changes are still possible, and some
+ * parts may not have reached the same quality as the rest of Mbed TLS yet.
+ *
+ * Module:  library/psa_crypto.c
+ *
+ * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
+ *           or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
+ *           or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SE_C
+ *
+ * Enable secure element support in the Platform Security Architecture
+ * cryptography API.
+ *
+ * \warning This feature is not yet suitable for production. It is provided
+ *          for API evaluation and testing purposes only.
+ *
+ * Module:  library/psa_crypto_se.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_SE_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module:  library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ *           the PSA ITS interface
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_ITS_FILE_C
+ *
+ * Enable the emulation of the Platform Security Architecture
+ * Internal Trusted Storage (PSA ITS) over files.
+ *
+ * Module:  library/psa_its_file.c
+ *
+ * Requires: MBEDTLS_FS_IO
+ */
+#define MBEDTLS_PSA_ITS_FILE_C
+
 /**
  * \def MBEDTLS_RIPEMD160_C
  *
@@ -2763,7 +3438,7 @@
  *
  * This module is used by the HAVEGE random number generator.
  */
-#define MBEDTLS_TIMING_C
+//#define MBEDTLS_TIMING_C
 
 /**
  * \def MBEDTLS_VERSION_C
@@ -2904,7 +3579,7 @@
  */
 
 /* MPI / BIGNUM options */
-//#define MBEDTLS_MPI_WINDOW_SIZE            6 /**< Maximum windows size used. */
+//#define MBEDTLS_MPI_WINDOW_SIZE            6 /**< Maximum window size used. */
 //#define MBEDTLS_MPI_MAX_SIZE            1024 /**< Maximum number of bytes for usable MPIs. */
 
 /* CTR_DRBG options */
@@ -2941,7 +3616,7 @@
 //#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_PRINTF        printf /**< Default printf to use, can be undefined */
-/* Note: your snprintf must correclty zero-terminate the buffer! */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
 //#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf /**< Default snprintf to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0 /**< Default exit value to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1 /**< Default exit value to use, can be undefined */
@@ -2958,11 +3633,72 @@
 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
-/* Note: your snprintf must correclty zero-terminate the buffer! */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO    vsnprintf /**< Default vsnprintf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
 
+/**
+ * \brief       This macro is invoked by the library when an invalid parameter
+ *              is detected that is only checked with #MBEDTLS_CHECK_PARAMS
+ *              (see the documentation of that option for context).
+ *
+ *              When you leave this undefined here, the library provides
+ *              a default definition. If the macro #MBEDTLS_CHECK_PARAMS_ASSERT
+ *              is defined, the default definition is `assert(cond)`,
+ *              otherwise the default definition calls a function
+ *              mbedtls_param_failed(). This function is declared in
+ *              `platform_util.h` for the benefit of the library, but
+ *              you need to define in your application.
+ *
+ *              When you define this here, this replaces the default
+ *              definition in platform_util.h (which no longer declares the
+ *              function mbedtls_param_failed()) and it is your responsibility
+ *              to make sure this macro expands to something suitable (in
+ *              particular, that all the necessary declarations are visible
+ *              from within the library - you can ensure that by providing
+ *              them in this file next to the macro definition).
+ *              If you define this macro to call `assert`, also define
+ *              #MBEDTLS_CHECK_PARAMS_ASSERT so that library source files
+ *              include `<assert.h>`.
+ *
+ *              Note that you may define this macro to expand to nothing, in
+ *              which case you don't have to worry about declarations or
+ *              definitions. However, you will then be notified about invalid
+ *              parameters only in non-void functions, and void function will
+ *              just silently return early on invalid parameters, which
+ *              partially negates the benefits of enabling
+ *              #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond  The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond )               assert( cond )
+
+/* PSA options */
+/**
+ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
+ * PSA crypto subsystem.
+ *
+ * If this option is unset:
+ * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
+ * - Otherwise, the PSA subsystem uses HMAC_DRBG with either
+ *   #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
+ *   on unspecified heuristics.
+ */
+//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+
+/** \def MBEDTLS_PSA_KEY_SLOT_COUNT
+ * Restrict the PSA library to supporting a maximum amount of simultaneously
+ * loaded keys. A loaded key is a key stored by the PSA Crypto core as a
+ * volatile key, or a persistent key which is loaded temporarily by the
+ * library as part of a crypto operation in flight.
+ *
+ * If this option is unset, the library will fall back to a default value of
+ * 32 keys.
+ */
+//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
+
 /* SSL Cache options */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
@@ -2971,31 +3707,112 @@
 
 /** \def MBEDTLS_SSL_MAX_CONTENT_LEN
  *
- * Maximum fragment length in bytes.
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
  *
- * Determines the size of both the incoming and outgoing TLS I/O buffers.
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
  *
- * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
- * will override this length by setting maximum incoming and/or outgoing
- * fragment length, respectively.
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
  */
 //#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384
 
 /** \def MBEDTLS_SSL_IN_CONTENT_LEN
  *
- * Maximum incoming fragment length in bytes.
+ * Maximum length (in bytes) of incoming plaintext fragments.
  *
- * Uncomment to set the size of the inward TLS buffer independently of the
- * outward buffer.
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
  */
 //#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
 
+/** \def MBEDTLS_SSL_CID_IN_LEN_MAX
+ *
+ * The maximum length of CIDs used for incoming DTLS messages.
+ *
+ */
+//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32
+
+/** \def MBEDTLS_SSL_CID_OUT_LEN_MAX
+ *
+ * The maximum length of CIDs used for outgoing DTLS messages.
+ *
+ */
+//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
+
+/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
+ *
+ * This option controls the use of record plaintext padding
+ * when using the Connection ID extension in DTLS 1.2.
+ *
+ * The padding will always be chosen so that the length of the
+ * padded plaintext is a multiple of the value of this option.
+ *
+ * Note: A value of \c 1 means that no padding will be used
+ *       for outgoing records.
+ *
+ * Note: On systems lacking division instructions,
+ *       a power of two should be preferred.
+ *
+ */
+//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+
+/** \def MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY
+ *
+ * This option controls the use of record plaintext padding
+ * in TLS 1.3.
+ *
+ * The padding will always be chosen so that the length of the
+ * padded plaintext is a multiple of the value of this option.
+ *
+ * Note: A value of \c 1 means that no padding will be used
+ *       for outgoing records.
+ *
+ * Note: On systems lacking division instructions,
+ *       a power of two should be preferred.
+ */
+//#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
+
 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
  *
- * Maximum outgoing fragment length in bytes.
+ * Maximum length (in bytes) of outgoing plaintext fragments.
  *
- * Uncomment to set the size of the outward TLS buffer independently of the
- * inward buffer.
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
  *
  * It is possible to save RAM by setting a smaller outward buffer, while keeping
  * the default inward 16384 byte buffer to conform to the TLS specification.
@@ -3005,11 +3822,8 @@
  * The specific size requirement depends on the configured ciphers and any
  * certificate data which is sent during the handshake.
  *
- * For absolute minimum RAM usage, it's best to enable
- * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
- * reduces both incoming and outgoing buffer sizes. However this is only
- * guaranteed if the other end of the connection also supports the TLS
- * max_fragment_len extension. Otherwise the connection may fail.
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
  */
 //#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
 
@@ -3064,7 +3878,7 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 
 /**
  * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
@@ -3103,28 +3917,49 @@
  */
 //#define MBEDTLS_PLATFORM_ZEROIZE_ALT
 
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
+
+/**
+ * Enable the verified implementations of ECDH primitives from Project Everest
+ * (currently only Curve25519). This feature changes the layout of ECDH
+ * contexts and therefore is a compatibility break for applications that access
+ * fields of a mbedtls_ecdh_context structure directly. See also
+ * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
+ */
+//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
+
 /* \} name SECTION: Customisation configuration options */
 
-/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
-
-#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
-#endif
-
-/*
+/* Target and application specific configurations
+ *
  * Allow user to override any previous default.
  *
- * Use two macro names for that, as:
- * - with yotta the prefix YOTTA_CFG_ is forced
- * - without yotta is looks weird to have a YOTTA prefix.
  */
-#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
-#elif defined(MBEDTLS_USER_CONFIG_FILE)
+#if defined(MBEDTLS_USER_CONFIG_FILE)
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
 
-#include "check_config.h"
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "mbedtls/config_psa.h"
+#endif
+
+#include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */
diff --git a/common/mbedtls/config_psa.h b/common/mbedtls/config_psa.h
new file mode 100644
index 000000000..73a3ea356
--- /dev/null
+++ b/common/mbedtls/config_psa.h
@@ -0,0 +1,544 @@
+/**
+ * \file mbedtls/config_psa.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ *  This set of compile-time options takes settings defined in
+ *  include/mbedtls/config.h and include/psa/crypto_config.h and uses
+ *  those definitions to define symbols used in the library code.
+ *
+ *  Users and integrators should not edit this file, please edit
+ *  include/mbedtls/config.h for MBETLS_XXX settings or
+ *  include/psa/crypto_config.h for PSA_WANT_XXX settings.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_CONFIG_PSA_H
+#define MBEDTLS_CONFIG_PSA_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "psa/crypto_config.h"
+#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */
+#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
+
+#if defined(PSA_WANT_ALG_ECDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH */
+
+#if defined(PSA_WANT_ALG_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define MBEDTLS_ECDSA_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */
+#endif /* PSA_WANT_ALG_ECDSA */
+
+#if defined(PSA_WANT_ALG_HKDF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
+#endif /* PSA_WANT_ALG_HKDF */
+
+#if defined(PSA_WANT_ALG_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* PSA_WANT_ALG_HMAC */
+
+#if defined(PSA_WANT_ALG_MD2) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD2)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD2 1
+#define MBEDTLS_MD2_C
+#endif
+
+#if defined(PSA_WANT_ALG_MD4) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD4)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD4 1
+#define MBEDTLS_MD4_C
+#endif
+
+#if defined(PSA_WANT_ALG_MD5) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
+#define MBEDTLS_MD5_C
+#endif
+
+#if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
+#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
+#define MBEDTLS_RIPEMD160_C
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_MD_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */
+#endif /* PSA_WANT_ALG_RSA_OAEP */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_MD_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
+
+#if defined(PSA_WANT_ALG_RSA_PSS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_MD_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */
+#endif /* PSA_WANT_ALG_RSA_PSS */
+
+#if defined(PSA_WANT_ALG_SHA_1) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
+#define MBEDTLS_SHA1_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
+#define MBEDTLS_SHA512_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
+#define MBEDTLS_SHA512_C
+#endif
+
+#if defined(PSA_WANT_ALG_TLS12_PRF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF */
+#endif /* PSA_WANT_ALG_TLS12_PRF */
+
+#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
+#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_GENPRIME
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
+
+/* If any of the block modes are requested that don't have an
+ * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking
+ * in the block cipher key types. */
+#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
+    (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
+    (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
+    (defined(PSA_WANT_ALG_XTS) && !defined(MBEDTLS_PSA_ACCEL_ALG_XTS)) || \
+    defined(PSA_WANT_ALG_ECB_NO_PADDING) || \
+    (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
+     !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
+    (defined(PSA_WANT_ALG_CBC_PKCS7) && \
+     !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7))
+#define PSA_HAVE_SOFT_BLOCK_MODE 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_AES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
+#define MBEDTLS_AES_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_AES */
+
+#if defined(PSA_WANT_KEY_TYPE_ARC4)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4 1
+#define MBEDTLS_ARC4_C
+#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4 */
+#endif /* PSA_WANT_KEY_TYPE_ARC4 */
+
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
+#define MBEDTLS_CAMELLIA_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES)
+#define PSA_HAVE_SOFT_KEY_TYPE_DES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
+#define MBEDTLS_DES_C
+#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_DES */
+
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+#define MBEDTLS_CHACHA20_C
+#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+
+/* If any of the software block ciphers are selected, define
+ * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these
+ * situations. */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
+#endif
+
+#if defined(PSA_WANT_ALG_STREAM_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif /* PSA_WANT_ALG_STREAM_CIPHER */
+
+#if defined(PSA_WANT_ALG_CTR)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
+#define MBEDTLS_CIPHER_MODE_CTR
+#endif
+#endif /* PSA_WANT_ALG_CTR */
+
+#if defined(PSA_WANT_ALG_CFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
+#define MBEDTLS_CIPHER_MODE_CFB
+#endif
+#endif /* PSA_WANT_ALG_CFB */
+
+#if defined(PSA_WANT_ALG_OFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
+#define MBEDTLS_CIPHER_MODE_OFB
+#endif
+#endif /* PSA_WANT_ALG_OFB */
+
+#if defined(PSA_WANT_ALG_XTS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_XTS) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1
+#define MBEDTLS_CIPHER_MODE_XTS
+#endif
+#endif /* PSA_WANT_ALG_XTS */
+
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
+#endif
+
+#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
+#endif
+#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
+
+#if defined(PSA_WANT_ALG_CBC_PKCS7)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#endif /* PSA_WANT_ALG_CBC_PKCS7 */
+
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#define MBEDTLS_CHACHAPOLY_C
+#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+
+#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+/*
+ * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
+ * is not defined
+ */
+
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDH 1
+#endif /* MBEDTLS_ECDH_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define PSA_WANT_ALG_ECDSA 1
+
+// Only add in DETERMINISTIC support if ECDSA is also enabled
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_HKDF_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define PSA_WANT_ALG_HMAC 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF 1
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_MD_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_MD2_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD2 1
+#define PSA_WANT_ALG_MD2 1
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD4 1
+#define PSA_WANT_ALG_MD4 1
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
+#define PSA_WANT_ALG_MD5 1
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
+#define PSA_WANT_ALG_RIPEMD160 1
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_PKCS1_V15)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
+#endif /* MBEDTLSS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
+#define PSA_WANT_ALG_RSA_OAEP 1
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
+#define PSA_WANT_ALG_RSA_PSS 1
+#endif /* MBEDTLS_PKCS1_V21 */
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
+#define PSA_WANT_ALG_SHA_1 1
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_384 1
+#endif
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
+#define PSA_WANT_ALG_SHA_512 1
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#define PSA_WANT_KEY_TYPE_AES 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#define PSA_WANT_KEY_TYPE_ARC4 1
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4 1
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#define PSA_WANT_KEY_TYPE_DES 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#define PSA_WANT_KEY_TYPE_CHACHA20 1
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
+#endif
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CBC_PKCS7 1
+#endif
+#endif
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
+    defined(MBEDTLS_CAMELLIA_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
+#define PSA_WANT_ALG_CFB 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
+#define PSA_WANT_ALG_CTR 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
+#define PSA_WANT_ALG_OFB 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1
+#define PSA_WANT_ALG_XTS 1
+#endif
+
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+/* These features are always enabled. */
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CONFIG_PSA_H */
diff --git a/common/mbedtls/ctr_drbg.c b/common/mbedtls/ctr_drbg.c
index 7331d1045..f5d39d38d 100644
--- a/common/mbedtls/ctr_drbg.c
+++ b/common/mbedtls/ctr_drbg.c
@@ -1,24 +1,20 @@
 /*
  *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The NIST SP 800-90 DRBGs are described in the following publication.
@@ -26,16 +22,13 @@
  *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_CTR_DRBG_C)
 
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -57,84 +50,76 @@
  */
 void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx) {
     memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
+    /* Indicate that the entropy nonce length is not set explicitly.
+     * See mbedtls_ctr_drbg_set_nonce_len(). */
+    ctx->reseed_counter = -1;
 
-#if defined(MBEDTLS_THREADING_C)
-    mbedtls_mutex_init(&ctx->mutex);
-#endif
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
 }
 
 /*
- * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
- * NIST tests to succeed (which require known length fixed entropy)
+ *  This function resets CTR_DRBG context to the state immediately
+ *  after initial call of mbedtls_ctr_drbg_init().
  */
-int mbedtls_ctr_drbg_seed_entropy_len(
-    mbedtls_ctr_drbg_context *ctx,
-    int (*f_entropy)(void *, unsigned char *, size_t),
-    void *p_entropy,
-    const unsigned char *custom,
-    size_t len,
-    size_t entropy_len) {
-    int ret;
-    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
-
-    memset(key, 0, MBEDTLS_CTR_DRBG_KEYSIZE);
-
-    mbedtls_aes_init(&ctx->aes_ctx);
-
-    ctx->f_entropy = f_entropy;
-    ctx->p_entropy = p_entropy;
-
-    ctx->entropy_len = entropy_len;
-    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
-
-    /*
-     * Initialize with an empty key
-     */
-    if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
-        return (ret);
-    }
-
-    if ((ret = mbedtls_ctr_drbg_reseed(ctx, custom, len)) != 0) {
-        return (ret);
-    }
-    return (0);
-}
-
-int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
-                          int (*f_entropy)(void *, unsigned char *, size_t),
-                          void *p_entropy,
-                          const unsigned char *custom,
-                          size_t len) {
-    return (mbedtls_ctr_drbg_seed_entropy_len(ctx, f_entropy, p_entropy, custom, len,
-                                              MBEDTLS_CTR_DRBG_ENTROPY_LEN));
-}
-
 void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx) {
     if (ctx == NULL)
         return;
 
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_mutex_free(&ctx->mutex);
+    /* The mutex is initialized iff f_entropy is set. */
+    if (ctx->f_entropy != NULL)
+        mbedtls_mutex_free(&ctx->mutex);
 #endif
     mbedtls_aes_free(&ctx->aes_ctx);
     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+    ctx->reseed_counter = -1;
 }
 
-void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx, int resistance) {
+void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
+                                                int resistance) {
     ctx->prediction_resistance = resistance;
 }
 
-void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx, size_t len) {
+void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
+                                      size_t len) {
     ctx->entropy_len = len;
 }
 
-void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx, int interval) {
+int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
+                                   size_t len) {
+    /* If mbedtls_ctr_drbg_seed() has already been called, it's
+     * too late. Return the error code that's closest to making sense. */
+    if (ctx->f_entropy != NULL)
+        return (MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED);
+
+    if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+        return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
+#if SIZE_MAX > INT_MAX
+    /* This shouldn't be an issue because
+     * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
+     * configuration, but make sure anyway. */
+    if (len > INT_MAX)
+        return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
+#endif
+
+    /* For backward compatibility with Mbed TLS <= 2.19, store the
+     * entropy nonce length in a field that already exists, but isn't
+     * used until after the initial seeding. */
+    /* Due to the capping of len above, the value fits in an int. */
+    ctx->reseed_counter = (int) len;
+    return (0);
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
+                                          int interval) {
     ctx->reseed_interval = interval;
 }
 
 static int block_cipher_df(unsigned char *output,
                            const unsigned char *data, size_t data_len) {
-    unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+    unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+                                                      MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
     unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
     unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
@@ -148,7 +133,8 @@ static int block_cipher_df(unsigned char *output,
     if (data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
         return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
 
-    memset(buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16);
+    memset(buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+           MBEDTLS_CTR_DRBG_BLOCKSIZE + 16);
     mbedtls_aes_init(&aes_ctx);
 
     /*
@@ -173,7 +159,8 @@ static int block_cipher_df(unsigned char *output,
     for (i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++)
         key[i] = i;
 
-    if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+    if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
+                                      MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
         goto exit;
     }
 
@@ -192,7 +179,8 @@ static int block_cipher_df(unsigned char *output,
             use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
                        MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
 
-            if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain)) != 0) {
+            if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                             chain, chain)) != 0) {
                 goto exit;
             }
         }
@@ -208,14 +196,16 @@ static int block_cipher_df(unsigned char *output,
     /*
      * Do final encryption with reduced data
      */
-    if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+    if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
+                                      MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
         goto exit;
     }
     iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
     p = output;
 
     for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
-        if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv)) != 0) {
+        if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                         iv, iv)) != 0) {
             goto exit;
         }
         memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
@@ -240,6 +230,14 @@ exit:
     return (ret);
 }
 
+/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ *   ctx->aes_ctx = Key
+ *   ctx->counter = V
+ */
 static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
                                     const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN]) {
     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
@@ -260,8 +258,9 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
         /*
          * Crypt counter block
          */
-        if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p)) != 0) {
-            return (ret);
+        if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                         ctx->counter, p)) != 0) {
+            goto exit;
         }
 
         p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
@@ -273,77 +272,217 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
     /*
      * Update key and counter
      */
-    if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
-        return (ret);
+    if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
+                                      MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+        goto exit;
     }
-    memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+    memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
+           MBEDTLS_CTR_DRBG_BLOCKSIZE);
 
-    return (0);
+exit:
+    mbedtls_platform_zeroize(tmp, sizeof(tmp));
+    return (ret);
 }
 
-void mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
-                             const unsigned char *additional, size_t add_len) {
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   ctx->counter = all-bits-0
+ *   ctx->aes_ctx = context from all-bits-0 key
+ *   additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
+                                const unsigned char *additional,
+                                size_t add_len) {
     unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if (add_len > 0) {
-        /* MAX_INPUT would be more logical here, but we have to match
-         * block_cipher_df()'s limits since we can't propagate errors */
-        if (add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
-            add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
+    if (add_len == 0)
+        return (0);
 
-        block_cipher_df(add_input, additional, add_len);
-        ctr_drbg_update_internal(ctx, add_input);
-    }
+    if ((ret = block_cipher_df(add_input, additional, add_len)) != 0)
+        goto exit;
+    if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0)
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize(add_input, sizeof(add_input));
+    return (ret);
 }
 
-int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
-                            const unsigned char *additional, size_t len) {
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
+                             const unsigned char *additional,
+                             size_t add_len) {
+    /* MAX_INPUT would be more logical here, but we have to match
+     * block_cipher_df()'s limits since we can't propagate errors */
+    if (add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+        add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
+    (void) mbedtls_ctr_drbg_update_ret(ctx, additional, add_len);
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ *                -> new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ *                              for (ctx->entropy_len + nonce_len) bytes
+ * and with output
+ *   ctx contains new_working_state
+ */
+static int mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context *ctx,
+                                            const unsigned char *additional,
+                                            size_t len,
+                                            size_t nonce_len) {
     unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
     size_t seedlen = 0;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if (ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
-            len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len)
+    if (ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+        return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
+    if (nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len)
+        return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
+    if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len)
         return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
 
     memset(seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT);
 
-    /*
-     * Gather entropy_len bytes of entropy to seed state
-     */
-    if (0 != ctx->f_entropy(ctx->p_entropy, seed,
-                            ctx->entropy_len)) {
+    /* Gather entropy_len bytes of entropy to seed state. */
+    if (0 != ctx->f_entropy(ctx->p_entropy, seed, ctx->entropy_len)) {
         return (MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED);
     }
-
     seedlen += ctx->entropy_len;
 
-    /*
-     * Add additional data
-     */
-    if (additional && len) {
+    /* Gather entropy for a nonce if requested. */
+    if (nonce_len != 0) {
+        if (0 != ctx->f_entropy(ctx->p_entropy, seed + seedlen, nonce_len)) {
+            return (MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED);
+        }
+        seedlen += nonce_len;
+    }
+
+    /* Add additional data if provided. */
+    if (additional != NULL && len != 0) {
         memcpy(seed + seedlen, additional, len);
         seedlen += len;
     }
 
-    /*
-     * Reduce to 384 bits
-     */
-    if ((ret = block_cipher_df(seed, seed, seedlen)) != 0) {
-        return (ret);
-    }
+    /* Reduce to 384 bits. */
+    if ((ret = block_cipher_df(seed, seed, seedlen)) != 0)
+        goto exit;
 
-    /*
-     * Update state
-     */
-    if ((ret = ctr_drbg_update_internal(ctx, seed)) != 0) {
-        return (ret);
-    }
+    /* Update state. */
+    if ((ret = ctr_drbg_update_internal(ctx, seed)) != 0)
+        goto exit;
     ctx->reseed_counter = 1;
 
+exit:
+    mbedtls_platform_zeroize(seed, sizeof(seed));
+    return (ret);
+}
+
+int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
+                            const unsigned char *additional, size_t len) {
+    return (mbedtls_ctr_drbg_reseed_internal(ctx, additional, len, 0));
+}
+
+/* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
+ * is sufficient to achieve the maximum security strength given the key
+ * size and entropy length. If there is enough entropy in the initial
+ * call to the entropy function to serve as both the entropy input and
+ * the nonce, don't make a second call to get a nonce. */
+static size_t good_nonce_len(size_t entropy_len) {
+    if (entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2)
+        return (0);
+    else
+        return ((entropy_len + 1) / 2);
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for ctx->entropy_len bytes
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
+                          int (*f_entropy)(void *, unsigned char *, size_t),
+                          void *p_entropy,
+                          const unsigned char *custom,
+                          size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+    size_t nonce_len;
+
+    memset(key, 0, MBEDTLS_CTR_DRBG_KEYSIZE);
+
+    /* The mutex is initialized iff f_entropy is set. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+    mbedtls_aes_init(&ctx->aes_ctx);
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if (ctx->entropy_len == 0)
+        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+    /* ctx->reseed_counter contains the desired amount of entropy to
+     * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
+     * If it's -1, indicating that the entropy nonce length was not set
+     * explicitly, use a sufficiently large nonce for security. */
+    nonce_len = (ctx->reseed_counter >= 0 ?
+                 (size_t) ctx->reseed_counter :
+                 good_nonce_len(ctx->entropy_len));
+
+    /* Initialize with an empty key. */
+    if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
+                                      MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+        return (ret);
+    }
+
+    /* Do the initial seeding. */
+    if ((ret = mbedtls_ctr_drbg_reseed_internal(ctx, custom, len,
+                                                nonce_len)) != 0) {
+        return (ret);
+    }
     return (0);
 }
 
+/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ *                -> working_state_after_reseed
+ *                if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ *                   requested_number_of_bits, additional_input)
+ *                -> status, returned_bits, new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   requested_number_of_bits = 8 * output_len
+ *   additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ *   status = SUCCESS (this function does the reseed internally)
+ *   returned_bits = output[:output_len]
+ *   ctx contains new_working_state
+ */
 int mbedtls_ctr_drbg_random_with_add(void *p_rng,
                                      unsigned char *output, size_t output_len,
                                      const unsigned char *additional, size_t add_len) {
@@ -372,12 +511,10 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
     }
 
     if (add_len > 0) {
-        if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
-            return (ret);
-        }
-        if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
-            return (ret);
-        }
+        if ((ret = block_cipher_df(add_input, additional, add_len)) != 0)
+            goto exit;
+        if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0)
+            goto exit;
     }
 
     while (output_len > 0) {
@@ -391,12 +528,13 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
         /*
          * Crypt counter block
          */
-        if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp)) != 0) {
-            return (ret);
+        if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                         ctx->counter, tmp)) != 0) {
+            goto exit;
         }
 
-        use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
-                  output_len;
+        use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
+                  ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
         /*
          * Copy random block to destination
          */
@@ -405,17 +543,20 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
         output_len -= use_len;
     }
 
-    if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
-        return (ret);
-    }
+    if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0)
+        goto exit;
 
     ctx->reseed_counter++;
 
-    return (0);
+exit:
+    mbedtls_platform_zeroize(add_input, sizeof(add_input));
+    mbedtls_platform_zeroize(tmp, sizeof(tmp));
+    return (ret);
 }
 
-int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output, size_t output_len) {
-    int ret;
+int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output,
+                            size_t output_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
 
 #if defined(MBEDTLS_THREADING_C)
@@ -434,7 +575,8 @@ int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output, size_t output_le
 }
 
 #if defined(MBEDTLS_FS_IO)
-int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path) {
+int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx,
+                                     const char *path) {
     int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
     FILE *f;
     unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
@@ -442,13 +584,16 @@ int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *
     if ((f = fopen(path, "wb")) == NULL)
         return (MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR);
 
-    if ((ret = mbedtls_ctr_drbg_random(ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT)) != 0)
+    if ((ret = mbedtls_ctr_drbg_random(ctx, buf,
+                                       MBEDTLS_CTR_DRBG_MAX_INPUT)) != 0)
         goto exit;
 
-    if (fwrite(buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f) != MBEDTLS_CTR_DRBG_MAX_INPUT)
+    if (fwrite(buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f) !=
+            MBEDTLS_CTR_DRBG_MAX_INPUT) {
         ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
-    else
+    } else {
         ret = 0;
+    }
 
 exit:
     mbedtls_platform_zeroize(buf, sizeof(buf));
@@ -457,87 +602,184 @@ exit:
     return (ret);
 }
 
-int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path) {
+int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx,
+                                      const char *path) {
     int ret = 0;
-    FILE *f;
+    FILE *f = NULL;
     size_t n;
     unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+    unsigned char c;
 
     if ((f = fopen(path, "rb")) == NULL)
         return (MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR);
 
-    fseek(f, 0, SEEK_END);
-    n = (size_t) ftell(f);
-    fseek(f, 0, SEEK_SET);
-
-    if (n > MBEDTLS_CTR_DRBG_MAX_INPUT) {
-        fclose(f);
-        return (MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG);
+    n = fread(buf, 1, sizeof(buf), f);
+    if (fread(&c, 1, 1, f) != 0) {
+        ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+        goto exit;
     }
-
-    if (fread(buf, 1, n, f) != n)
+    if (n == 0 || ferror(f)) {
         ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
-    else
-        mbedtls_ctr_drbg_update(ctx, buf, n);
-
+        goto exit;
+    }
     fclose(f);
+    f = NULL;
 
+    ret = mbedtls_ctr_drbg_update_ret(ctx, buf, n);
+
+exit:
     mbedtls_platform_zeroize(buf, sizeof(buf));
-
+    if (f != NULL)
+        fclose(f);
     if (ret != 0)
         return (ret);
-
     return (mbedtls_ctr_drbg_write_seed_file(ctx, path));
 }
 #endif /* MBEDTLS_FS_IO */
 
 #if defined(MBEDTLS_SELF_TEST)
 
-static const unsigned char entropy_source_pr[96] = {
-    0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
-    0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
-    0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
-    0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
-    0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
-    0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
-    0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
-    0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
-    0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
-    0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
-    0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
-    0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68
+/* The CTR_DRBG NIST test vectors used here are available at
+ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
+ *
+ * The parameters used to derive the test data are:
+ *
+ * [AES-128 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 128]
+ * [NonceLen = 64]
+ * [PersonalizationStringLen = 128]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ * [AES-256 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 256]
+ * [NonceLen = 128]
+ * [PersonalizationStringLen = 256]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+static const unsigned char entropy_source_pr[] = {
+    0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
+    0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
+    0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
+    0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
+    0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
+    0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
+    0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8
 };
 
-static const unsigned char entropy_source_nopr[64] = {
-    0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
-    0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
-    0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
-    0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
-    0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
-    0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
-    0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
-    0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e
+static const unsigned char entropy_source_nopr[] = {
+    0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
+    0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
+    0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
+    0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
+    0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c
 };
 
-static const unsigned char nonce_pers_pr[16] = {
-    0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
-    0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c
+static const unsigned char pers_pr[] = {
+    0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
+    0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad
 };
 
-static const unsigned char nonce_pers_nopr[16] = {
-    0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
-    0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f
+static const unsigned char pers_nopr[] = {
+    0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
+    0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f
 };
 
-static const unsigned char result_pr[16] = {
-    0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
-    0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23
+static const unsigned char result_pr[] = {
+    0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
+    0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
+    0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
+    0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
+    0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
+    0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
+    0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
+    0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf
 };
 
-static const unsigned char result_nopr[16] = {
-    0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
-    0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f
+static const unsigned char result_nopr[] = {
+    0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
+    0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
+    0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
+    0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
+    0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
+    0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
+    0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
+    0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8
 };
+#else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+static const unsigned char entropy_source_pr[] = {
+    0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
+    0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
+    0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
+    0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
+    0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
+    0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
+    0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
+    0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
+    0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
+    0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
+    0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
+    0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
+    0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
+    0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe
+};
+
+static const unsigned char entropy_source_nopr[] = {
+    0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
+    0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
+    0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
+    0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
+    0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
+    0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
+    0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
+    0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
+    0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
+    0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7
+};
+
+static const unsigned char pers_pr[] = {
+    0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
+    0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
+    0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
+    0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9
+};
+
+static const unsigned char pers_nopr[] = {
+    0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
+    0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
+    0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
+    0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b
+};
+
+static const unsigned char result_pr[] = {
+    0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
+    0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
+    0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
+    0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
+    0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
+    0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
+    0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
+    0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43
+};
+
+static const unsigned char result_nopr[] = {
+    0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
+    0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
+    0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
+    0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
+    0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
+    0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
+    0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
+    0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98
+};
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
 
 static size_t test_offset;
 static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf,
@@ -549,18 +791,20 @@ static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf,
 }
 
 #define CHK( c )    if( (c) != 0 )                          \
-    {                                       \
-        if( verbose != 0 )                  \
-            mbedtls_printf( "failed\n" );  \
-        return( 1 );                        \
-    }
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+#define SELF_TEST_OUPUT_DISCARD_LENGTH 64
 
 /*
  * Checkup routine
  */
 int mbedtls_ctr_drbg_self_test(int verbose) {
     mbedtls_ctr_drbg_context ctx;
-    unsigned char buf[16];
+    unsigned char buf[ sizeof(result_pr) ];
 
     mbedtls_ctr_drbg_init(&ctx);
 
@@ -571,12 +815,16 @@ int mbedtls_ctr_drbg_self_test(int verbose) {
         mbedtls_printf("  CTR_DRBG (PR = TRUE) : ");
 
     test_offset = 0;
-    CHK(mbedtls_ctr_drbg_seed_entropy_len(&ctx, ctr_drbg_self_test_entropy,
-                                          (void *) entropy_source_pr, nonce_pers_pr, 16, 32));
+    mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+    mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+    CHK(mbedtls_ctr_drbg_seed(&ctx,
+                              ctr_drbg_self_test_entropy,
+                              (void *) entropy_source_pr,
+                              pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE));
     mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
-    CHK(mbedtls_ctr_drbg_random(&ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE));
-    CHK(mbedtls_ctr_drbg_random(&ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE));
-    CHK(memcmp(buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE));
+    CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH));
+    CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_pr)));
+    CHK(memcmp(buf, result_pr, sizeof(result_pr)));
 
     mbedtls_ctr_drbg_free(&ctx);
 
@@ -592,12 +840,16 @@ int mbedtls_ctr_drbg_self_test(int verbose) {
     mbedtls_ctr_drbg_init(&ctx);
 
     test_offset = 0;
-    CHK(mbedtls_ctr_drbg_seed_entropy_len(&ctx, ctr_drbg_self_test_entropy,
-                                          (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32));
-    CHK(mbedtls_ctr_drbg_random(&ctx, buf, 16));
+    mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+    mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+    CHK(mbedtls_ctr_drbg_seed(&ctx,
+                              ctr_drbg_self_test_entropy,
+                              (void *) entropy_source_nopr,
+                              pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE));
     CHK(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0));
-    CHK(mbedtls_ctr_drbg_random(&ctx, buf, 16));
-    CHK(memcmp(buf, result_nopr, 16));
+    CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH));
+    CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_nopr)));
+    CHK(memcmp(buf, result_nopr, sizeof(result_nopr)));
 
     mbedtls_ctr_drbg_free(&ctx);
 
diff --git a/common/mbedtls/ctr_drbg.h b/common/mbedtls/ctr_drbg.h
index ddb699140..1c54fd894 100644
--- a/common/mbedtls/ctr_drbg.h
+++ b/common/mbedtls/ctr_drbg.h
@@ -1,44 +1,56 @@
 /**
  * \file ctr_drbg.h
  *
- * \brief    This file contains CTR_DRBG definitions and functions.
+ * \brief    This file contains definitions and functions for the
+ *           CTR_DRBG pseudorandom generator.
  *
  * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
  * in counter mode operation, as defined in <em>NIST SP 800-90A:
  * Recommendation for Random Number Generation Using Deterministic Random
  * Bit Generators</em>.
  *
- * The Mbed TLS implementation of CTR_DRBG uses AES-256 as the underlying
- * block cipher.
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
+ * as the underlying block cipher, with a derivation function.
+ *
+ * The security strength as defined in NIST SP 800-90A is
+ * 128 bits when AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
+ * and 256 bits otherwise, provided that #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
+ * kept at its default value (and not overridden in config.h) and that the
+ * DRBG instance is set up with default parameters.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more
+ * information.
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H
 
-#include "aes.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/aes.h"
 
 #if defined(MBEDTLS_THREADING_C)
-#include "threading.h"
+#include "mbedtls/threading.h"
 #endif
 
 #define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
@@ -47,7 +59,23 @@
 #define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
 
 #define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
-#define MBEDTLS_CTR_DRBG_KEYSIZE            32 /**< The key size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE            16
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 16 bytes (128 bits)
+ * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
+ */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 32 bytes (256 bits)
+ * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
+ */
+#endif
+
 #define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
 #define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
 
@@ -60,21 +88,31 @@
  * \{
  */
 
+/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
+ *
+ * \brief The amount of entropy used per seed by default, in bytes.
+ */
 #if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
 #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+/** This is 48 bytes because the entropy module uses SHA-512
+ * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
+ */
 #define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
-/**< The amount of entropy used per seed by default:
- * <ul><li>48 with SHA-512.</li>
- * <li>32 with SHA-256.</li></ul>
+
+#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+
+/** This is 32 bytes because the entropy module uses SHA-256
+ * (the SHA512 module is disabled or
+ * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
  */
-#else
+#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+/** \warning To achieve a 256-bit security strength, you must pass a nonce
+ *           to mbedtls_ctr_drbg_seed().
+ */
+#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
 #define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
-/**< Amount of entropy used per seed by default:
- * <ul><li>48 with SHA-512.</li>
- * <li>32 with SHA-256.</li></ul>
- */
-#endif
-#endif
+#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
 
 #if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
 #define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000
@@ -93,7 +131,7 @@
 
 #if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
 #define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384
-/**< The maximum size of seed or reseed buffer. */
+/**< The maximum size of seed or reseed buffer in bytes. */
 #endif
 
 /* \} name SECTION: Module settings */
@@ -107,19 +145,48 @@
 extern "C" {
 #endif
 
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+/** The default length of the nonce read from the entropy source.
+ *
+ * This is \c 0 because a single read from the entropy source is sufficient
+ * to include a nonce.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more information.
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN 0
+#else
+/** The default length of the nonce read from the entropy source.
+ *
+ * This is half of the default entropy length because a single read from
+ * the entropy source does not provide enough material to form a nonce.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more information.
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN ( MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1 ) / 2
+#endif
+
 /**
  * \brief          The CTR_DRBG context structure.
  */
 typedef struct mbedtls_ctr_drbg_context {
     unsigned char counter[16];  /*!< The counter (V). */
-    int reseed_counter;         /*!< The reseed counter. */
+    int reseed_counter;         /*!< The reseed counter.
+                                 * This is the number of requests that have
+                                 * been made since the last (re)seeding,
+                                 * minus one.
+                                 * Before the initial seeding, this field
+                                 * contains the amount of entropy in bytes
+                                 * to use as a nonce for the initial seeding,
+                                 * or -1 if no nonce length has been explicitly
+                                 * set (see mbedtls_ctr_drbg_set_nonce_len()).
+                                 */
     int prediction_resistance;  /*!< This determines whether prediction
                                      resistance is enabled, that is
                                      whether to systematically reseed before
                                      each random generation. */
     size_t entropy_len;         /*!< The amount of entropy grabbed on each
-                                     seed or reseed operation. */
-    int reseed_interval;        /*!< The reseed interval. */
+                                     seed or reseed operation, in bytes. */
+    int reseed_interval;        /*!< The reseed interval.
+                                 * This is the maximum number of requests
+                                 * that can be made between reseedings. */
 
     mbedtls_aes_context aes_ctx;        /*!< The AES context. */
 
@@ -132,6 +199,13 @@ typedef struct mbedtls_ctr_drbg_context {
     void *p_entropy;            /*!< The context for the entropy function. */
 
 #if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
+     * This means that the mutex is initialized during the initial seeding
+     * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
+     *
+     * Note that this invariant may change without notice. Do not rely on it
+     * and do not access the mutex directly in application code.
+     */
     mbedtls_threading_mutex_t mutex;
 #endif
 }
@@ -142,6 +216,11 @@ mbedtls_ctr_drbg_context;
  *                      and prepares it for mbedtls_ctr_drbg_seed()
  *                      or mbedtls_ctr_drbg_free().
  *
+ * \note                The reseed interval is
+ *                      #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
+ *                      You can override it by calling
+ *                      mbedtls_ctr_drbg_set_reseed_interval().
+ *
  * \param ctx           The CTR_DRBG context to initialize.
  */
 void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx);
@@ -150,17 +229,97 @@ void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx);
  * \brief               This function seeds and sets up the CTR_DRBG
  *                      entropy source for future reseeds.
  *
- * \note Personalization data can be provided in addition to the more generic
- *       entropy source, to make this instantiation as unique as possible.
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ *
+ * The entropy nonce length is:
+ * - \c 0 if the entropy length is at least 3/2 times the entropy length,
+ *   which guarantees that the security strength is the maximum permitted
+ *   by the key size and entropy length according to NIST SP 800-90A §10.2.1;
+ * - Half the entropy length otherwise.
+ * You can override it by calling mbedtls_ctr_drbg_set_nonce_len().
+ * With the default entropy length, the entropy nonce length is
+ * #MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.
+ *
+ * You can provide a nonce and personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ * See SP 800-90A §8.6.7 for more details about nonces.
+ *
+ * The _seed_material_ value passed to the derivation function in
+ * the CTR_DRBG Instantiate Process described in NIST SP 800-90A §10.2.1.3.2
+ * is the concatenation of the following strings:
+ * - A string obtained by calling \p f_entropy function for the entropy
+ *   length.
+ */
+#if MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN == 0
+/**
+ * - If mbedtls_ctr_drbg_set_nonce_len() has been called, a string
+ *   obtained by calling \p f_entropy function for the specified length.
+ */
+#else
+/**
+ * - A string obtained by calling \p f_entropy function for the entropy nonce
+ *   length. If the entropy nonce length is \c 0, this function does not
+ *   make a second call to \p f_entropy.
+ */
+#endif
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * - The \p custom string.
+ *
+ * \note                To achieve the nominal security strength permitted
+ *                      by CTR_DRBG, the entropy length must be:
+ *                      - at least 16 bytes for a 128-bit strength
+ *                      (maximum achievable strength when using AES-128);
+ *                      - at least 32 bytes for a 256-bit strength
+ *                      (maximum achievable strength when using AES-256).
+ *
+ *                      In addition, if you do not pass a nonce in \p custom,
+ *                      the sum of the entropy length
+ *                      and the entropy nonce length must be:
+ *                      - at least 24 bytes for a 128-bit strength
+ *                      (maximum achievable strength when using AES-128);
+ *                      - at least 48 bytes for a 256-bit strength
+ *                      (maximum achievable strength when using AES-256).
  *
  * \param ctx           The CTR_DRBG context to seed.
+ *                      It must have been initialized with
+ *                      mbedtls_ctr_drbg_init().
+ *                      After a successful call to mbedtls_ctr_drbg_seed(),
+ *                      you may not call mbedtls_ctr_drbg_seed() again on
+ *                      the same context unless you call
+ *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
+ *                      again first.
+ *                      After a failed call to mbedtls_ctr_drbg_seed(),
+ *                      you must call mbedtls_ctr_drbg_free().
  * \param f_entropy     The entropy callback, taking as arguments the
  *                      \p p_entropy context, the buffer to fill, and the
-                        length of the buffer.
- * \param p_entropy     The entropy context.
- * \param custom        Personalization data, that is device-specific
-                        identifiers. Can be NULL.
- * \param len           The length of the personalization data.
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a buffer size
+ *                      less than or equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
@@ -172,7 +331,8 @@ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
                           size_t len);
 
 /**
- * \brief               This function clears CTR_CRBG context data.
+ * \brief               This function resets CTR_DRBG context to the state immediately
+ *                      after initial call of mbedtls_ctr_drbg_init().
  *
  * \param ctx           The CTR_DRBG context to clear.
  */
@@ -183,7 +343,8 @@ void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx);
  *                      The default value is off.
  *
  * \note                If enabled, entropy is gathered at the beginning of
- *                      every call to mbedtls_ctr_drbg_random_with_add().
+ *                      every call to mbedtls_ctr_drbg_random_with_add()
+ *                      or mbedtls_ctr_drbg_random().
  *                      Only use this if your entropy source has sufficient
  *                      throughput.
  *
@@ -195,18 +356,61 @@ void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
 
 /**
  * \brief               This function sets the amount of entropy grabbed on each
- *                      seed or reseed. The default value is
- *                      #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *                      seed or reseed.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \note                The security strength of CTR_DRBG is bounded by the
+ *                      entropy length. Thus:
+ *                      - When using AES-256
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
+ *                        which is the default),
+ *                        \p len must be at least 32 (in bytes)
+ *                        to achieve a 256-bit strength.
+ *                      - When using AES-128
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
+ *                        \p len must be at least 16 (in bytes)
+ *                        to achieve a 128-bit strength.
  *
  * \param ctx           The CTR_DRBG context.
- * \param len           The amount of entropy to grab.
+ * \param len           The amount of entropy to grab, in bytes.
+ *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      and at most the maximum length accepted by the
+ *                      entropy function that is set in the context.
  */
 void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
                                       size_t len);
 
+/**
+ * \brief               This function sets the amount of entropy grabbed
+ *                      as a nonce for the initial seeding.
+ *
+ * Call this function before calling mbedtls_ctr_drbg_seed() to read
+ * a nonce from the entropy source during the initial seeding.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param len           The amount of entropy to grab for the nonce, in bytes.
+ *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      and at most the maximum length accepted by the
+ *                      entropy function that is set in the context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is
+ *                      more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if the initial seeding has already taken place.
+ */
+int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
+                                   size_t len);
+
 /**
  * \brief               This function sets the reseed interval.
- *                      The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
+ *
+ * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
  *
  * \param ctx           The CTR_DRBG context.
  * \param interval      The reseed interval.
@@ -218,9 +422,18 @@ void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
  * \brief               This function reseeds the CTR_DRBG context, that is
  *                      extracts data from the entropy source.
  *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
  * \param ctx           The CTR_DRBG context.
- * \param additional    Additional data to add to the state. Can be NULL.
+ * \param additional    Additional data to add to the state. Can be \c NULL.
  * \param len           The length of the additional data.
+ *                      This must be less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
@@ -231,31 +444,53 @@ int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
 /**
  * \brief              This function updates the state of the CTR_DRBG context.
  *
- * \note               If \p add_len is greater than
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
- *                     The remaining Bytes are silently discarded.
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
  *
  * \param ctx          The CTR_DRBG context.
- * \param additional   The data to update the state with.
- * \param add_len      Length of \p additional data.
+ * \param additional   The data to update the state with. This must not be
+ *                     \c NULL unless \p add_len is \c 0.
+ * \param add_len      Length of \p additional in bytes. This must be at
+ *                     most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
  *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                     \p add_len is more than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return             An error from the underlying AES cipher on failure.
  */
-void mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
-                             const unsigned char *additional, size_t add_len);
+int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
+                                const unsigned char *additional,
+                                size_t add_len);
 
 /**
  * \brief   This function updates a CTR_DRBG instance with additional
  *          data and uses it to generate random data.
  *
- * \note    The function automatically reseeds if the reseed counter is exceeded.
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
  *
  * \param p_rng         The CTR_DRBG context. This must be a pointer to a
  *                      #mbedtls_ctr_drbg_context structure.
  * \param output        The buffer to fill.
- * \param output_len    The length of the buffer.
- * \param additional    Additional data to update. Can be NULL.
- * \param add_len       The length of the additional data.
+ * \param output_len    The length of the buffer in bytes.
+ * \param additional    Additional data to update. Can be \c NULL, in which
+ *                      case the additional data is empty regardless of
+ *                      the value of \p add_len.
+ * \param add_len       The length of the additional data
+ *                      if \p additional is not \c NULL.
+ *                      This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
+ *                      and less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
  *
  * \return    \c 0 on success.
  * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
@@ -268,12 +503,22 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
 /**
  * \brief   This function uses CTR_DRBG to generate random data.
  *
- * \note    The function automatically reseeds if the reseed counter is exceeded.
- *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
  * \param p_rng         The CTR_DRBG context. This must be a pointer to a
  *                      #mbedtls_ctr_drbg_context structure.
  * \param output        The buffer to fill.
- * \param output_len    The length of the buffer.
+ * \param output_len    The length of the buffer in bytes.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
@@ -282,6 +527,35 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
 int mbedtls_ctr_drbg_random(void *p_rng,
                             unsigned char *output, size_t output_len);
 
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
+ *                     in 2.16.0.
+ *
+ * \note               If \p add_len is greater than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ *                     The remaining Bytes are silently discarded.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with.
+ * \param add_len      Length of \p additional data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
+    mbedtls_ctr_drbg_context *ctx,
+    const unsigned char *additional,
+    size_t add_len);
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.
@@ -291,7 +565,7 @@ int mbedtls_ctr_drbg_random(void *p_rng,
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
- * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
  *                      failure.
  */
 int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
@@ -305,12 +579,16 @@ int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
- * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
- *                      #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG on failure.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
  */
 int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
 #endif /* MBEDTLS_FS_IO */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief               The CTR_DRBG checkup routine.
  *
@@ -319,10 +597,7 @@ int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char
  */
 int mbedtls_ctr_drbg_self_test(int verbose);
 
-/* Internal functions (do not call directly) */
-int mbedtls_ctr_drbg_seed_entropy_len(mbedtls_ctr_drbg_context *,
-                                      int (*)(void *, unsigned char *, size_t), void *,
-                                      const unsigned char *, size_t, size_t);
+#endif /* MBEDTLS_SELF_TEST */
 
 #ifdef __cplusplus
 }
diff --git a/common/mbedtls/debug.c b/common/mbedtls/debug.c
new file mode 100644
index 000000000..0af8c085c
--- /dev/null
+++ b/common/mbedtls/debug.c
@@ -0,0 +1,400 @@
+/*
+ *  Debugging routines
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc      calloc
+#define mbedtls_free        free
+#define mbedtls_time_t      time_t
+#define mbedtls_snprintf    snprintf
+#define mbedtls_vsnprintf   vsnprintf
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define DEBUG_BUF_SIZE      512
+
+static int debug_threshold = 0;
+
+void mbedtls_debug_set_threshold(int threshold) {
+    debug_threshold = threshold;
+}
+
+/*
+ * All calls to f_dbg must be made via this function
+ */
+static inline void debug_send_line(const mbedtls_ssl_context *ssl, int level,
+                                   const char *file, int line,
+                                   const char *str) {
+    /*
+     * If in a threaded environment, we need a thread identifier.
+     * Since there is no portable way to get one, use the address of the ssl
+     * context instead, as it shouldn't be shared between threads.
+     */
+#if defined(MBEDTLS_THREADING_C)
+    char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
+    mbedtls_snprintf(idstr, sizeof(idstr), "%p: %s", (void *)ssl, str);
+    ssl->conf->f_dbg(ssl->conf->p_dbg, level, file, line, idstr);
+#else
+    ssl->conf->f_dbg(ssl->conf->p_dbg, level, file, line, str);
+#endif
+}
+
+MBEDTLS_PRINTF_ATTRIBUTE(5, 6)
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *format, ...) {
+    va_list argp;
+    char str[DEBUG_BUF_SIZE];
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            level > debug_threshold) {
+        return;
+    }
+
+    va_start(argp, format);
+    ret = mbedtls_vsnprintf(str, DEBUG_BUF_SIZE, format, argp);
+    va_end(argp);
+
+    if (ret >= 0 && ret < DEBUG_BUF_SIZE - 1) {
+        str[ret]     = '\n';
+        str[ret + 1] = '\0';
+    }
+
+    debug_send_line(ssl, level, file, line, str);
+}
+
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, int ret) {
+    char str[DEBUG_BUF_SIZE];
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            level > debug_threshold) {
+        return;
+    }
+
+    /*
+     * With non-blocking I/O and examples that just retry immediately,
+     * the logs would be quickly flooded with WANT_READ, so ignore that.
+     * Don't ignore WANT_WRITE however, since is is usually rare.
+     */
+    if (ret == MBEDTLS_ERR_SSL_WANT_READ)
+        return;
+
+    mbedtls_snprintf(str, sizeof(str), "%s() returned %d (-0x%04x)\n",
+                     text, ret, (unsigned int) - ret);
+
+    debug_send_line(ssl, level, file, line, str);
+}
+
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line, const char *text,
+                             const unsigned char *buf, size_t len) {
+    char str[DEBUG_BUF_SIZE];
+    char txt[17];
+    size_t i, idx = 0;
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            level > debug_threshold) {
+        return;
+    }
+
+    mbedtls_snprintf(str + idx, sizeof(str) - idx, "dumping '%s' (%u bytes)\n",
+                     text, (unsigned int) len);
+
+    debug_send_line(ssl, level, file, line, str);
+
+    idx = 0;
+    memset(txt, 0, sizeof(txt));
+    for (i = 0; i < len; i++) {
+        if (i >= 4096)
+            break;
+
+        if (i % 16 == 0) {
+            if (i > 0) {
+                mbedtls_snprintf(str + idx, sizeof(str) - idx, "  %s\n", txt);
+                debug_send_line(ssl, level, file, line, str);
+
+                idx = 0;
+                memset(txt, 0, sizeof(txt));
+            }
+
+            idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, "%04x: ",
+                                    (unsigned int) i);
+
+        }
+
+        idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x",
+                                (unsigned int) buf[i]);
+        txt[i % 16] = (buf[i] > 31 && buf[i] < 127) ? buf[i] : '.' ;
+    }
+
+    if (len > 0) {
+        for (/* i = i */; i % 16 != 0; i++)
+            idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, "   ");
+
+        mbedtls_snprintf(str + idx, sizeof(str) - idx, "  %s\n", txt);
+        debug_send_line(ssl, level, file, line, str);
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_ecp_point *X) {
+    char str[DEBUG_BUF_SIZE];
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            level > debug_threshold) {
+        return;
+    }
+
+    mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
+    mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->X);
+
+    mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
+    mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->Y);
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_mpi *X) {
+    char str[DEBUG_BUF_SIZE];
+    int j, k, zeros = 1;
+    size_t i, n, idx = 0;
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            NULL == X                ||
+            level > debug_threshold) {
+        return;
+    }
+
+    for (n = X->n - 1; n > 0; n--)
+        if (X->p[n] != 0)
+            break;
+
+    for (j = (sizeof(mbedtls_mpi_uint) << 3) - 1; j >= 0; j--)
+        if (((X->p[n] >> j) & 1) != 0)
+            break;
+
+    mbedtls_snprintf(str + idx, sizeof(str) - idx, "value of '%s' (%d bits) is:\n",
+                     text, (int)((n * (sizeof(mbedtls_mpi_uint) << 3)) + j + 1));
+
+    debug_send_line(ssl, level, file, line, str);
+
+    idx = 0;
+    for (i = n + 1, j = 0; i > 0; i--) {
+        if (zeros && X->p[i - 1] == 0)
+            continue;
+
+        for (k = sizeof(mbedtls_mpi_uint) - 1; k >= 0; k--) {
+            if (zeros && ((X->p[i - 1] >> (k << 3)) & 0xFF) == 0)
+                continue;
+            else
+                zeros = 0;
+
+            if (j % 16 == 0) {
+                if (j > 0) {
+                    mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+                    debug_send_line(ssl, level, file, line, str);
+                    idx = 0;
+                }
+            }
+
+            idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x", (unsigned int)
+                                    (X->p[i - 1] >> (k << 3)) & 0xFF);
+
+            j++;
+        }
+
+    }
+
+    if (zeros == 1)
+        idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " 00");
+
+    mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+    debug_send_line(ssl, level, file, line, str);
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void debug_print_pk(const mbedtls_ssl_context *ssl, int level,
+                           const char *file, int line,
+                           const char *text, const mbedtls_pk_context *pk) {
+    size_t i;
+    mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
+    char name[16];
+
+    memset(items, 0, sizeof(items));
+
+    if (mbedtls_pk_debug(pk, items) != 0) {
+        debug_send_line(ssl, level, file, line,
+                        "invalid PK context\n");
+        return;
+    }
+
+    for (i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++) {
+        if (items[i].type == MBEDTLS_PK_DEBUG_NONE)
+            return;
+
+        mbedtls_snprintf(name, sizeof(name), "%s%s", text, items[i].name);
+        name[sizeof(name) - 1] = '\0';
+
+        if (items[i].type == MBEDTLS_PK_DEBUG_MPI)
+            mbedtls_debug_print_mpi(ssl, level, file, line, name, items[i].value);
+        else
+#if defined(MBEDTLS_ECP_C)
+            if (items[i].type == MBEDTLS_PK_DEBUG_ECP)
+                mbedtls_debug_print_ecp(ssl, level, file, line, name, items[i].value);
+            else
+#endif
+                debug_send_line(ssl, level, file, line,
+                                "should not happen\n");
+    }
+}
+
+static void debug_print_line_by_line(const mbedtls_ssl_context *ssl, int level,
+                                     const char *file, int line, const char *text) {
+    char str[DEBUG_BUF_SIZE];
+    const char *start, *cur;
+
+    start = text;
+    for (cur = text; *cur != '\0'; cur++) {
+        if (*cur == '\n') {
+            size_t len = cur - start + 1;
+            if (len > DEBUG_BUF_SIZE - 1)
+                len = DEBUG_BUF_SIZE - 1;
+
+            memcpy(str, start, len);
+            str[len] = '\0';
+
+            debug_send_line(ssl, level, file, line, str);
+
+            start = cur + 1;
+        }
+    }
+}
+
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_x509_crt *crt) {
+    char str[DEBUG_BUF_SIZE];
+    int i = 0;
+
+    if (NULL == ssl              ||
+            NULL == ssl->conf        ||
+            NULL == ssl->conf->f_dbg ||
+            NULL == crt              ||
+            level > debug_threshold) {
+        return;
+    }
+
+    while (crt != NULL) {
+        char buf[1024];
+
+        mbedtls_snprintf(str, sizeof(str), "%s #%d:\n", text, ++i);
+        debug_send_line(ssl, level, file, line, str);
+
+        mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
+        debug_print_line_by_line(ssl, level, file, line, buf);
+
+        debug_print_pk(ssl, level, file, line, "crt->", &crt->pk);
+
+        crt = crt->next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_ECDH_C)
+static void mbedtls_debug_printf_ecdh_internal(const mbedtls_ssl_context *ssl,
+                                               int level, const char *file,
+                                               int line,
+                                               const mbedtls_ecdh_context *ecdh,
+                                               mbedtls_debug_ecdh_attr attr) {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    const mbedtls_ecdh_context *ctx = ecdh;
+#else
+    const mbedtls_ecdh_context_mbed *ctx = &ecdh->ctx.mbed_ecdh;
+#endif
+
+    switch (attr) {
+        case MBEDTLS_DEBUG_ECDH_Q:
+            mbedtls_debug_print_ecp(ssl, level, file, line, "ECDH: Q",
+                                    &ctx->Q);
+            break;
+        case MBEDTLS_DEBUG_ECDH_QP:
+            mbedtls_debug_print_ecp(ssl, level, file, line, "ECDH: Qp",
+                                    &ctx->Qp);
+            break;
+        case MBEDTLS_DEBUG_ECDH_Z:
+            mbedtls_debug_print_mpi(ssl, level, file, line, "ECDH: z",
+                                    &ctx->z);
+            break;
+        default:
+            break;
+    }
+}
+
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+                               const char *file, int line,
+                               const mbedtls_ecdh_context *ecdh,
+                               mbedtls_debug_ecdh_attr attr) {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_debug_printf_ecdh_internal(ssl, level, file, line, ecdh, attr);
+#else
+    switch (ecdh->var) {
+        default:
+            mbedtls_debug_printf_ecdh_internal(ssl, level, file, line, ecdh,
+                                               attr);
+    }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_C */
diff --git a/common/mbedtls/debug.h b/common/mbedtls/debug.h
new file mode 100644
index 000000000..d48057fef
--- /dev/null
+++ b/common/mbedtls/debug.h
@@ -0,0 +1,305 @@
+/**
+ * \file debug.h
+ *
+ * \brief Functions for controlling and providing debug output from the library.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_DEBUG_H
+#define MBEDTLS_DEBUG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#define MBEDTLS_DEBUG_STRIP_PARENS( ... )   __VA_ARGS__
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )                    \
+    mbedtls_debug_print_msg( ssl, level, __FILE__, __LINE__,    \
+                             MBEDTLS_DEBUG_STRIP_PARENS args )
+
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )                \
+    mbedtls_debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret )
+
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )           \
+    mbedtls_debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len )
+
+#if defined(MBEDTLS_BIGNUM_C)
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )                  \
+    mbedtls_debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )                  \
+    mbedtls_debug_print_ecp( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )                \
+    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
+    mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
+#endif
+
+#else /* MBEDTLS_DEBUG_C */
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )  do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )     do { } while( 0 )
+
+#endif /* MBEDTLS_DEBUG_C */
+
+/**
+ * \def MBEDTLS_PRINTF_ATTRIBUTE
+ *
+ * Mark a function as having printf attributes, and thus enable checking
+ * via -wFormat and other flags. This does nothing on builds with compilers
+ * that do not support the format attribute
+ *
+ * Module:  library/debug.c
+ * Caller:
+ *
+ * This module provides debugging functions.
+ */
+#if defined(__has_attribute)
+#if __has_attribute(format)
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)    \
+    __attribute__((format (printf, string_index, first_to_check)))
+#else /* __has_attribute(format) */
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)
+#endif /* __has_attribute(format) */
+#else /* defined(__has_attribute) */
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)
+#endif
+
+/**
+ * \def MBEDTLS_PRINTF_SIZET
+ *
+ * MBEDTLS_PRINTF_xxx: Due to issues with older window compilers
+ * and MinGW we need to define the printf specifier for size_t
+ * and long long per platform.
+ *
+ * Module:  library/debug.c
+ * Caller:
+ *
+ * This module provides debugging functions.
+ */
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1800)
+#include <inttypes.h>
+#define MBEDTLS_PRINTF_SIZET     PRIuPTR
+#define MBEDTLS_PRINTF_LONGLONG  "I64d"
+#else /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+#define MBEDTLS_PRINTF_SIZET     "zu"
+#define MBEDTLS_PRINTF_LONGLONG  "lld"
+#endif /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Set the threshold error level to handle globally all debug output.
+ *          Debug messages that have a level over the threshold value are
+ *          discarded.
+ *          (Default value: 0 = No debug )
+ *
+ * \param threshold     theshold level of messages to filter on. Messages at a
+ *                      higher level will be discarded.
+ *                          - Debug levels
+ *                              - 0 No debug
+ *                              - 1 Error
+ *                              - 2 State change
+ *                              - 3 Informational
+ *                              - 4 Verbose
+ */
+void mbedtls_debug_set_threshold(int threshold);
+
+/**
+ * \brief    Print a message to the debug output. This function is always used
+ *          through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ *          context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the message has occurred in
+ * \param line      line number the message has occurred at
+ * \param format    format specifier, in printf format
+ * \param ...       variables used by the format specifier
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
+
+/**
+ * \brief   Print the return value of a function to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      the name of the function that returned the error
+ * \param ret       the return code value
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, int ret);
+
+/**
+ * \brief   Output a buffer of size len bytes to the debug output. This function
+ *          is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the buffer being dumped. Normally the
+ *                  variable or buffer name
+ * \param buf       the buffer to be outputted
+ * \param len       length of the buffer
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line, const char *text,
+                             const unsigned char *buf, size_t len);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief   Print a MPI variable to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the MPI being output. Normally the
+ *                  variable name
+ * \param X         the MPI variable
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_mpi *X);
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief   Print an ECP point to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the ECP point being output. Normally the
+ *                  variable name
+ * \param X         the ECP point
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_ecp_point *X);
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief   Print a X.509 certificate structure to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the certificate being output
+ * \param crt       X.509 certificate structure
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+                             const char *file, int line,
+                             const char *text, const mbedtls_x509_crt *crt);
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+typedef enum {
+    MBEDTLS_DEBUG_ECDH_Q,
+    MBEDTLS_DEBUG_ECDH_QP,
+    MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief   Print a field of the ECDH structure in the SSL context to the debug
+ *          output. This function is always used through the
+ *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ *          and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param ecdh      the ECDH context
+ * \param attr      the identifier of the attribute being output
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+                               const char *file, int line,
+                               const mbedtls_ecdh_context *ecdh,
+                               mbedtls_debug_ecdh_attr attr);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* debug.h */
diff --git a/common/mbedtls/des.c b/common/mbedtls/des.c
index d9ff262c0..4b0e395e5 100644
--- a/common/mbedtls/des.c
+++ b/common/mbedtls/des.c
@@ -1,24 +1,20 @@
 /*
  *  FIPS-46-3 compliant Triple-DES implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  DES, on which TDES is based, was originally designed by Horst Feistel
@@ -27,11 +23,7 @@
  *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_DES_C)
 
@@ -56,22 +48,22 @@
  */
 #ifndef GET_UINT32_BE
 #define GET_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-              | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 3]       );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
 #endif
 
 #ifndef PUT_UINT32_BE
 #define PUT_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
 #endif
 
 /*
@@ -249,50 +241,57 @@ static const uint32_t RHs[16] = {
 /*
  * Initial Permutation macro
  */
-#define DES_IP(X,Y)                                             \
-    {                                                               \
-        T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-        T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-        T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-        T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-        Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF;                    \
-        T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T;                   \
-        X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF;                    \
-    }
+#define DES_IP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
+        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
+    } while( 0 )
 
 /*
  * Final Permutation macro
  */
-#define DES_FP(X,Y)                                             \
-    {                                                               \
-        X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF;                    \
-        T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T;                   \
-        Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF;                    \
-        T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-        T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-        T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-        T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-    }
+#define DES_FP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
+        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+    } while( 0 )
 
 /*
  * DES round macro
  */
-#define DES_ROUND(X,Y)                          \
+#define DES_ROUND(X,Y)                              \
+    do                                              \
     {                                               \
-        T = *SK++ ^ X;                              \
-        Y ^= SB8[ (T      ) & 0x3F ] ^              \
-             SB6[ (T >>  8) & 0x3F ] ^              \
-             SB4[ (T >> 16) & 0x3F ] ^              \
-             SB2[ (T >> 24) & 0x3F ];               \
-        \
-        T = *SK++ ^ ((X << 28) | (X >> 4));         \
-        Y ^= SB7[ (T      ) & 0x3F ] ^              \
-             SB5[ (T >>  8) & 0x3F ] ^              \
-             SB3[ (T >> 16) & 0x3F ] ^              \
-             SB1[ (T >> 24) & 0x3F ];               \
-    }
+        T = *SK++ ^ (X);                            \
+        (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
+               SB6[ (T >>  8) & 0x3F ] ^            \
+               SB4[ (T >> 16) & 0x3F ] ^            \
+               SB2[ (T >> 24) & 0x3F ];             \
+                                                    \
+        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
+        (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
+               SB5[ (T >>  8) & 0x3F ] ^            \
+               SB3[ (T >> 16) & 0x3F ] ^            \
+               SB1[ (T >> 24) & 0x3F ];             \
+    } while( 0 )
 
-#define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
+#define SWAP(a,b)                                       \
+    do                                                  \
+    {                                                   \
+        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
+    } while( 0 )
 
 void mbedtls_des_init(mbedtls_des_context *ctx) {
     memset(ctx, 0, sizeof(mbedtls_des_context));
@@ -779,15 +778,15 @@ static const unsigned char des3_test_buf[8] = {
 };
 
 static const unsigned char des3_test_ecb_dec[3][8] = {
-    { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
-    { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
-    { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
+    { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
+    { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
+    { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
 };
 
 static const unsigned char des3_test_ecb_enc[3][8] = {
-    { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
-    { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
-    { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
+    { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
+    { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
+    { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
 };
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
@@ -796,15 +795,15 @@ static const unsigned char des3_test_iv[8] = {
 };
 
 static const unsigned char des3_test_cbc_dec[3][8] = {
-    { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
-    { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
-    { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
+    { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
+    { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
+    { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
 };
 
 static const unsigned char des3_test_cbc_enc[3][8] = {
-    { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
-    { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
-    { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
+    { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
+    { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
+    { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
 };
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
@@ -866,7 +865,7 @@ int mbedtls_des_self_test(int verbose) {
                 return (1);
         }
 
-        for (j = 0; j < 10000; j++) {
+        for (j = 0; j < 100; j++) {
             if (u == 0)
                 mbedtls_des_crypt_ecb(&ctx, buf, buf);
             else
@@ -938,14 +937,14 @@ int mbedtls_des_self_test(int verbose) {
         }
 
         if (v == MBEDTLS_DES_DECRYPT) {
-            for (j = 0; j < 10000; j++) {
+            for (j = 0; j < 100; j++) {
                 if (u == 0)
                     mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
                 else
                     mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
             }
         } else {
-            for (j = 0; j < 10000; j++) {
+            for (j = 0; j < 100; j++) {
                 unsigned char tmp[8];
 
                 if (u == 0)
diff --git a/common/mbedtls/des.h b/common/mbedtls/des.h
index e326acd49..21876ba8c 100644
--- a/common/mbedtls/des.h
+++ b/common/mbedtls/des.h
@@ -8,31 +8,27 @@
  *            instead.
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  *
  */
 #ifndef MBEDTLS_DES_H
 #define MBEDTLS_DES_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -44,6 +40,8 @@
 #define MBEDTLS_DES_DECRYPT     0
 
 #define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
 
 #define MBEDTLS_DES_KEY_SIZE    8
@@ -336,6 +334,8 @@ int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
 void mbedtls_des_setkey(uint32_t SK[32],
                         const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -343,6 +343,8 @@ void mbedtls_des_setkey(uint32_t SK[32],
  */
 int mbedtls_des_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/dhm.c b/common/mbedtls/dhm.c
new file mode 100644
index 000000000..f823f455b
--- /dev/null
+++ b/common/mbedtls/dhm.c
@@ -0,0 +1,698 @@
+/*
+ *  Diffie-Hellman-Merkle key exchange
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the Diffie-Hellman-Merkle algorithm:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ *      Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+#define DHM_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA )
+#define DHM_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum(mbedtls_mpi *X,
+                           unsigned char **p,
+                           const unsigned char *end) {
+    int ret, n;
+
+    if (end - *p < 2)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    n = ((*p)[0] << 8) | (*p)[1];
+    (*p) += 2;
+
+    if ((int)(end - *p) < n)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0)
+        return (MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret);
+
+    (*p) += n;
+
+    return (0);
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ *              public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range(const mbedtls_mpi *param, const mbedtls_mpi *P) {
+    mbedtls_mpi L, U;
+    int ret = 0;
+
+    mbedtls_mpi_init(&L);
+    mbedtls_mpi_init(&U);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&L, 2));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
+
+    if (mbedtls_mpi_cmp_mpi(param, &L) < 0 ||
+            mbedtls_mpi_cmp_mpi(param, &U) > 0) {
+        ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+    }
+
+cleanup:
+    mbedtls_mpi_free(&L);
+    mbedtls_mpi_free(&U);
+    return (ret);
+}
+
+void mbedtls_dhm_init(mbedtls_dhm_context *ctx) {
+    DHM_VALIDATE(ctx != NULL);
+    memset(ctx, 0, sizeof(mbedtls_dhm_context));
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
+                            unsigned char **p,
+                            const unsigned char *end) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(p != NULL && *p != NULL);
+    DHM_VALIDATE_RET(end != NULL);
+
+    if ((ret = dhm_read_bignum(&ctx->P,  p, end)) != 0 ||
+            (ret = dhm_read_bignum(&ctx->G,  p, end)) != 0 ||
+            (ret = dhm_read_bignum(&ctx->GY, p, end)) != 0)
+        return (ret);
+
+    if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0)
+        return (ret);
+
+    ctx->len = mbedtls_mpi_size(&ctx->P);
+
+    return (0);
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
+                            unsigned char *output, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    int ret, count = 0;
+    size_t n1, n2, n3;
+    unsigned char *p;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(output != NULL);
+    DHM_VALIDATE_RET(olen != NULL);
+    DHM_VALIDATE_RET(f_rng != NULL);
+
+    if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    /*
+     * Generate X as large as possible ( < P )
+     */
+    do {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
+
+        while (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->P) >= 0)
+            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&ctx->X, 1));
+
+        if (count++ > 10)
+            return (MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED);
+    } while (dhm_check_range(&ctx->X, &ctx->P) != 0);
+
+    /*
+     * Calculate GX = G^X mod P
+     */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
+                                        &ctx->P, &ctx->RP));
+
+    if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0)
+        return (ret);
+
+    /*
+     * export P, G, GX
+     */
+#define DHM_MPI_EXPORT( X, n )                                          \
+    do {                                                                \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ),               \
+                                                   p + 2,               \
+                                                   ( n ) ) );           \
+        *p++ = (unsigned char)( ( n ) >> 8 );                           \
+        *p++ = (unsigned char)( ( n )      );                           \
+        p += ( n );                                                     \
+    } while( 0 )
+
+    n1 = mbedtls_mpi_size(&ctx->P);
+    n2 = mbedtls_mpi_size(&ctx->G);
+    n3 = mbedtls_mpi_size(&ctx->GX);
+
+    p = output;
+    DHM_MPI_EXPORT(&ctx->P, n1);
+    DHM_MPI_EXPORT(&ctx->G, n2);
+    DHM_MPI_EXPORT(&ctx->GX, n3);
+
+    *olen = p - output;
+
+    ctx->len = n1;
+
+cleanup:
+
+    if (ret != 0)
+        return (MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret);
+
+    return (0);
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
+                          const mbedtls_mpi *P,
+                          const mbedtls_mpi *G) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(P != NULL);
+    DHM_VALIDATE_RET(G != NULL);
+
+    if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 ||
+            (ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
+        return (MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret);
+    }
+
+    ctx->len = mbedtls_mpi_size(&ctx->P);
+    return (0);
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
+                            const unsigned char *input, size_t ilen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(input != NULL);
+
+    if (ilen < 1 || ilen > ctx->len)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0)
+        return (MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret);
+
+    return (0);
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
+                            unsigned char *output, size_t olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    int ret, count = 0;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(output != NULL);
+    DHM_VALIDATE_RET(f_rng != NULL);
+
+    if (olen < 1 || olen > ctx->len)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    /*
+     * generate X and calculate GX = G^X mod P
+     */
+    do {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
+
+        while (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->P) >= 0)
+            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&ctx->X, 1));
+
+        if (count++ > 10)
+            return (MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED);
+    } while (dhm_check_range(&ctx->X, &ctx->P) != 0);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
+                                        &ctx->P, &ctx->RP));
+
+    if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0)
+        return (ret);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
+
+cleanup:
+
+    if (ret != 0)
+        return (MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret);
+
+    return (0);
+}
+
+/*
+ * Pick a random R in the range [2, M) for blinding purposes
+ */
+static int dhm_random_below(mbedtls_mpi *R, const mbedtls_mpi *M,
+                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
+    int ret, count;
+
+    count = 0;
+    do {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(R, mbedtls_mpi_size(M), f_rng, p_rng));
+
+        while (mbedtls_mpi_cmp_mpi(R, M) >= 0)
+            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(R, 1));
+
+        if (count++ > 10)
+            return (MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
+    } while (mbedtls_mpi_cmp_int(R, 1) <= 0);
+
+cleanup:
+    return (ret);
+}
+
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding(mbedtls_dhm_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
+    int ret;
+    mbedtls_mpi R;
+
+    mbedtls_mpi_init(&R);
+
+    /*
+     * Don't use any blinding the first time a particular X is used,
+     * but remember it to use blinding next time.
+     */
+    if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
+
+        return (0);
+    }
+
+    /*
+     * Ok, we need blinding. Can we re-use existing values?
+     * If yes, just update them by squaring them.
+     */
+    if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
+
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+        return (0);
+    }
+
+    /*
+     * We need to generate blinding values from scratch
+     */
+
+    /* Vi = random( 2, P-1 ) */
+    MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
+
+    /* Vf = Vi^-X mod P
+     * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+     * then elevate to the Xth power. */
+    MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
+
+cleanup:
+    mbedtls_mpi_free(&R);
+
+    return (ret);
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
+                            unsigned char *output, size_t output_size, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi GYb;
+    DHM_VALIDATE_RET(ctx != NULL);
+    DHM_VALIDATE_RET(output != NULL);
+    DHM_VALIDATE_RET(olen != NULL);
+
+    if (output_size < ctx->len)
+        return (MBEDTLS_ERR_DHM_BAD_INPUT_DATA);
+
+    if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0)
+        return (ret);
+
+    mbedtls_mpi_init(&GYb);
+
+    /* Blind peer's value */
+    if (f_rng != NULL) {
+        MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
+    } else
+        MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&GYb, &ctx->GY));
+
+    /* Do modular exponentiation */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
+                                        &ctx->P, &ctx->RP));
+
+    /* Unblind secret value */
+    if (f_rng != NULL) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
+    }
+
+    *olen = mbedtls_mpi_size(&ctx->K);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
+
+cleanup:
+    mbedtls_mpi_free(&GYb);
+
+    if (ret != 0)
+        return (MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret);
+
+    return (0);
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free(mbedtls_dhm_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_mpi_free(&ctx->pX);
+    mbedtls_mpi_free(&ctx->Vf);
+    mbedtls_mpi_free(&ctx->Vi);
+    mbedtls_mpi_free(&ctx->RP);
+    mbedtls_mpi_free(&ctx->K);
+    mbedtls_mpi_free(&ctx->GY);
+    mbedtls_mpi_free(&ctx->GX);
+    mbedtls_mpi_free(&ctx->X);
+    mbedtls_mpi_free(&ctx->G);
+    mbedtls_mpi_free(&ctx->P);
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                          size_t dhminlen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+    unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    DHM_VALIDATE_RET(dhm != NULL);
+    DHM_VALIDATE_RET(dhmin != NULL);
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_init(&pem);
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if (dhminlen == 0 || dhmin[dhminlen - 1] != '\0')
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer(&pem,
+                                      "-----BEGIN DH PARAMETERS-----",
+                                      "-----END DH PARAMETERS-----",
+                                      dhmin, NULL, 0, &dhminlen);
+
+    if (ret == 0) {
+        /*
+         * Was PEM encoded
+         */
+        dhminlen = pem.buflen;
+    } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT)
+        goto exit;
+
+    p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
+#else
+    p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+    end = p + dhminlen;
+
+    /*
+     *  DHParams ::= SEQUENCE {
+     *      prime              INTEGER,  -- P
+     *      generator          INTEGER,  -- g
+     *      privateValueLength INTEGER OPTIONAL
+     *  }
+     */
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    end = p + len;
+
+    if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 ||
+            (ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    if (p != end) {
+        /* This might be the optional privateValueLength.
+         * If so, we can cleanly discard it */
+        mbedtls_mpi rec;
+        mbedtls_mpi_init(&rec);
+        ret = mbedtls_asn1_get_mpi(&p, end, &rec);
+        mbedtls_mpi_free(&rec);
+        if (ret != 0) {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+            goto exit;
+        }
+        if (p != end) {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT +
+                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+            goto exit;
+        }
+    }
+
+    ret = 0;
+
+    dhm->len = mbedtls_mpi_size(&dhm->P);
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_free(&pem);
+#endif
+    if (ret != 0)
+        mbedtls_dhm_free(dhm);
+
+    return (ret);
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file(const char *path, unsigned char **buf, size_t *n) {
+    FILE *f;
+    long size;
+
+    if ((f = fopen(path, "rb")) == NULL)
+        return (MBEDTLS_ERR_DHM_FILE_IO_ERROR);
+
+    fseek(f, 0, SEEK_END);
+    if ((size = ftell(f)) == -1) {
+        fclose(f);
+        return (MBEDTLS_ERR_DHM_FILE_IO_ERROR);
+    }
+    fseek(f, 0, SEEK_SET);
+
+    *n = (size_t) size;
+
+    if (*n + 1 == 0 ||
+            (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
+        fclose(f);
+        return (MBEDTLS_ERR_DHM_ALLOC_FAILED);
+    }
+
+    if (fread(*buf, 1, *n, f) != *n) {
+        fclose(f);
+
+        mbedtls_platform_zeroize(*buf, *n + 1);
+        mbedtls_free(*buf);
+
+        return (MBEDTLS_ERR_DHM_FILE_IO_ERROR);
+    }
+
+    fclose(f);
+
+    (*buf)[*n] = '\0';
+
+    if (strstr((const char *) *buf, "-----BEGIN ") != NULL)
+        ++*n;
+
+    return (0);
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+    unsigned char *buf;
+    DHM_VALIDATE_RET(dhm != NULL);
+    DHM_VALIDATE_RET(path != NULL);
+
+    if ((ret = load_file(path, &buf, &n)) != 0)
+        return (ret);
+
+    ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
+
+    mbedtls_platform_zeroize(buf, n);
+    mbedtls_free(buf);
+
+    return (ret);
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+static const char mbedtls_test_dhm_params[] =
+    "-----BEGIN DH PARAMETERS-----\r\n"
+    "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+    "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+    "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+    "-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+    0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+    0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+    0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+    0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+    0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+    0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+    0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+    0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+    0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+    0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+    0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+    0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
+};
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test(int verbose) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_dhm_context dhm;
+
+    mbedtls_dhm_init(&dhm);
+
+    if (verbose != 0)
+        mbedtls_printf("  DHM parameter load: ");
+
+    if ((ret = mbedtls_dhm_parse_dhm(&dhm,
+                                     (const unsigned char *) mbedtls_test_dhm_params,
+                                     mbedtls_test_dhm_params_len)) != 0) {
+        if (verbose != 0)
+            mbedtls_printf("failed\n");
+
+        ret = 1;
+        goto exit;
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n\n");
+
+exit:
+    mbedtls_dhm_free(&dhm);
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/common/mbedtls/dhm.h b/common/mbedtls/dhm.h
new file mode 100644
index 000000000..327176859
--- /dev/null
+++ b/common/mbedtls/dhm.h
@@ -0,0 +1,1091 @@
+/**
+ * \file dhm.h
+ *
+ * \brief   This file contains Diffie-Hellman-Merkle (DHM) key exchange
+ *          definitions and functions.
+ *
+ * Diffie-Hellman-Merkle (DHM) key exchange is defined in
+ * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
+ * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
+ * Hellman Key Agreement Standard</em>.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
+ *
+ * \warning  The security of the DHM key exchange relies on the proper choice
+ *           of prime modulus - optimally, it should be a safe prime. The usage
+ *           of non-safe primes both decreases the difficulty of the underlying
+ *           discrete logarithm problem and can lead to small subgroup attacks
+ *           leaking private exponent bits when invalid public keys are used
+ *           and not detected. This is especially relevant if the same DHM
+ *           parameters are reused for multiple key exchanges as in static DHM,
+ *           while the criticality of small-subgroup attacks is lower for
+ *           ephemeral DHM.
+ *
+ * \warning  For performance reasons, the code does neither perform primality
+ *           nor safe primality tests, nor the expensive checks for invalid
+ *           subgroups. Moreover, even if these were performed, non-standardized
+ *           primes cannot be trusted because of the possibility of backdoors
+ *           that can't be effectively checked for.
+ *
+ * \warning  Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_DHM_H
+#define MBEDTLS_DHM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+#include "mbedtls/bignum.h"
+
+/*
+ * DHM Error codes
+ */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA                    -0x3080  /**< Bad input parameters. */
+#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED                -0x3100  /**< Reading of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED                -0x3180  /**< Making of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED                -0x3200  /**< Reading of the public values failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED                -0x3280  /**< Making of the public value failed. */
+#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED                -0x3300  /**< Calculation of the DHM secret failed. */
+#define MBEDTLS_ERR_DHM_INVALID_FORMAT                    -0x3380  /**< The ASN.1 data is not formatted correctly. */
+#define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480  /**< Read or write of file failed. */
+
+/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500  /**< DHM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580  /**< Setting the modulus and generator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+/**
+ * \brief          The DHM context structure.
+ */
+typedef struct mbedtls_dhm_context {
+    size_t len;         /*!<  The size of \p P in Bytes. */
+    mbedtls_mpi P;      /*!<  The prime modulus. */
+    mbedtls_mpi G;      /*!<  The generator. */
+    mbedtls_mpi X;      /*!<  Our secret value. */
+    mbedtls_mpi GX;     /*!<  Our public key = \c G^X mod \c P. */
+    mbedtls_mpi GY;     /*!<  The public key of the peer = \c G^Y mod \c P. */
+    mbedtls_mpi K;      /*!<  The shared secret = \c G^(XY) mod \c P. */
+    mbedtls_mpi RP;     /*!<  The cached value = \c R^2 mod \c P. */
+    mbedtls_mpi Vi;     /*!<  The blinding value. */
+    mbedtls_mpi Vf;     /*!<  The unblinding value. */
+    mbedtls_mpi pX;     /*!<  The previous \c X. */
+}
+mbedtls_dhm_context;
+
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
+/**
+ * \brief          This function initializes the DHM context.
+ *
+ * \param ctx      The DHM context to initialize.
+ */
+void mbedtls_dhm_init(mbedtls_dhm_context *ctx);
+
+/**
+ * \brief          This function parses the DHM parameters in a
+ *                 TLS ServerKeyExchange handshake message
+ *                 (DHM modulus, generator, and public key).
+ *
+ * \note           In a TLS handshake, this is the how the client
+ *                 sets up its DHM context from the server's public
+ *                 DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized.
+ * \param p        On input, *p must be the start of the input buffer.
+ *                 On output, *p is updated to point to the end of the data
+ *                 that has been read. On success, this is the first byte
+ *                 past the end of the ServerKeyExchange parameters.
+ *                 On error, this is the point at which an error has been
+ *                 detected, which is usually not useful except to debug
+ *                 failures.
+ * \param end      The end of the input buffer.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
+                            unsigned char **p,
+                            const unsigned char *end);
+
+/**
+ * \brief          This function generates a DHM key pair and exports its
+ *                 public part together with the DHM parameters in the format
+ *                 used in a TLS ServerKeyExchange handshake message.
+ *
+ * \note           This function assumes that the DHM parameters \c ctx->P
+ *                 and \c ctx->G have already been properly set. For that, use
+ *                 mbedtls_dhm_set_group() below in conjunction with
+ *                 mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
+ *
+ * \note           In a TLS handshake, this is the how the server generates
+ *                 and exports its DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized
+ *                 and have the DHM parameters set. It may or may not
+ *                 already have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param olen     The address at which to store the number of Bytes
+ *                 written on success. This must not be \c NULL.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 sufficient size to hold the reduced binary presentation of
+ *                 the modulus, the generator and the public key, each wrapped
+ *                 with a 2-byte length field. It is the responsibility of the
+ *                 caller to ensure that enough space is available. Refer to
+ *                 mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng    The RNG function. Must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
+                            unsigned char *output, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
+
+/**
+ * \brief          This function sets the prime modulus and generator.
+ *
+ * \note           This function can be used to set \c ctx->P, \c ctx->G
+ *                 in preparation for mbedtls_dhm_make_params().
+ *
+ * \param ctx      The DHM context to configure. This must be initialized.
+ * \param P        The MPI holding the DHM prime modulus. This must be
+ *                 an initialized MPI.
+ * \param G        The MPI holding the DHM generator. This must be an
+ *                 initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
+                          const mbedtls_mpi *P,
+                          const mbedtls_mpi *G);
+
+/**
+ * \brief          This function imports the raw public value of the peer.
+ *
+ * \note           In a TLS handshake, this is the how the server imports
+ *                 the Client's public DHM key.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and have
+ *                 its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ *                 It may or may not already have generated its own private key.
+ * \param input    The input buffer containing the \c G^Y value of the peer.
+ *                 This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen     The size of the input buffer \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
+                            const unsigned char *input, size_t ilen);
+
+/**
+ * \brief          This function creates a DHM key pair and exports
+ *                 the raw public key in big-endian format.
+ *
+ * \note           The destination buffer is always fully written
+ *                 so as to contain a big-endian representation of G^X mod P.
+ *                 If it is larger than \c ctx->len, it is padded accordingly
+ *                 with zero-bytes at the beginning.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and
+ *                 have the DHM parameters set. It may or may not already
+ *                 have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 size \p olen Bytes.
+ * \param olen     The length of the destination buffer. This must be at least
+ *                 equal to `ctx->len` (the size of \c P).
+ * \param f_rng    The RNG function. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
+                            unsigned char *output, size_t olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
+
+/**
+ * \brief          This function derives and exports the shared secret
+ *                 \c (G^Y)^X mod \c P.
+ *
+ * \note           If \p f_rng is not \c NULL, it is used to blind the input as
+ *                 a countermeasure against timing attacks. Blinding is used
+ *                 only if our private key \c X is re-used, and not used
+ *                 otherwise. We recommend always passing a non-NULL
+ *                 \p f_rng argument.
+ *
+ * \param ctx           The DHM context to use. This must be initialized
+ *                      and have its own private key generated and the peer's
+ *                      public key imported.
+ * \param output        The buffer to write the generated shared key to. This
+ *                      must be a writable buffer of size \p output_size Bytes.
+ * \param output_size   The size of the destination buffer. This must be at
+ *                      least the size of \c ctx->len (the size of \c P).
+ * \param olen          On exit, holds the actual number of Bytes written.
+ * \param f_rng         The RNG function, for blinding purposes. This may
+ *                      b \c NULL if blinding isn't needed.
+ * \param p_rng         The RNG context. This may be \c NULL if \p f_rng
+ *                      doesn't need a context argument.
+ *
+ * \return              \c 0 on success.
+ * \return              An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
+                            unsigned char *output, size_t output_size, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
+
+/**
+ * \brief          This function frees and clears the components
+ *                 of a DHM context.
+ *
+ * \param ctx      The DHM context to free and clear. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is not \c NULL,
+ *                 it must point to an initialized DHM context.
+ */
+void mbedtls_dhm_free(mbedtls_dhm_context *ctx);
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/**
+ * \brief             This function parses DHM parameters in PEM or DER format.
+ *
+ * \param dhm         The DHM context to import the DHM parameters into.
+ *                    This must be initialized.
+ * \param dhmin       The input buffer. This must be a readable buffer of
+ *                    length \p dhminlen Bytes.
+ * \param dhminlen    The size of the input buffer \p dhmin, including the
+ *                    terminating \c NULL Byte for PEM data.
+ *
+ * \return            \c 0 on success.
+ * \return            An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ *                    code on failure.
+ */
+int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                          size_t dhminlen);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          This function loads and parses DHM parameters from a file.
+ *
+ * \param dhm      The DHM context to load the parameters to.
+ *                 This must be initialized.
+ * \param path     The filename to read the DHM parameters from.
+ *                 This must not be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ *                 error code on failure.
+ */
+int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path);
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The DMH checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_dhm_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+#ifdef __cplusplus
+}
+#endif
+
+/**
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
+ *
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2:  2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3:    2048-bit MODP Group
+ * - RFC 3526 section 4:    3072-bit MODP Group
+ * - RFC 3526 section 5:    4096-bit MODP Group
+ * - RFC 7919 section A.1:  ffdhe2048
+ * - RFC 7919 section A.2:  ffdhe3072
+ * - RFC 7919 section A.3:  ffdhe4096
+ * - RFC 7919 section A.4:  ffdhe6144
+ * - RFC 7919 section A.5:  ffdhe8192
+ *
+ * The constants with suffix "_p" denote the chosen prime moduli, while
+ * the constants with suffix "_g" denote the chosen generator
+ * of the associated prime field.
+ *
+ * The constants further suffixed with "_bin" are provided in binary format,
+ * while all other constants represent null-terminated strings holding the
+ * hexadecimal presentation of the respective numbers.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ *   the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ *   which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ *   of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ *   such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ *   generator is always chosen to be 2 (which is a square for these prime,
+ *   hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ *   bit in the private exponent).
+ *
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+/**
+ * \warning The origin of the primes in RFC 5114 is not documented and
+ *          their use therefore constitutes a security risk!
+ *
+ * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
+ *             likely to be removed in a future version of the library without
+ *             replacement.
+ */
+
+/**
+ * The hexadecimal presentation of the prime underlying the
+ * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
+ * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
+ * IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
+        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
+        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
+        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
+        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
+        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
+        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
+        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
+        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
+        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
+        "CF9DE5384E71B81C0AC4DFFE0C10E64F" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
+ * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
+        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
+        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
+        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
+        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
+        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
+        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
+        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
+        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
+        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
+        "81BC087F2A7065B384B890D3191F2BFA" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ *
+ * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
+ *             superseded by the corresponding macros providing them as
+ *             binary constants. Their hex-encoded constants are likely
+ *             to be removed in a future version of the library.
+ *
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 3072-bit MODP
+ * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
+        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
+        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
+        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
+        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
+        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
+        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
+        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
+        "FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Trustworthy DHM parameters in binary form
+ */
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+     0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+     0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+     0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+     0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+     0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+     0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+     0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+     0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+     0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+     0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+     0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+     0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+     0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+     0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+     0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+     0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+     0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+     0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+     0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+     0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+     0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+     0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+     0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+     0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+     0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+     0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+     0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+     0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+     0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN  {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,  \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,  \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,  \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,  \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,  \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,  \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,  \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,  \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,  \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,  \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,  \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,  \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,  \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,  \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,  \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,  \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,  \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,  \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,  \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,  \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,  \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,  \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,  \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,  \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,  \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,  \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,  \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,  \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,  \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,  \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,  \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,  \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,  \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,  \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,  \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,  \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,  \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,  \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,  \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,  \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,  \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,  \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,  \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,  \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,  \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,  \
+    0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,  \
+    0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,  \
+    0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,  \
+    0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,  \
+    0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,  \
+    0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,  \
+    0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,  \
+    0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,  \
+    0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,  \
+    0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,  \
+    0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,  \
+    0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,  \
+    0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,  \
+    0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,  \
+    0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,  \
+    0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,  \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
+     0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
+     0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
+     0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
+     0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
+     0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
+     0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
+     0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
+     0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
+     0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
+     0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
+     0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
+     0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
+     0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
+     0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
+     0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
+     0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
+     0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
+     0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
+     0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
+     0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
+     0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
+     0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
+     0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
+     0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
+     0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
+     0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
+     0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
+     0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
+     0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
+     0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
+     0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
+     0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
+
+#endif /* dhm.h */
diff --git a/common/mbedtls/ecdh.c b/common/mbedtls/ecdh.c
new file mode 100644
index 000000000..71c8f1aa2
--- /dev/null
+++ b/common/mbedtls/ecdh.c
@@ -0,0 +1,688 @@
+/*
+ *  Elliptic curve Diffie-Hellman
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * RFC 4492
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDH_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDH_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+    const mbedtls_ecdh_context *ctx) {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ctx->grp.id);
+#else
+    return (ctx->grp_id);
+#endif
+}
+
+int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid) {
+    /* At this time, all groups support ECDH. */
+    (void) gid;
+    return (1);
+}
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
+                                       mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                                       int (*f_rng)(void *, unsigned char *, size_t),
+                                       void *p_rng,
+                                       mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* If multiplication is in progress, we already generated a privkey */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx == NULL || rs_ctx->rsm == NULL)
+#endif
+        MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
+                                                f_rng, p_rng, rs_ctx));
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Generate public key
+ */
+int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    ECDH_VALIDATE_RET(grp != NULL);
+    ECDH_VALIDATE_RET(d != NULL);
+    ECDH_VALIDATE_RET(Q != NULL);
+    ECDH_VALIDATE_RET(f_rng != NULL);
+    return (ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL));
+}
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
+                                           mbedtls_mpi *z,
+                                           const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                                           int (*f_rng)(void *, unsigned char *, size_t),
+                                           void *p_rng,
+                                           mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point P;
+
+    mbedtls_ecp_point_init(&P);
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
+                                                f_rng, p_rng, rs_ctx));
+
+    if (mbedtls_ecp_is_zero(&P)) {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
+
+cleanup:
+    mbedtls_ecp_point_free(&P);
+
+    return (ret);
+}
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                                const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng) {
+    ECDH_VALIDATE_RET(grp != NULL);
+    ECDH_VALIDATE_RET(Q != NULL);
+    ECDH_VALIDATE_RET(d != NULL);
+    ECDH_VALIDATE_RET(z != NULL);
+    return (ecdh_compute_shared_restartable(grp, z, Q, d,
+                                            f_rng, p_rng, NULL));
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx) {
+    mbedtls_ecp_group_init(&ctx->grp);
+    mbedtls_mpi_init(&ctx->d);
+    mbedtls_ecp_point_init(&ctx->Q);
+    mbedtls_ecp_point_init(&ctx->Qp);
+    mbedtls_mpi_init(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_init(&ctx->rs);
+#endif
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx) {
+    ECDH_VALIDATE(ctx != NULL);
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    ecdh_init_internal(ctx);
+    mbedtls_ecp_point_init(&ctx->Vi);
+    mbedtls_ecp_point_init(&ctx->Vf);
+    mbedtls_mpi_init(&ctx->_d);
+#else
+    memset(ctx, 0, sizeof(mbedtls_ecdh_context));
+
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
+                               mbedtls_ecp_group_id grp_id) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
+    if (ret != 0) {
+        return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+    }
+
+    return (0);
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id) {
+    ECDH_VALIDATE_RET(ctx != NULL);
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_setup_internal(ctx, grp_id));
+#else
+    switch (grp_id) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE25519:
+            ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
+            ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
+            ctx->grp_id = grp_id;
+            return (mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id));
+#endif
+        default:
+            ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+            ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+            ctx->grp_id = grp_id;
+            ecdh_init_internal(&ctx->ctx.mbed_ecdh);
+            return (ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id));
+    }
+#endif
+}
+
+static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx) {
+    mbedtls_ecp_group_free(&ctx->grp);
+    mbedtls_mpi_free(&ctx->d);
+    mbedtls_ecp_point_free(&ctx->Q);
+    mbedtls_ecp_point_free(&ctx->Qp);
+    mbedtls_mpi_free(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_free(&ctx->rs);
+#endif
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Enable restartable operations for context
+ */
+void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx) {
+    ECDH_VALIDATE(ctx != NULL);
+
+    ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_point_free(&ctx->Vi);
+    mbedtls_ecp_point_free(&ctx->Vf);
+    mbedtls_mpi_free(&ctx->_d);
+    ecdh_free_internal(ctx);
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            mbedtls_everest_free(&ctx->ctx.everest_ecdh);
+            break;
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            ecdh_free_internal(&ctx->ctx.mbed_ecdh);
+            break;
+        default:
+            break;
+    }
+
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+    ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
+                                     size_t *olen, int point_format,
+                                     unsigned char *buf, size_t blen,
+                                     int (*f_rng)(void *,
+                                                  unsigned char *,
+                                                  size_t),
+                                     void *p_rng,
+                                     int restart_enabled) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if (ctx->grp.pbits == 0)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (restart_enabled)
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+                                           f_rng, p_rng, rs_ctx)) != 0)
+        return (ret);
+#else
+    if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+                                       f_rng, p_rng)) != 0)
+        return (ret);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
+                                           blen)) != 0)
+        return (ret);
+
+    buf += grp_len;
+    blen -= grp_len;
+
+    if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
+                                           &pt_len, buf, blen)) != 0)
+        return (ret);
+
+    *olen = grp_len + pt_len;
+    return (0);
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(olen != NULL);
+    ECDH_VALIDATE_RET(buf != NULL);
+    ECDH_VALIDATE_RET(f_rng != NULL);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
+                                      f_rng, p_rng, restart_enabled));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            return (mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
+                                                buf, blen, f_rng, p_rng));
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
+                                              ctx->point_format, buf, blen,
+                                              f_rng, p_rng,
+                                              restart_enabled));
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
+                                     const unsigned char **buf,
+                                     const unsigned char *end) {
+    return (mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
+                                       end - *buf));
+}
+
+/*
+ * Read the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
+                             const unsigned char **buf,
+                             const unsigned char *end) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_group_id grp_id;
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(buf != NULL);
+    ECDH_VALIDATE_RET(*buf != NULL);
+    ECDH_VALIDATE_RET(end != NULL);
+
+    if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, end - *buf))
+            != 0)
+        return (ret);
+
+    if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0)
+        return (ret);
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_read_params_internal(ctx, buf, end));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            return (mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
+                                                buf, end));
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
+                                              buf, end));
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
+                                    const mbedtls_ecp_keypair *key,
+                                    mbedtls_ecdh_side side) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* If it's not our key, just import the public part as Qp */
+    if (side == MBEDTLS_ECDH_THEIRS)
+        return (mbedtls_ecp_copy(&ctx->Qp, &key->Q));
+
+    /* Our key: import public (as Q) and private parts */
+    if (side != MBEDTLS_ECDH_OURS)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+    if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
+            (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
+                            const mbedtls_ecp_keypair *key,
+                            mbedtls_ecdh_side side) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(key != NULL);
+    ECDH_VALIDATE_RET(side == MBEDTLS_ECDH_OURS ||
+                      side == MBEDTLS_ECDH_THEIRS);
+
+    if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
+        /* This is the first call to get_params(). Set up the context
+         * for use with the group. */
+        if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0)
+            return (ret);
+    } else {
+        /* This is not the first call to get_params(). Check that the
+         * current key's group is the same as the context's, which was set
+         * from the first key's group. */
+        if (mbedtls_ecdh_grp_id(ctx) != key->grp.id)
+            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+    }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_get_params_internal(ctx, key, side));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST: {
+            mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
+                                          MBEDTLS_EVEREST_ECDH_OURS :
+                                          MBEDTLS_EVEREST_ECDH_THEIRS;
+            return (mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
+                                               key, s));
+        }
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
+                                             key, side));
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
+                                     size_t *olen, int point_format,
+                                     unsigned char *buf, size_t blen,
+                                     int (*f_rng)(void *,
+                                                  unsigned char *,
+                                                  size_t),
+                                     void *p_rng,
+                                     int restart_enabled) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if (ctx->grp.pbits == 0)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (restart_enabled)
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+                                           f_rng, p_rng, rs_ctx)) != 0)
+        return (ret);
+#else
+    if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+                                       f_rng, p_rng)) != 0)
+        return (ret);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
+                                       buf, blen);
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(olen != NULL);
+    ECDH_VALIDATE_RET(buf != NULL);
+    ECDH_VALIDATE_RET(f_rng != NULL);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
+                                      f_rng, p_rng, restart_enabled));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            return (mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
+                                                buf, blen, f_rng, p_rng));
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
+                                              ctx->point_format, buf, blen,
+                                              f_rng, p_rng,
+                                              restart_enabled));
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
+                                     const unsigned char *buf, size_t blen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const unsigned char *p = buf;
+
+    if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
+                                          blen)) != 0)
+        return (ret);
+
+    if ((size_t)(p - buf) != blen)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+    return (0);
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
+                             const unsigned char *buf, size_t blen) {
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(buf != NULL);
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_read_public_internal(ctx, buf, blen));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            return (mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
+                                                buf, blen));
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
+                                              buf, blen));
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
+                                     size_t *olen, unsigned char *buf,
+                                     size_t blen,
+                                     int (*f_rng)(void *,
+                                                  unsigned char *,
+                                                  size_t),
+                                     void *p_rng,
+                                     int restart_enabled) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if (ctx == NULL || ctx->grp.pbits == 0)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (restart_enabled)
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
+                                               &ctx->d, f_rng, p_rng,
+                                               rs_ctx)) != 0) {
+        return (ret);
+    }
+#else
+    if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
+                                           &ctx->d, f_rng, p_rng)) != 0) {
+        return (ret);
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if (mbedtls_mpi_size(&ctx->z) > blen)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+    *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
+
+    if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY)
+        return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
+
+    return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET(ctx != NULL);
+    ECDH_VALIDATE_RET(olen != NULL);
+    ECDH_VALIDATE_RET(buf != NULL);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return (ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
+                                      restart_enabled));
+#else
+    switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        case MBEDTLS_ECDH_VARIANT_EVEREST:
+            return (mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
+                                                buf, blen, f_rng, p_rng));
+#endif
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return (ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
+                                              blen, f_rng, p_rng,
+                                              restart_enabled));
+        default:
+            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+    }
+#endif
+}
+
+#endif /* MBEDTLS_ECDH_C */
diff --git a/common/mbedtls/ecdh.h b/common/mbedtls/ecdh.h
new file mode 100644
index 000000000..5475595d6
--- /dev/null
+++ b/common/mbedtls/ecdh.h
@@ -0,0 +1,441 @@
+/**
+ * \file ecdh.h
+ *
+ * \brief This file contains ECDH definitions and functions.
+ *
+ * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ * key agreement protocol allowing two parties to establish a shared
+ * secret over an insecure channel. Each party must have an
+ * elliptic-curve public–private key pair.
+ *
+ * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
+ * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
+ * Cryptography</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_ECDH_H
+#define MBEDTLS_ECDH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ecp.h"
+
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+#undef MBEDTLS_ECDH_LEGACY_CONTEXT
+#include "everest/everest.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the source of the imported EC key.
+ */
+typedef enum {
+    MBEDTLS_ECDH_OURS,   /**< Our key. */
+    MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
+} mbedtls_ecdh_side;
+
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum {
+    MBEDTLS_ECDH_VARIANT_NONE = 0,   /*!< Implementation not defined. */
+    MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+    MBEDTLS_ECDH_VARIANT_EVEREST     /*!< Everest implementation */
+#endif
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed {
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
+/**
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ * \brief           The ECDH context structure.
+ */
+typedef struct mbedtls_ecdh_context {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+    int point_format;        /*!< The format of point export in TLS messages. */
+    mbedtls_ecp_point Vi;    /*!< The blinding value. */
+    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
+    mbedtls_mpi _d;          /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    int restart_enabled;        /*!< The flag for restartable mode. */
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+    uint8_t point_format;       /*!< The format of point export in TLS messages
+                                  as defined in RFC 4492. */
+    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
+    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
+    union {
+        mbedtls_ecdh_context_mbed   mbed_ecdh;
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+        mbedtls_ecdh_context_everest everest_ecdh;
+#endif
+    } ctx;                      /*!< Implementation-specific context. The
+                                  context in use is specified by the \c var
+                                  field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
+                                  an alternative implementation not supporting
+                                  restartable mode must return
+                                  MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+                                  if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
+}
+mbedtls_ecdh_context;
+
+/**
+ * \brief          Check whether a given group can be used for ECDH.
+ *
+ * \param gid      The ECP group ID to check.
+ *
+ * \return         \c 1 if the group can be used, \c 0 otherwise
+ */
+int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
+
+/**
+ * \brief           This function generates an ECDH keypair on an elliptic
+ *                  curve.
+ *
+ *                  This function performs the first of two core computations
+ *                  implemented during the ECDH key exchange. The second core
+ *                  computation is performed by mbedtls_ecdh_compute_shared().
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param d         The destination MPI (private key).
+ *                  This must be initialized.
+ * \param Q         The destination point (public key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
+
+/**
+ * \brief           This function computes the shared secret.
+ *
+ *                  This function performs the second of two core computations
+ *                  implemented during the ECDH key exchange. The first core
+ *                  computation is performed by mbedtls_ecdh_gen_public().
+ *
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param z         The destination MPI (shared secret).
+ *                  This must be initialized.
+ * \param Q         The public key from another party.
+ *                  This must be initialized.
+ * \param d         Our secret exponent (private key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results during the ECP computations is
+ *                  not needed (discouraged). See the documentation of
+ *                  mbedtls_ecp_mul() for more.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't need a
+ *                  context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                                const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng);
+
+/**
+ * \brief           This function initializes an ECDH context.
+ *
+ * \param ctx       The ECDH context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx);
+
+/**
+ * \brief           This function sets up the ECDH context with the information
+ *                  given.
+ *
+ *                  This function should be called after mbedtls_ecdh_init() but
+ *                  before mbedtls_ecdh_make_params(). There is no need to call
+ *                  this function before mbedtls_ecdh_read_params().
+ *
+ *                  This is the first function used by a TLS server for ECDHE
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param grp_id    The group id of the group to set up the context for.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx,
+                       mbedtls_ecp_group_id grp_id);
+
+/**
+ * \brief           This function frees a context.
+ *
+ * \param ctx       The context to free. This may be \c NULL, in which
+ *                  case this function does nothing. If it is not \c NULL,
+ *                  it must point to an initialized ECDH context.
+ */
+void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
+
+/**
+ * \brief           This function generates an EC key pair and exports its
+ *                  in the format used in a TLS ServerKeyExchange handshake
+ *                  message.
+ *
+ *                  This is the second function used by a TLS server for ECDHE
+ *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen      The address at which to store the number of Bytes written.
+ * \param buf       The destination buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng);
+
+/**
+ * \brief           This function parses the ECDHE parameters in a
+ *                  TLS ServerKeyExchange handshake message.
+ *
+ * \note            In a TLS handshake, this is the how the client
+ *                  sets up its ECDHE context from the server's public
+ *                  ECDHE key material.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDHE context to use. This must be initialized.
+ * \param buf       On input, \c *buf must be the start of the input buffer.
+ *                  On output, \c *buf is updated to point to the end of the
+ *                  data that has been read. On success, this is the first byte
+ *                  past the end of the ServerKeyExchange parameters.
+ *                  On error, this is the point at which an error has been
+ *                  detected, which is usually not useful except to debug
+ *                  failures.
+ * \param end       The end of the input buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
+                             const unsigned char **buf,
+                             const unsigned char *end);
+
+/**
+ * \brief           This function sets up an ECDH context from an EC key.
+ *
+ *                  It is used by clients and servers in place of the
+ *                  ServerKeyEchange for static ECDH, and imports ECDH
+ *                  parameters from the EC key information of a certificate.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param key       The EC key to use. This must be initialized.
+ * \param side      Defines the source of the key. Possible values are:
+ *                  - #MBEDTLS_ECDH_OURS: The key is ours.
+ *                  - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
+                            const mbedtls_ecp_keypair *key,
+                            mbedtls_ecdh_side side);
+
+/**
+ * \brief           This function generates a public key and exports it
+ *                  as a TLS ClientKeyExchange payload.
+ *
+ *                  This is the second function used by a TLS client for ECDH(E)
+ *                  ciphersuites.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, the latter usually by
+ *                  mbedtls_ecdh_read_params().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The destination buffer. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The size of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng);
+
+/**
+ * \brief       This function parses and processes the ECDHE payload of a
+ *              TLS ClientKeyExchange message.
+ *
+ *              This is the third function used by a TLS server for ECDH(E)
+ *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ *              mbedtls_ecdh_make_params().)
+ *
+ * \see         ecp.h
+ *
+ * \param ctx   The ECDH context to use. This must be initialized
+ *              and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf   The pointer to the ClientKeyExchange payload. This must
+ *              be a readable buffer of length \p blen Bytes.
+ * \param blen  The length of the input buffer \p buf in Bytes.
+ *
+ * \return      \c 0 on success.
+ * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
+                             const unsigned char *buf, size_t blen);
+
+/**
+ * \brief           This function derives and exports the shared secret.
+ *
+ *                  This is the last function used by both TLS client
+ *                  and servers.
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \see             ecp.h
+
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and have its own private key generated and the peer's
+ *                  public key imported.
+ * \param olen      The address at which to store the total number of
+ *                  Bytes written on success. This must not be \c NULL.
+ * \param buf       The buffer to write the generated shared key to. This
+ *                  must be a writable buffer of size \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function, for blinding purposes. This may
+ *                  b \c NULL if blinding isn't needed.
+ * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
+ *                  doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
+                             unsigned char *buf, size_t blen,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           This function enables restartable EC computations for this
+ *                  context.  (Default: disabled.)
+ *
+ * \see             \c mbedtls_ecp_set_max_ops()
+ *
+ * \note            It is not possible to safely disable restartable
+ *                  computations once enabled, except by free-ing the context,
+ *                  which cancels possible in-progress operations.
+ *
+ * \param ctx       The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdh.h */
diff --git a/common/mbedtls/ecdsa.c b/common/mbedtls/ecdsa.c
index a7d7bb720..71068682e 100644
--- a/common/mbedtls/ecdsa.c
+++ b/common/mbedtls/ecdsa.c
@@ -1,24 +1,20 @@
 /*
  *  Elliptic curve DSA
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -27,11 +23,7 @@
  * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ECDSA_C)
 
@@ -44,13 +36,188 @@
 #include "mbedtls/hmac_drbg.h"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDSA_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDSA_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver {
+    mbedtls_mpi u1, u2;     /* intermediate values  */
+    enum {                  /* what to do next?     */
+        ecdsa_ver_init = 0, /* getting started      */
+        ecdsa_ver_muladd,   /* muladd step          */
+    } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx *ctx) {
+    mbedtls_mpi_init(&ctx->u1);
+    mbedtls_mpi_init(&ctx->u2);
+    ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_mpi_free(&ctx->u1);
+    mbedtls_mpi_free(&ctx->u2);
+
+    ecdsa_restart_ver_init(ctx);
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig {
+    int sign_tries;
+    int key_tries;
+    mbedtls_mpi k;          /* per-signature random */
+    mbedtls_mpi r;          /* r value              */
+    enum {                  /* what to do next?     */
+        ecdsa_sig_init = 0, /* getting started      */
+        ecdsa_sig_mul,      /* doing ecp_mul()      */
+        ecdsa_sig_modn,     /* mod N computations   */
+    } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx *ctx) {
+    ctx->sign_tries = 0;
+    ctx->key_tries = 0;
+    mbedtls_mpi_init(&ctx->k);
+    mbedtls_mpi_init(&ctx->r);
+    ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_mpi_free(&ctx->k);
+    mbedtls_mpi_free(&ctx->r);
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det {
+    mbedtls_hmac_drbg_context rng_ctx;  /* DRBG state   */
+    enum {                      /* what to do next?     */
+        ecdsa_det_init = 0,     /* getting started      */
+        ecdsa_det_sign,         /* make signature       */
+    } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx *ctx) {
+    mbedtls_hmac_drbg_init(&ctx->rng_ctx);
+    ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_hmac_drbg_free(&ctx->rng_ctx);
+
+    ecdsa_restart_det_init(ctx);
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP    ( rs_ctx == NULL ? NULL : &rs_ctx->ecp )
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) );
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER( SUB )   do {                                 \
+    /* reset ops count for this call if top-level */                 \
+    if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 )                 \
+        rs_ctx->ecp.ops_done = 0;                                    \
+                                                                     \
+    /* set up our own sub-context if needed */                       \
+    if( mbedtls_ecp_restart_is_enabled() &&                          \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                      \
+    {                                                                \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );   \
+        if( rs_ctx->SUB == NULL )                                    \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                  \
+                                                                     \
+        ecdsa_restart_## SUB ##_init( rs_ctx->SUB );                 \
+    }                                                                \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE( SUB )   do {                                 \
+    /* clear our sub-context when not in progress (done or error) */ \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                     \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                         \
+    {                                                                \
+        ecdsa_restart_## SUB ##_free( rs_ctx->SUB );                 \
+        mbedtls_free( rs_ctx->SUB );                                 \
+        rs_ctx->SUB = NULL;                                          \
+    }                                                                \
+                                                                     \
+    if( rs_ctx != NULL )                                             \
+        rs_ctx->ecp.depth--;                                         \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP    NULL
+
+#define ECDSA_BUDGET( ops )   /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER( SUB )   (void) rs_ctx
+#define ECDSA_RS_LEAVE( SUB )   (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \
+    !defined(MBEDTLS_ECDSA_SIGN_ALT)     || \
+    !defined(MBEDTLS_ECDSA_VERIFY_ALT)
 /*
  * Derive a suitable integer for group grp from a buffer of length len
  * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
  */
 static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,
                       const unsigned char *buf, size_t blen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n_size = (grp->nbits + 7) / 8;
     size_t use_size = blen > n_size ? n_size : blen;
 
@@ -65,21 +232,28 @@ static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,
 cleanup:
     return (ret);
 }
+#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
 
 #if !defined(MBEDTLS_ECDSA_SIGN_ALT)
 /*
  * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
  * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
  */
-int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
-                       const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret, key_tries, sign_tries, blind_tries;
+static int ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+                                  mbedtls_mpi *r, mbedtls_mpi *s,
+                                  const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                  int (*f_rng_blind)(void *, unsigned char *, size_t),
+                                  void *p_rng_blind,
+                                  mbedtls_ecdsa_restart_ctx *rs_ctx) {
+    int ret, key_tries, sign_tries;
+    int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
     mbedtls_ecp_point R;
     mbedtls_mpi k, e, t;
+    mbedtls_mpi *pk = &k, *pr = r;
 
     /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
-    if (grp->N.p == NULL)
+    if (! mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL)
         return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 
     /* Make sure d is in range 1..n-1 */
@@ -91,22 +265,68 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
     mbedtls_mpi_init(&e);
     mbedtls_mpi_init(&t);
 
-    sign_tries = 0;
+    ECDSA_RS_ENTER(sig);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+        /* redirect to our context */
+        p_sign_tries = &rs_ctx->sig->sign_tries;
+        p_key_tries = &rs_ctx->sig->key_tries;
+        pk = &rs_ctx->sig->k;
+        pr = &rs_ctx->sig->r;
+
+        /* jump to current step */
+        if (rs_ctx->sig->state == ecdsa_sig_mul)
+            goto mul;
+        if (rs_ctx->sig->state == ecdsa_sig_modn)
+            goto modn;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    *p_sign_tries = 0;
     do {
+        if ((*p_sign_tries)++ > 10) {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+
         /*
          * Steps 1-3: generate a suitable ephemeral keypair
          * and set r = xR mod n
          */
-        key_tries = 0;
+        *p_key_tries = 0;
         do {
-            MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair(grp, &k, &R, f_rng, p_rng));
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(r, &R.X, &grp->N));
-
-            if (key_tries++ > 10) {
+            if ((*p_key_tries)++ > 10) {
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
-        } while (mbedtls_mpi_cmp_int(r, 0) == 0);
+
+            MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, pk, f_rng, p_rng));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if (rs_ctx != NULL && rs_ctx->sig != NULL)
+                rs_ctx->sig->state = ecdsa_sig_mul;
+
+mul:
+#endif
+            MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G,
+                                                        f_rng_blind,
+                                                        p_rng_blind,
+                                                        ECDSA_RS_ECP));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N));
+        } while (mbedtls_mpi_cmp_int(pr, 0) == 0);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && rs_ctx->sig != NULL)
+            rs_ctx->sig->state = ecdsa_sig_modn;
+
+modn:
+#endif
+        /*
+         * Accounting for everything up to the end of the loop
+         * (step 6, but checking now avoids saving e and t)
+         */
+        ECDSA_BUDGET(MBEDTLS_ECP_OPS_INV + 4);
 
         /*
          * Step 5: derive MPI from hashed message
@@ -117,54 +337,86 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
          * Generate a random value to blind inv_mod in next step,
          * avoiding a potential timing leak.
          */
-        blind_tries = 0;
-        do {
-            size_t n_size = (grp->nbits + 7) / 8;
-            MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&t, n_size, f_rng, p_rng));
-            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&t, 8 * n_size - grp->nbits));
-
-            /* See mbedtls_ecp_gen_keypair() */
-            if (++blind_tries > 30)
-                return (MBEDTLS_ERR_ECP_RANDOM_FAILED);
-        } while (mbedtls_mpi_cmp_int(&t, 1) < 0 ||
-                 mbedtls_mpi_cmp_mpi(&t, &grp->N) >= 0);
+        MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, &t, f_rng_blind,
+                                                p_rng_blind));
 
         /*
          * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
          */
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, r, d));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d));
         MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s));
         MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&e, &e, &t));
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&k, &k, &t));
-        MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, &k, &grp->N));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pk, pk, &t));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N));
         MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e));
         MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N));
-
-        if (sign_tries++ > 10) {
-            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
-            goto cleanup;
-        }
     } while (mbedtls_mpi_cmp_int(s, 0) == 0);
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->sig != NULL)
+        mbedtls_mpi_copy(r, pr);
+#endif
+
 cleanup:
     mbedtls_ecp_point_free(&R);
     mbedtls_mpi_free(&k);
     mbedtls_mpi_free(&e);
     mbedtls_mpi_free(&t);
 
+    ECDSA_RS_LEAVE(sig);
+
     return (ret);
 }
-#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid) {
+    switch (gid) {
+#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+        case MBEDTLS_ECP_DP_CURVE25519:
+            return 0;
+#endif
+#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
+        case MBEDTLS_ECP_DP_CURVE448:
+            return 0;
+#endif
+        default:
+            return 1;
+    }
+}
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                       const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
+    ECDSA_VALIDATE_RET(grp   != NULL);
+    ECDSA_VALIDATE_RET(r     != NULL);
+    ECDSA_VALIDATE_RET(s     != NULL);
+    ECDSA_VALIDATE_RET(d     != NULL);
+    ECDSA_VALIDATE_RET(f_rng != NULL);
+    ECDSA_VALIDATE_RET(buf   != NULL || blen == 0);
+
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    return (ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+                                   f_rng, p_rng, f_rng, p_rng, NULL));
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 /*
  * Deterministic signature wrapper
  */
-int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
-                           const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                           mbedtls_md_type_t md_alg) {
-    int ret;
+static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+                                      mbedtls_mpi *r, mbedtls_mpi *s,
+                                      const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                                      mbedtls_md_type_t md_alg,
+                                      int (*f_rng_blind)(void *, unsigned char *, size_t),
+                                      void *p_rng_blind,
+                                      mbedtls_ecdsa_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_hmac_drbg_context rng_ctx;
+    mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
     unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
     size_t grp_len = (grp->nbits + 7) / 8;
     const mbedtls_md_info_t *md_info;
@@ -176,21 +428,146 @@ int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *
     mbedtls_mpi_init(&h);
     mbedtls_hmac_drbg_init(&rng_ctx);
 
+    ECDSA_RS_ENTER(det);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->det != NULL) {
+        /* redirect to our context */
+        p_rng = &rs_ctx->det->rng_ctx;
+
+        /* jump to current step */
+        if (rs_ctx->det->state == ecdsa_det_sign)
+            goto sign;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
     /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
     MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
-    mbedtls_hmac_drbg_seed_buf(&rng_ctx, md_info, data, 2 * grp_len);
+    mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len);
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->det != NULL)
+        rs_ctx->det->state = ecdsa_det_sign;
+
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    (void) f_rng_blind;
+    (void) p_rng_blind;
     ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
-                             mbedtls_hmac_drbg_random, &rng_ctx);
+                             mbedtls_hmac_drbg_random, p_rng);
+#else
+    if (f_rng_blind != NULL)
+        ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+                                     mbedtls_hmac_drbg_random, p_rng,
+                                     f_rng_blind, p_rng_blind, rs_ctx);
+    else {
+        mbedtls_hmac_drbg_context *p_rng_blind_det;
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        /*
+         * To avoid reusing rng_ctx and risking incorrect behavior we seed a
+         * second HMAC-DRBG with the same seed. We also apply a label to avoid
+         * reusing the bits of the ephemeral key for blinding and eliminate the
+         * risk that they leak this way.
+         */
+        const char *blind_label = "BLINDING CONTEXT";
+        mbedtls_hmac_drbg_context rng_ctx_blind;
+
+        mbedtls_hmac_drbg_init(&rng_ctx_blind);
+        p_rng_blind_det = &rng_ctx_blind;
+        mbedtls_hmac_drbg_seed_buf(p_rng_blind_det, md_info,
+                                   data, 2 * grp_len);
+        ret = mbedtls_hmac_drbg_update_ret(p_rng_blind_det,
+                                           (const unsigned char *) blind_label,
+                                           strlen(blind_label));
+        if (ret != 0) {
+            mbedtls_hmac_drbg_free(&rng_ctx_blind);
+            goto cleanup;
+        }
+#else
+        /*
+         * In the case of restartable computations we would either need to store
+         * the second RNG in the restart context too or set it up at every
+         * restart. The first option would penalize the correct application of
+         * the function and the second would defeat the purpose of the
+         * restartable feature.
+         *
+         * Therefore in this case we reuse the original RNG. This comes with the
+         * price that the resulting signature might not be a valid deterministic
+         * ECDSA signature with a very low probability (same magnitude as
+         * successfully guessing the private key). However even then it is still
+         * a valid ECDSA signature.
+         */
+        p_rng_blind_det = p_rng;
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+        /*
+         * Since the output of the RNGs is always the same for the same key and
+         * message, this limits the efficiency of blinding and leaks information
+         * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
+         * won't be a valid value for f_rng_blind anymore. Therefore it should
+         * be checked by the caller and this branch and check can be removed.
+         */
+        ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+                                     mbedtls_hmac_drbg_random, p_rng,
+                                     mbedtls_hmac_drbg_random, p_rng_blind_det,
+                                     rs_ctx);
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        mbedtls_hmac_drbg_free(&rng_ctx_blind);
+#endif
+    }
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
 
 cleanup:
     mbedtls_hmac_drbg_free(&rng_ctx);
     mbedtls_mpi_free(&h);
 
+    ECDSA_RS_LEAVE(det);
+
     return (ret);
 }
+
+/*
+ * Deterministic signature wrappers
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                           mbedtls_mpi *s, const mbedtls_mpi *d,
+                           const unsigned char *buf, size_t blen,
+                           mbedtls_md_type_t md_alg) {
+    ECDSA_VALIDATE_RET(grp   != NULL);
+    ECDSA_VALIDATE_RET(r     != NULL);
+    ECDSA_VALIDATE_RET(s     != NULL);
+    ECDSA_VALIDATE_RET(d     != NULL);
+    ECDSA_VALIDATE_RET(buf   != NULL || blen == 0);
+
+    return (ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+                                       NULL, NULL, NULL));
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                               mbedtls_mpi *s, const mbedtls_mpi *d,
+                               const unsigned char *buf, size_t blen,
+                               mbedtls_md_type_t md_alg,
+                               int (*f_rng_blind)(void *, unsigned char *,
+                                                  size_t),
+                               void *p_rng_blind) {
+    ECDSA_VALIDATE_RET(grp   != NULL);
+    ECDSA_VALIDATE_RET(r     != NULL);
+    ECDSA_VALIDATE_RET(s     != NULL);
+    ECDSA_VALIDATE_RET(d     != NULL);
+    ECDSA_VALIDATE_RET(buf   != NULL || blen == 0);
+    ECDSA_VALIDATE_RET(f_rng_blind != NULL);
+
+    return (ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+                                       f_rng_blind, p_rng_blind, NULL));
+}
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
@@ -198,12 +575,15 @@ cleanup:
  * Verify ECDSA signature of hashed message (SEC1 4.1.4)
  * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
  */
-int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
-                         const unsigned char *buf, size_t blen,
-                         const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s) {
-    int ret;
+static int ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+                                    const unsigned char *buf, size_t blen,
+                                    const mbedtls_ecp_point *Q,
+                                    const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                    mbedtls_ecdsa_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi e, s_inv, u1, u2;
     mbedtls_ecp_point R;
+    mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
 
     mbedtls_ecp_point_init(&R);
     mbedtls_mpi_init(&e);
@@ -212,9 +592,23 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
     mbedtls_mpi_init(&u2);
 
     /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
-    if (grp->N.p == NULL)
+    if (! mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL)
         return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 
+    ECDSA_RS_ENTER(ver);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ver != NULL) {
+        /* redirect to our context */
+        pu1 = &rs_ctx->ver->u1;
+        pu2 = &rs_ctx->ver->u2;
+
+        /* jump to current step */
+        if (rs_ctx->ver->state == ecdsa_ver_muladd)
+            goto muladd;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
     /*
      * Step 1: make sure r and s are in range 1..n-1
      */
@@ -224,11 +618,6 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
         goto cleanup;
     }
 
-    /*
-     * Additional precaution: make sure Q is valid
-     */
-    MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, Q));
-
     /*
      * Step 3: derive MPI from hashed message
      */
@@ -237,21 +626,27 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
     /*
      * Step 4: u1 = e / s mod n, u2 = r / s mod n
      */
+    ECDSA_BUDGET(MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2);
+
     MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N));
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&u1, &e, &s_inv));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&u1, &u1, &grp->N));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu1, &e, &s_inv));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N));
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&u2, r, &s_inv));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&u2, &u2, &grp->N));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu2, r, &s_inv));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N));
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ver != NULL)
+        rs_ctx->ver->state = ecdsa_ver_muladd;
+
+muladd:
+#endif
     /*
      * Step 5: R = u1 G + u2 Q
-     *
-     * Since we're not using any secret data, no need to pass a RNG to
-     * mbedtls_ecp_mul() for countermesures.
      */
-    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, &R, &u1, &grp->G, &u2, Q));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd_restartable(grp,
+                                                   &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP));
 
     if (mbedtls_ecp_is_zero(&R)) {
         ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
@@ -279,16 +674,36 @@ cleanup:
     mbedtls_mpi_free(&u1);
     mbedtls_mpi_free(&u2);
 
+    ECDSA_RS_LEAVE(ver);
+
     return (ret);
 }
-#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
+                         const unsigned char *buf, size_t blen,
+                         const mbedtls_ecp_point *Q,
+                         const mbedtls_mpi *r,
+                         const mbedtls_mpi *s) {
+    ECDSA_VALIDATE_RET(grp != NULL);
+    ECDSA_VALIDATE_RET(Q   != NULL);
+    ECDSA_VALIDATE_RET(r   != NULL);
+    ECDSA_VALIDATE_RET(s   != NULL);
+    ECDSA_VALIDATE_RET(buf != NULL || blen == 0);
+
+    return (ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL));
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
 
 /*
  * Convert a signature (given by context) to ASN.1
  */
 int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,
                             unsigned char *sig, size_t *slen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
     unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = {0};
     unsigned char *p = buf + sizeof(buf) - 1;
     size_t len = 0;
@@ -297,39 +712,54 @@ int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, r));
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
-    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,
+                                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
 
     memcpy(sig, p, len);
     *slen = len;
+
     return (0);
 }
 
 /*
  * Compute and write signature
  */
-int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
-                                  const unsigned char *hash, size_t hlen,
-                                  unsigned char *sig, size_t *slen,
-                                  int (*f_rng)(void *, unsigned char *, size_t),
-                                  void *p_rng) {
-    int ret;
+int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
+                                              mbedtls_md_type_t md_alg,
+                                              const unsigned char *hash, size_t hlen,
+                                              unsigned char *sig, size_t *slen,
+                                              int (*f_rng)(void *, unsigned char *, size_t),
+                                              void *p_rng,
+                                              mbedtls_ecdsa_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET(ctx  != NULL);
+    ECDSA_VALIDATE_RET(hash != NULL);
+    ECDSA_VALIDATE_RET(sig  != NULL);
+    ECDSA_VALIDATE_RET(slen != NULL);
 
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-    (void) f_rng;
-    (void) p_rng;
-
-    MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det(&ctx->grp, &r, &s, &ctx->d,
-                                           hash, hlen, md_alg));
+    MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+                                               hash, hlen, md_alg, f_rng,
+                                               p_rng, rs_ctx));
 #else
     (void) md_alg;
 
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    (void) rs_ctx;
+
     MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d,
                                        hash, hlen, f_rng, p_rng));
-#endif
+#else
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+                                           hash, hlen, f_rng, p_rng, f_rng,
+                                           p_rng, rs_ctx));
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
     MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, slen));
 
@@ -340,12 +770,33 @@ cleanup:
     return (ret);
 }
 
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED) && \
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
+                                  mbedtls_md_type_t md_alg,
+                                  const unsigned char *hash, size_t hlen,
+                                  unsigned char *sig, size_t *slen,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng) {
+    ECDSA_VALIDATE_RET(ctx  != NULL);
+    ECDSA_VALIDATE_RET(hash != NULL);
+    ECDSA_VALIDATE_RET(sig  != NULL);
+    ECDSA_VALIDATE_RET(slen != NULL);
+    return (mbedtls_ecdsa_write_signature_restartable(
+                ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL));
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
     defined(MBEDTLS_ECDSA_DETERMINISTIC)
 int mbedtls_ecdsa_write_signature_det(mbedtls_ecdsa_context *ctx,
                                       const unsigned char *hash, size_t hlen,
                                       unsigned char *sig, size_t *slen,
                                       mbedtls_md_type_t md_alg) {
+    ECDSA_VALIDATE_RET(ctx  != NULL);
+    ECDSA_VALIDATE_RET(hash != NULL);
+    ECDSA_VALIDATE_RET(sig  != NULL);
+    ECDSA_VALIDATE_RET(slen != NULL);
     return (mbedtls_ecdsa_write_signature(ctx, md_alg, hash, hlen, sig, slen,
                                           NULL, NULL));
 }
@@ -357,11 +808,28 @@ int mbedtls_ecdsa_write_signature_det(mbedtls_ecdsa_context *ctx,
 int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
                                  const unsigned char *hash, size_t hlen,
                                  const unsigned char *sig, size_t slen) {
-    int ret;
+    ECDSA_VALIDATE_RET(ctx  != NULL);
+    ECDSA_VALIDATE_RET(hash != NULL);
+    ECDSA_VALIDATE_RET(sig  != NULL);
+    return (mbedtls_ecdsa_read_signature_restartable(
+                ctx, hash, hlen, sig, slen, NULL));
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
+                                             const unsigned char *hash, size_t hlen,
+                                             const unsigned char *sig, size_t slen,
+                                             mbedtls_ecdsa_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p = (unsigned char *) sig;
     const unsigned char *end = sig + slen;
     size_t len;
     mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET(ctx  != NULL);
+    ECDSA_VALIDATE_RET(hash != NULL);
+    ECDSA_VALIDATE_RET(sig  != NULL);
 
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
@@ -383,10 +851,17 @@ int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
         ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
         goto cleanup;
     }
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    (void) rs_ctx;
 
     if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen,
                                     &ctx->Q, &r, &s)) != 0)
         goto cleanup;
+#else
+    if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+                                        &ctx->Q, &r, &s, rs_ctx)) != 0)
+        goto cleanup;
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
 
     /* At this point we know that the buffer starts with a valid signature.
      * Return 0 if the buffer just contains the signature, and a specific
@@ -407,16 +882,26 @@ cleanup:
  */
 int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    return (mbedtls_ecp_group_load(&ctx->grp, gid) ||
-            mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng));
+    int ret = 0;
+    ECDSA_VALIDATE_RET(ctx   != NULL);
+    ECDSA_VALIDATE_RET(f_rng != NULL);
+
+    ret = mbedtls_ecp_group_load(&ctx->grp, gid);
+    if (ret != 0)
+        return (ret);
+
+    return (mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d,
+                                    &ctx->Q, f_rng, p_rng));
 }
-#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
 
 /*
  * Set context from an mbedtls_ecp_keypair
  */
 int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECDSA_VALIDATE_RET(ctx != NULL);
+    ECDSA_VALIDATE_RET(key != NULL);
 
     if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 ||
             (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 ||
@@ -431,6 +916,8 @@ int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_key
  * Initialize context
  */
 void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx) {
+    ECDSA_VALIDATE(ctx != NULL);
+
     mbedtls_ecp_keypair_init(ctx);
 }
 
@@ -438,7 +925,51 @@ void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx) {
  * Free context
  */
 void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx) {
+    if (ctx == NULL)
+        return;
+
     mbedtls_ecp_keypair_free(ctx);
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx) {
+    ECDSA_VALIDATE(ctx != NULL);
+
+    mbedtls_ecp_restart_init(&ctx->ecp);
+
+    ctx->ver = NULL;
+    ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_ecp_restart_free(&ctx->ecp);
+
+    ecdsa_restart_ver_free(ctx->ver);
+    mbedtls_free(ctx->ver);
+    ctx->ver = NULL;
+
+    ecdsa_restart_sig_free(ctx->sig);
+    mbedtls_free(ctx->sig);
+    ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ecdsa_restart_det_free(ctx->det);
+    mbedtls_free(ctx->det);
+    ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 #endif /* MBEDTLS_ECDSA_C */
diff --git a/common/mbedtls/ecdsa.h b/common/mbedtls/ecdsa.h
index 5293c2376..ba4133645 100644
--- a/common/mbedtls/ecdsa.h
+++ b/common/mbedtls/ecdsa.h
@@ -11,66 +11,135 @@
  *
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
 
-#include "ecp.h"
-#include "md.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
-/*
- * RFC-4492 page 20:
+#include "mbedtls/ecp.h"
+#include "mbedtls/md.h"
+
+/**
+ * \brief           Maximum ECDSA signature size for a given curve bit size
  *
+ * \param bits      Curve size in bits
+ * \return          Maximum signature size in bytes
+ *
+ * \note            This macro returns a compile-time constant if its argument
+ *                  is one. It may evaluate its argument multiple times.
+ */
+/*
  *     Ecdsa-Sig-Value ::= SEQUENCE {
  *         r       INTEGER,
  *         s       INTEGER
  *     }
  *
- * Size is at most
- *    1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
- *    twice that + 1 (tag) + 2 (len) for the sequence
- * (assuming ECP_MAX_BYTES is less than 126 for r and s,
- * and less than 124 (total len <= 255) for the sequence)
+ * For each of r and s, the value (V) may include an extra initial "0" bit.
  */
-#if MBEDTLS_ECP_MAX_BYTES > 124
-#error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
-#endif
-/** The maximal size of an ECDSA signature in Bytes. */
-#define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
+#define MBEDTLS_ECDSA_MAX_SIG_LEN( bits )                               \
+    ( /*T,L of SEQUENCE*/ ( ( bits ) >= 61 * 8 ? 3 : 2 ) +              \
+      /*T,L of r,s*/        2 * ( ( ( bits ) >= 127 * 8 ? 3 : 2 ) +     \
+      /*V of r,s*/                ( ( bits ) + 8 ) / 8 ) )
 
-/**
- * \brief           The ECDSA context structure.
- */
-typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+/** The maximal size of an ECDSA signature in Bytes. */
+#define MBEDTLS_ECDSA_MAX_LEN  MBEDTLS_ECDSA_MAX_SIG_LEN( MBEDTLS_ECP_MAX_BITS )
+
+int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen);
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/**
+ * \brief           The ECDSA context structure.
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ */
+typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for ecdsa_verify()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief           Internal restart context for ecdsa_sign()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           Internal restart context for ecdsa_sign_det()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
+#endif
+
+/**
+ * \brief           General context for resuming ECDSA operations
+ */
+typedef struct {
+    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
+                                              shared administrative info    */
+    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
+    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
+#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief          This function checks whether a given group can be used
+ *                 for ECDSA.
+ *
+ * \param gid      The ECP group ID to check.
+ *
+ * \return         \c 1 if the group can be used, \c 0 otherwise
+ */
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
+
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message.
  *
- * \note            The deterministic version is usually preferred.
+ * \note            The deterministic version implemented in
+ *                  mbedtls_ecdsa_sign_det() is usually preferred.
  *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated
@@ -80,14 +149,22 @@ extern "C" {
  *
  * \see             ecp.h
  *
- * \param grp       The ECP group.
- * \param r         The first output integer.
- * \param s         The second output integer.
- * \param d         The private signing key.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized.
+ * \param buf       The content to be signed. This is usually the hash of
+ *                  the original data to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context parameter.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX
@@ -98,6 +175,67 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized
+ *                  and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf       The hashed content to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param md_alg    The hash algorithm used to hash the original data.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                           mbedtls_mpi *s, const mbedtls_mpi *d,
+                           const unsigned char *buf, size_t blen,
+                           mbedtls_md_type_t md_alg) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message, deterministic version.
@@ -114,21 +252,35 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  *
  * \see             ecp.h
  *
- * \param grp       The ECP group.
- * \param r         The first output integer.
- * \param s         The second output integer.
- * \param d         The private signing key.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param md_alg    The MD algorithm used to hash the message.
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
  *                  error code on failure.
  */
-int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
-                           const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                           mbedtls_md_type_t md_alg);
+int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                               mbedtls_mpi *s, const mbedtls_mpi *d,
+                               const unsigned char *buf, size_t blen,
+                               mbedtls_md_type_t md_alg,
+                               int (*f_rng_blind)(void *, unsigned char *, size_t),
+                               void *p_rng_blind);
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
 /**
@@ -143,12 +295,19 @@ int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *
  *
  * \see             ecp.h
  *
- * \param grp       The ECP group.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param Q         The public key to use for verification.
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
  * \param r         The first integer of the signature.
+ *                  This must be initialized.
  * \param s         The second integer of the signature.
+ *                  This must be initialized.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
@@ -158,7 +317,8 @@ int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *
  */
 int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
                          const unsigned char *buf, size_t blen,
-                         const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+                         const mbedtls_mpi *s);
 
 /**
  * \brief           This function computes the ECDSA signature and writes it
@@ -175,11 +335,6 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
  *                  of the Digital Signature Algorithm (DSA) and Elliptic
  *                  Curve Digital Signature Algorithm (ECDSA)</em>.
  *
- * \note            The \p sig buffer must be at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if
- *                  a 256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
@@ -188,25 +343,85 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
  *
  * \see             ecp.h
  *
- * \param ctx       The ECDSA context.
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
  * \param md_alg    The message digest that was used to hash the message.
- * \param hash      The message hash.
- * \param hlen      The length of the hash.
- * \param sig       The buffer that holds the signature.
- * \param slen      The length of the signature written.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is used only for blinding and may be set to \c NULL, but
+ *                  doing so is DEPRECATED.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
  *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
+                                  mbedtls_md_type_t md_alg,
                                   const unsigned char *hash, size_t hlen,
                                   unsigned char *sig, size_t *slen,
                                   int (*f_rng)(void *, unsigned char *, size_t),
                                   void *p_rng);
 
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_write_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_write_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
+                                              mbedtls_md_type_t md_alg,
+                                              const unsigned char *hash, size_t hlen,
+                                              unsigned char *sig, size_t *slen,
+                                              int (*f_rng)(void *, unsigned char *, size_t),
+                                              void *p_rng,
+                                              mbedtls_ecdsa_restart_ctx *rs_ctx);
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
@@ -227,11 +442,6 @@ int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
  * \warning         It is not thread-safe to use the same context in
  *                  multiple threads.
  *
- * \note            The \p sig buffer must be at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if a
- *                  256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
@@ -243,12 +453,20 @@ int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
  * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
  *                  Mbed TLS version 2.0 and later.
  *
- * \param ctx       The ECDSA context.
- * \param hash      The message hash.
- * \param hlen      The length of the hash.
- * \param sig       The buffer that holds the signature.
- * \param slen      The length of the signature written.
- * \param md_alg    The MD algorithm used to hash the message.
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param md_alg    The message digest that was used to hash the message.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
@@ -273,11 +491,14 @@ int mbedtls_ecdsa_write_signature_det(mbedtls_ecdsa_context *ctx,
  *
  * \see             ecp.h
  *
- * \param ctx       The ECDSA context.
- * \param hash      The message hash.
- * \param hlen      The size of the hash.
- * \param sig       The signature to read and verify.
- * \param slen      The size of \p sig.
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
@@ -290,16 +511,54 @@ int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
                                  const unsigned char *hash, size_t hlen,
                                  const unsigned char *sig, size_t slen);
 
+/**
+ * \brief           This function reads and verifies an ECDSA signature,
+ *                  in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_read_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_read_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
+                                             const unsigned char *hash, size_t hlen,
+                                             const unsigned char *sig, size_t slen,
+                                             mbedtls_ecdsa_restart_ctx *rs_ctx);
+
 /**
  * \brief          This function generates an ECDSA keypair on the given curve.
  *
  * \see            ecp.h
  *
  * \param ctx      The ECDSA context to store the keypair in.
+ *                 This must be initialized.
  * \param gid      The elliptic curve to use. One of the various
  *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG context.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
@@ -308,33 +567,58 @@ int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
 
 /**
- * \brief           This function sets an ECDSA context from an EC key pair.
+ * \brief           This function sets up an ECDSA context from an EC key pair.
  *
  * \see             ecp.h
  *
- * \param ctx       The ECDSA context to set.
- * \param key       The EC key to use.
+ * \param ctx       The ECDSA context to setup. This must be initialized.
+ * \param key       The EC key to use. This must be initialized and hold
+ *                  a private-public key pair or a public key. In the former
+ *                  case, the ECDSA context may be used for signature creation
+ *                  and verification after this call. In the latter case, it
+ *                  may be used for signature verification.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX code on failure.
  */
-int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key);
+int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx,
+                               const mbedtls_ecp_keypair *key);
 
 /**
  * \brief           This function initializes an ECDSA context.
  *
  * \param ctx       The ECDSA context to initialize.
+ *                  This must not be \c NULL.
  */
 void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx);
 
 /**
  * \brief           This function frees an ECDSA context.
  *
- * \param ctx       The ECDSA context to free.
+ * \param ctx       The ECDSA context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
  */
 void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx);
 
-int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen);
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx);
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
 #ifdef __cplusplus
 }
diff --git a/common/mbedtls/ecjpake.c b/common/mbedtls/ecjpake.c
new file mode 100644
index 000000000..5082d626f
--- /dev/null
+++ b/common/mbedtls/ecjpake.c
@@ -0,0 +1,1109 @@
+/*
+ *  Elliptic curve J-PAKE
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECJPAKE_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECJPAKE_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char *const ecjpake_id[] = {
+    "client",
+    "server"
+};
+
+#define ID_MINE     ( ecjpake_id[ ctx->role ] )
+#define ID_PEER     ( ecjpake_id[ 1 - ctx->role ] )
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx) {
+    ECJPAKE_VALIDATE(ctx != NULL);
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_init(&ctx->grp);
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    mbedtls_ecp_point_init(&ctx->Xm1);
+    mbedtls_ecp_point_init(&ctx->Xm2);
+    mbedtls_ecp_point_init(&ctx->Xp1);
+    mbedtls_ecp_point_init(&ctx->Xp2);
+    mbedtls_ecp_point_init(&ctx->Xp);
+
+    mbedtls_mpi_init(&ctx->xm1);
+    mbedtls_mpi_init(&ctx->xm2);
+    mbedtls_mpi_init(&ctx->s);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_free(&ctx->grp);
+
+    mbedtls_ecp_point_free(&ctx->Xm1);
+    mbedtls_ecp_point_free(&ctx->Xm2);
+    mbedtls_ecp_point_free(&ctx->Xp1);
+    mbedtls_ecp_point_free(&ctx->Xp2);
+    mbedtls_ecp_point_free(&ctx->Xp);
+
+    mbedtls_mpi_free(&ctx->xm1);
+    mbedtls_mpi_free(&ctx->xm2);
+    mbedtls_mpi_free(&ctx->s);
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
+                          mbedtls_ecjpake_role role,
+                          mbedtls_md_type_t hash,
+                          mbedtls_ecp_group_id curve,
+                          const unsigned char *secret,
+                          size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    ECJPAKE_VALIDATE_RET(ctx != NULL);
+    ECJPAKE_VALIDATE_RET(role == MBEDTLS_ECJPAKE_CLIENT ||
+                         role == MBEDTLS_ECJPAKE_SERVER);
+    ECJPAKE_VALIDATE_RET(secret != NULL || len == 0);
+
+    ctx->role = role;
+
+    if ((ctx->md_info = mbedtls_md_info_from_type(hash)) == NULL)
+        return (MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE);
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));
+
+cleanup:
+    if (ret != 0)
+        mbedtls_ecjpake_free(ctx);
+
+    return (ret);
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx) {
+    ECJPAKE_VALIDATE_RET(ctx != NULL);
+
+    if (ctx->md_info == NULL ||
+            ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+            ctx->s.p == NULL) {
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+    }
+
+    return (0);
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point(unsigned char **p,
+                                   const unsigned char *end,
+                                   const mbedtls_ecp_group *grp,
+                                   const int pf,
+                                   const mbedtls_ecp_point *P) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    /* Need at least 4 for length plus 1 for point */
+    if (end < *p || end - *p < 5)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    ret = mbedtls_ecp_point_write_binary(grp, P, pf,
+                                         &len, *p + 4, end - (*p + 4));
+    if (ret != 0)
+        return (ret);
+
+    (*p)[0] = (unsigned char)((len >> 24) & 0xFF);
+    (*p)[1] = (unsigned char)((len >> 16) & 0xFF);
+    (*p)[2] = (unsigned char)((len >>  8) & 0xFF);
+    (*p)[3] = (unsigned char)((len) & 0xFF);
+
+    *p += 4 + len;
+
+    return (0);
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN    ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 )
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash(const mbedtls_md_info_t *md_info,
+                        const mbedtls_ecp_group *grp,
+                        const int pf,
+                        const mbedtls_ecp_point *G,
+                        const mbedtls_ecp_point *V,
+                        const mbedtls_ecp_point *X,
+                        const char *id,
+                        mbedtls_mpi *h) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+    unsigned char *p = buf;
+    const unsigned char *end = buf + sizeof(buf);
+    const size_t id_len = strlen(id);
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    /* Write things to temporary buffer */
+    MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
+    MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, V));
+    MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, X));
+
+    if (end - p < 4)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    *p++ = (unsigned char)((id_len >> 24) & 0xFF);
+    *p++ = (unsigned char)((id_len >> 16) & 0xFF);
+    *p++ = (unsigned char)((id_len >>  8) & 0xFF);
+    *p++ = (unsigned char)((id_len) & 0xFF);
+
+    if (end < p || (size_t)(end - p) < id_len)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    memcpy(p, id, id_len);
+    p += id_len;
+
+    /* Compute hash */
+    MBEDTLS_MPI_CHK(mbedtls_md(md_info, buf, p - buf, hash));
+
+    /* Turn it into an integer mod n */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
+                                            mbedtls_md_get_size(md_info)));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read(const mbedtls_md_info_t *md_info,
+                            const mbedtls_ecp_group *grp,
+                            const int pf,
+                            const mbedtls_ecp_point *G,
+                            const mbedtls_ecp_point *X,
+                            const char *id,
+                            const unsigned char **p,
+                            const unsigned char *end) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point V, VV;
+    mbedtls_mpi r, h;
+    size_t r_len;
+
+    mbedtls_ecp_point_init(&V);
+    mbedtls_ecp_point_init(&VV);
+    mbedtls_mpi_init(&r);
+    mbedtls_mpi_init(&h);
+
+    /*
+     * struct {
+     *     ECPoint V;
+     *     opaque r<1..2^8-1>;
+     * } ECSchnorrZKP;
+     */
+    if (end < *p)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, &V, p, end - *p));
+
+    if (end < *p || (size_t)(end - *p) < 1) {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    r_len = *(*p)++;
+
+    if (end < *p || (size_t)(end - *p) < r_len) {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, *p, r_len));
+    *p += r_len;
+
+    /*
+     * Verification
+     */
+    MBEDTLS_MPI_CHK(ecjpake_hash(md_info, grp, pf, G, &V, X, id, &h));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd((mbedtls_ecp_group *) grp,
+                                       &VV, &h, X, &r, G));
+
+    if (mbedtls_ecp_point_cmp(&VV, &V) != 0) {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free(&V);
+    mbedtls_ecp_point_free(&VV);
+    mbedtls_mpi_free(&r);
+    mbedtls_mpi_free(&h);
+
+    return (ret);
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write(const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             const mbedtls_mpi *x,
+                             const mbedtls_ecp_point *X,
+                             const char *id,
+                             unsigned char **p,
+                             const unsigned char *end,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point V;
+    mbedtls_mpi v;
+    mbedtls_mpi h; /* later recycled to hold r */
+    size_t len;
+
+    if (end < *p)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    mbedtls_ecp_point_init(&V);
+    mbedtls_mpi_init(&v);
+    mbedtls_mpi_init(&h);
+
+    /* Compute signature */
+    MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp,
+                                                 G, &v, &V, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(ecjpake_hash(md_info, grp, pf, G, &V, X, id, &h));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&h, &h, x));     /* x*h */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&h, &v, &h));     /* v - x*h */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&h, &h, &grp->N));     /* r */
+
+    /* Write it out */
+    MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, &V,
+                                                pf, &len, *p, end - *p));
+    *p += len;
+
+    len = mbedtls_mpi_size(&h);   /* actually r */
+    if (end < *p || (size_t)(end - *p) < 1 + len || len > 255) {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+
+    *(*p)++ = (unsigned char)(len & 0xFF);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, *p, len));     /* r */
+    *p += len;
+
+cleanup:
+    mbedtls_ecp_point_free(&V);
+    mbedtls_mpi_free(&v);
+    mbedtls_mpi_free(&h);
+
+    return (ret);
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read(const mbedtls_md_info_t *md_info,
+                            const mbedtls_ecp_group *grp,
+                            const int pf,
+                            const mbedtls_ecp_point *G,
+                            mbedtls_ecp_point *X,
+                            const char *id,
+                            const unsigned char **p,
+                            const unsigned char *end) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (end < *p)
+        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+    /*
+     * struct {
+     *     ECPoint X;
+     *     ECSchnorrZKP zkp;
+     * } ECJPAKEKeyKP;
+     */
+    MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, X, p, end - *p));
+    if (mbedtls_ecp_is_zero(X)) {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(ecjpake_zkp_read(md_info, grp, pf, G, X, id, p, end));
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write(const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             mbedtls_mpi *x,
+                             mbedtls_ecp_point *X,
+                             const char *id,
+                             unsigned char **p,
+                             const unsigned char *end,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    if (end < *p)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    /* Generate key (7.4.2.3.1) and write it out */
+    MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp, G, x, X,
+                                                 f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, X,
+                                                pf, &len, *p, end - *p));
+    *p += len;
+
+    /* Generate and write proof */
+    MBEDTLS_MPI_CHK(ecjpake_zkp_write(md_info, grp, pf, G, x, X, id,
+                                      p, end, f_rng, p_rng));
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Ouputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read(const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             mbedtls_ecp_point *Xa,
+                             mbedtls_ecp_point *Xb,
+                             const char *id,
+                             const unsigned char *buf,
+                             size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    /*
+     * struct {
+     *     ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+     * } ECJPAKEKeyKPPairList;
+     */
+    MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_info, grp, pf, G, Xa, id, &p, end));
+    MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_info, grp, pf, G, Xb, id, &p, end));
+
+    if (p != end)
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write(const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_mpi *xm1,
+                              mbedtls_ecp_point *Xa,
+                              mbedtls_mpi *xm2,
+                              mbedtls_ecp_point *Xb,
+                              const char *id,
+                              unsigned char *buf,
+                              size_t len,
+                              size_t *olen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_info, grp, pf, G, xm1, Xa, id,
+                                      &p, end, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_info, grp, pf, G, xm2, Xb, id,
+                                      &p, end, f_rng, p_rng));
+
+    *olen = p - buf;
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
+                                   const unsigned char *buf,
+                                   size_t len) {
+    ECJPAKE_VALIDATE_RET(ctx != NULL);
+    ECJPAKE_VALIDATE_RET(buf != NULL);
+
+    return (ecjpake_kkpp_read(ctx->md_info, &ctx->grp, ctx->point_format,
+                              &ctx->grp.G,
+                              &ctx->Xp1, &ctx->Xp2, ID_PEER,
+                              buf, len));
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
+                                    unsigned char *buf, size_t len, size_t *olen,
+                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    void *p_rng) {
+    ECJPAKE_VALIDATE_RET(ctx   != NULL);
+    ECJPAKE_VALIDATE_RET(buf   != NULL);
+    ECJPAKE_VALIDATE_RET(olen  != NULL);
+    ECJPAKE_VALIDATE_RET(f_rng != NULL);
+
+    return (ecjpake_kkpp_write(ctx->md_info, &ctx->grp, ctx->point_format,
+                               &ctx->grp.G,
+                               &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+                               ID_MINE, buf, len, olen, f_rng, p_rng));
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                            const mbedtls_ecp_point *A,
+                            const mbedtls_ecp_point *B,
+                            const mbedtls_ecp_point *C) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi one;
+
+    mbedtls_mpi_init(&one);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, A, &one, B));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, R, &one, C));
+
+cleanup:
+    mbedtls_mpi_free(&one);
+
+    return (ret);
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
+                                   const unsigned char *buf,
+                                   size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point G;    /* C: GB, S: GA */
+
+    ECJPAKE_VALIDATE_RET(ctx != NULL);
+    ECJPAKE_VALIDATE_RET(buf != NULL);
+
+    mbedtls_ecp_group_init(&grp);
+    mbedtls_ecp_point_init(&G);
+
+    /*
+     * Server: GA = X3  + X4  + X1      (7.4.2.6.1)
+     * Client: GB = X1  + X2  + X3      (7.4.2.5.1)
+     * Unified: G = Xm1 + Xm2 + Xp1
+     * We need that before parsing in order to check Xp as we read it
+     */
+    MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+                                     &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));
+
+    /*
+     * struct {
+     *     ECParameters curve_params;   // only client reading server msg
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {
+        MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_group(&grp, &p, len));
+        if (grp.id != ctx->grp.id) {
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_info, &ctx->grp,
+                                     ctx->point_format,
+                                     &G, &ctx->Xp, ID_PEER, &p, end));
+
+    if (p != end) {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_group_free(&grp);
+    mbedtls_ecp_point_free(&G);
+
+    return (ret);
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret(mbedtls_mpi *R, int sign,
+                              const mbedtls_mpi *X,
+                              const mbedtls_mpi *S,
+                              const mbedtls_mpi *N,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+    mbedtls_mpi_init(&b);
+
+    /* b = s + rnd-128-bit * N */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&b, 16, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&b, &b, N));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&b, &b, S));
+
+    /* R = sign * X * b mod N */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(R, X, &b));
+    R->s *= sign;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(R, R, N));
+
+cleanup:
+    mbedtls_mpi_free(&b);
+
+    return (ret);
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
+                                    unsigned char *buf, size_t len, size_t *olen,
+                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point G;    /* C: GA, S: GB */
+    mbedtls_ecp_point Xm;   /* C: Xc, S: Xs */
+    mbedtls_mpi xm;         /* C: xc, S: xs */
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    size_t ec_len;
+
+    ECJPAKE_VALIDATE_RET(ctx   != NULL);
+    ECJPAKE_VALIDATE_RET(buf   != NULL);
+    ECJPAKE_VALIDATE_RET(olen  != NULL);
+    ECJPAKE_VALIDATE_RET(f_rng != NULL);
+
+    mbedtls_ecp_point_init(&G);
+    mbedtls_ecp_point_init(&Xm);
+    mbedtls_mpi_init(&xm);
+
+    /*
+     * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+     *
+     * Client:  GA = X1  + X3  + X4  | xs = x2  * s | Xc = xc * GA
+     * Server:  GB = X3  + X1  + X2  | xs = x4  * s | Xs = xs * GB
+     * Unified: G  = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+     */
+    MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+                                     &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));
+    MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,
+                                       &ctx->grp.N, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));
+
+    /*
+     * Now write things out
+     *
+     * struct {
+     *     ECParameters curve_params;   // only server writing its message
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {
+        if (end < p) {
+            ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,
+                                                    p, end - p));
+        p += ec_len;
+    }
+
+    if (end < p) {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+    MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,
+                                                ctx->point_format, &ec_len, p, end - p));
+    p += ec_len;
+
+    MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_info, &ctx->grp,
+                                      ctx->point_format,
+                                      &G, &xm, &Xm, ID_MINE,
+                                      &p, end, f_rng, p_rng));
+
+    *olen = p - buf;
+
+cleanup:
+    mbedtls_ecp_point_free(&G);
+    mbedtls_ecp_point_free(&Xm);
+    mbedtls_mpi_free(&xm);
+
+    return (ret);
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
+                                  unsigned char *buf, size_t len, size_t *olen,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point K;
+    mbedtls_mpi m_xm2_s, one;
+    unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+    size_t x_bytes;
+
+    ECJPAKE_VALIDATE_RET(ctx   != NULL);
+    ECJPAKE_VALIDATE_RET(buf   != NULL);
+    ECJPAKE_VALIDATE_RET(olen  != NULL);
+    ECJPAKE_VALIDATE_RET(f_rng != NULL);
+
+    *olen = mbedtls_md_get_size(ctx->md_info);
+    if (len < *olen)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    mbedtls_ecp_point_init(&K);
+    mbedtls_mpi_init(&m_xm2_s);
+    mbedtls_mpi_init(&one);
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+
+    /*
+     * Client:  K = ( Xs - X4  * x2  * s ) * x2
+     * Server:  K = ( Xc - X2  * x4  * s ) * x4
+     * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+     */
+    MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,
+                                       &ctx->grp.N, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, &K,
+                                       &one, &ctx->Xp,
+                                       &m_xm2_s, &ctx->Xp2));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &K, &ctx->xm2, &K,
+                                    f_rng, p_rng));
+
+    /* PMS = SHA-256( K.X ) */
+    x_bytes = (ctx->grp.pbits + 7) / 8;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K.X, kx, x_bytes));
+    MBEDTLS_MPI_CHK(mbedtls_md(ctx->md_info, kx, x_bytes, buf));
+
+cleanup:
+    mbedtls_ecp_point_free(&K);
+    mbedtls_mpi_free(&m_xm2_s);
+    mbedtls_mpi_free(&one);
+
+    return (ret);
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+    !defined(MBEDTLS_SHA256_C)
+int mbedtls_ecjpake_self_test(int verbose) {
+    (void) verbose;
+    return (0);
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+    0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+    0x65, 0x73, 0x74
+};
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+static const unsigned char ecjpake_test_x1[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+    0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+    0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+    0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+    0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+    0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+    0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+    0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+    0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+    0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+    0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+    0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+    0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+    0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+    0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+    0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+    0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+    0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+    0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+    0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+    0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+    0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+    0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+    0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+    0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+    0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+    0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+    0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+    0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+    0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+    0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+    0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+    0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+    0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+    0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+    0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+    0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+    0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+    0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+    0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+    0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+    0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+    0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+    0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+    0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+    0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+    0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+    0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+    0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+    0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+    0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+    0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+    0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+    0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+    0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+    0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+    0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+    0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+    0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+    0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+    0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+    0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+    0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+    0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+    0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+    0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+    0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+    0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+    0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+    0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+    0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+    0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+    0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+    0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+    0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+    0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+    0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+    0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+    0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+    0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+    0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+    0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+    0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+    0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+    0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+    0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+    0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+    0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+    0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+    0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+    0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,
+                             const unsigned char *xm1, size_t len1,
+                             const unsigned char *xm2, size_t len2) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,
+                                    &ctx->grp.G, NULL, NULL));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,
+                                    &ctx->grp.G, NULL, NULL));
+
+cleanup:
+    return (ret);
+}
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc(void *p, unsigned char *out, size_t len) {
+    static uint32_t x = 42;
+    (void) p;
+
+    while (len > 0) {
+        size_t use_len = len > 4 ? 4 : len;
+        x = 1664525 * x + 1013904223;
+        memcpy(out, &x, use_len);
+        out += use_len;
+        len -= use_len;
+    }
+
+    return (0);
+}
+
+#define TEST_ASSERT( x )    \
+    do {                    \
+        if( x )             \
+            ret = 0;        \
+        else                \
+        {                   \
+            ret = 1;        \
+            goto cleanup;   \
+        }                   \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test(int verbose) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecjpake_context cli;
+    mbedtls_ecjpake_context srv;
+    unsigned char buf[512], pms[32];
+    size_t len, pmslen;
+
+    mbedtls_ecjpake_init(&cli);
+    mbedtls_ecjpake_init(&srv);
+
+    if (verbose != 0)
+        mbedtls_printf("  ECJPAKE test #0 (setup): ");
+
+    TEST_ASSERT(mbedtls_ecjpake_setup(&cli, MBEDTLS_ECJPAKE_CLIENT,
+                                      MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                                      ecjpake_test_password,
+                                      sizeof(ecjpake_test_password)) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_setup(&srv, MBEDTLS_ECJPAKE_SERVER,
+                                      MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                                      ecjpake_test_password,
+                                      sizeof(ecjpake_test_password)) == 0);
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+    if (verbose != 0)
+        mbedtls_printf("  ECJPAKE test #1 (random handshake): ");
+
+    TEST_ASSERT(mbedtls_ecjpake_write_round_one(&cli,
+                                                buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv, buf, len) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_write_round_one(&srv,
+                                                buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli, buf, len) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_write_round_two(&srv,
+                                                buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli, buf, len) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+                                              pms, sizeof(pms), &pmslen, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_write_round_two(&cli,
+                                                buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv, buf, len) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+                                              buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(len == pmslen);
+    TEST_ASSERT(memcmp(buf, pms, len) == 0);
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+    /* 'reference handshake' tests can only be run against implementations
+     * for which we have 100% control over how the random ephemeral keys
+     * are generated. This is only the case for the internal mbed TLS
+     * implementation, so these tests are skipped in case the internal
+     * implementation is swapped out for an alternative one. */
+    if (verbose != 0)
+        mbedtls_printf("  ECJPAKE test #2 (reference handshake): ");
+
+    /* Simulate generation of round one */
+    MBEDTLS_MPI_CHK(ecjpake_test_load(&cli,
+                                      ecjpake_test_x1, sizeof(ecjpake_test_x1),
+                                      ecjpake_test_x2, sizeof(ecjpake_test_x2)));
+
+    MBEDTLS_MPI_CHK(ecjpake_test_load(&srv,
+                                      ecjpake_test_x3, sizeof(ecjpake_test_x3),
+                                      ecjpake_test_x4, sizeof(ecjpake_test_x4)));
+
+    /* Read round one */
+    TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv,
+                                               ecjpake_test_cli_one,
+                                               sizeof(ecjpake_test_cli_one)) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli,
+                                               ecjpake_test_srv_one,
+                                               sizeof(ecjpake_test_srv_one)) == 0);
+
+    /* Skip generation of round two, read round two */
+    TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli,
+                                               ecjpake_test_srv_two,
+                                               sizeof(ecjpake_test_srv_two)) == 0);
+
+    TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv,
+                                               ecjpake_test_cli_two,
+                                               sizeof(ecjpake_test_cli_two)) == 0);
+
+    /* Server derives PMS */
+    TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+                                              buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+    TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+    memset(buf, 0, len);   /* Avoid interferences with next step */
+
+    /* Client derives PMS */
+    TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+                                              buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+    TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+    TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+cleanup:
+    mbedtls_ecjpake_free(&cli);
+    mbedtls_ecjpake_free(&srv);
+
+    if (ret != 0) {
+        if (verbose != 0)
+            mbedtls_printf("failed\n");
+
+        ret = 1;
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (ret);
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/common/mbedtls/ecjpake.h b/common/mbedtls/ecjpake.h
new file mode 100644
index 000000000..0619c51b1
--- /dev/null
+++ b/common/mbedtls/ecjpake.h
@@ -0,0 +1,274 @@
+/**
+ * \file ecjpake.h
+ *
+ * \brief Elliptic curve J-PAKE
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_ECJPAKE_H
+#define MBEDTLS_ECJPAKE_H
+
+/*
+ * J-PAKE is a password-authenticated key exchange that allows deriving a
+ * strong shared secret from a (potentially low entropy) pre-shared
+ * passphrase, with forward secrecy and mutual authentication.
+ * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
+ *
+ * This file implements the Elliptic Curve variant of J-PAKE,
+ * as defined in Chapter 7.4 of the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ *
+ * As the J-PAKE algorithm is inherently symmetric, so is our API.
+ * Each party needs to send its first round message, in any order, to the
+ * other party, then each sends its second round message, in any order.
+ * The payloads are serialized in a way suitable for use in TLS, but could
+ * also be use outside TLS.
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Roles in the EC J-PAKE exchange
+ */
+typedef enum {
+    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
+    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+} mbedtls_ecjpake_role;
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+/**
+ * EC J-PAKE context structure.
+ *
+ * J-PAKE is a symmetric protocol, except for the identifiers used in
+ * Zero-Knowledge Proofs, and the serialization of the second message
+ * (KeyExchange) as defined by the Thread spec.
+ *
+ * In order to benefit from this symmetry, we choose a different naming
+ * convetion from the Thread v1.0 spec. Correspondance is indicated in the
+ * description as a pair C: client name, S: server name
+ */
+typedef struct mbedtls_ecjpake_context {
+    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
+    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
+    mbedtls_ecjpake_role role;          /**< Are we client or server?       */
+    int point_format;                   /**< Format for point export        */
+
+    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
+    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
+    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
+    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
+    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
+
+    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
+    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
+
+    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
+} mbedtls_ecjpake_context;
+
+#else  /* MBEDTLS_ECJPAKE_ALT */
+#include "ecjpake_alt.h"
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
+/**
+ * \brief           Initialize an ECJPAKE context.
+ *
+ * \param ctx       The ECJPAKE context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx);
+
+/**
+ * \brief           Set up an ECJPAKE context for use.
+ *
+ * \note            Currently the only values for hash/curve allowed by the
+ *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
+ *
+ * \param ctx       The ECJPAKE context to set up. This must be initialized.
+ * \param role      The role of the caller. This must be either
+ *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash      The identifier of the hash function to use,
+ *                  for example #MBEDTLS_MD_SHA256.
+ * \param curve     The identifier of the elliptic curve to use,
+ *                  for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret    The pre-shared secret (passphrase). This must be
+ *                  a readable buffer of length \p len Bytes. It need
+ *                  only be valid for the duration of this call.
+ * \param len       The length of the pre-shared secret \p secret.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
+                          mbedtls_ecjpake_role role,
+                          mbedtls_md_type_t hash,
+                          mbedtls_ecp_group_id curve,
+                          const unsigned char *secret,
+                          size_t len);
+
+/**
+ * \brief           Check if an ECJPAKE context is ready for use.
+ *
+ * \param ctx       The ECJPAKE context to check. This must be
+ *                  initialized.
+ *
+ * \return          \c 0 if the context is ready for use.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
+ */
+int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx);
+
+/**
+ * \brief           Generate and write the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be
+ *                  initialized and set up.
+ * \param buf       The buffer to write the contents to. This must be a
+ *                  writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number
+ *                  of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
+                                    unsigned char *buf, size_t len, size_t *olen,
+                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    void *p_rng);
+
+/**
+ * \brief           Read and process the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up.
+ * \param buf       The buffer holding the first round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
+                                   const unsigned char *buf,
+                                   size_t len);
+
+/**
+ * \brief           Generate and write the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up, and already have performed round one.
+ * \param buf       The buffer to write the round two contents to.
+ *                  This must be a writable buffer of length \p len Bytes.
+ * \param len       The size of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
+                                    unsigned char *buf, size_t len, size_t *olen,
+                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    void *p_rng);
+
+/**
+ * \brief           Read and process the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up and already have performed round one.
+ * \param buf       The buffer holding the second round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
+                                   const unsigned char *buf,
+                                   size_t len);
+
+/**
+ * \brief           Derive the shared secret
+ *                  (TLS: Pre-Master Secret).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up and have performed both round one and two.
+ * \param buf       The buffer to write the derived secret to. This must
+ *                  be a writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
+                                  unsigned char *buf, size_t len, size_t *olen,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng);
+
+/**
+ * \brief           This clears an ECJPAKE context and frees any
+ *                  embedded data structure.
+ *
+ * \param ctx       The ECJPAKE context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it is not
+ *                  \c NULL, it must point to an initialized ECJPAKE context.
+ */
+void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecjpake_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* ecjpake.h */
diff --git a/common/mbedtls/ecp.c b/common/mbedtls/ecp.c
index 3a2b48804..5754cfe28 100644
--- a/common/mbedtls/ecp.c
+++ b/common/mbedtls/ecp.c
@@ -1,24 +1,20 @@
 /*
  *  Elliptic curves over GF(p): generic functions
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -43,10 +39,35 @@
  *     <http://eprint.iacr.org/2004/342.pdf>
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
+#include "common.h"
+
+/**
+ * \brief Function level alternative implementation.
+ *
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
+ * replace certain functions in this module. The alternative implementations are
+ * typically hardware accelerators and need to activate the hardware before the
+ * computation starts and deactivate it after it finishes. The
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
+ * this purpose.
+ *
+ * To preserve the correct functionality the following conditions must hold:
+ *
+ * - The alternative implementation must be activated by
+ *   mbedtls_internal_ecp_init() before any of the replaceable functions is
+ *   called.
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
+ *   implementation is activated.
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
+ *   implementation is activated.
+ * - Public functions must not return while the alternative implementation is
+ *   activated.
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
+ *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
+ *   \endcode ensures that the alternative implementation supports the current
+ *   group.
+ */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
 #endif
 
 #if defined(MBEDTLS_ECP_C)
@@ -54,11 +75,18 @@
 #include "mbedtls/ecp.h"
 #include "mbedtls/threading.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_ECP_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -71,6 +99,16 @@
 
 #include "mbedtls/ecp_internal.h"
 
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#elif defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#else
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
     !defined(inline) && !defined(__cplusplus)
 #define inline __inline
@@ -84,39 +122,362 @@
 static unsigned long add_count, dbl_count, mul_count;
 #endif
 
-#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
-    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
-    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
-    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
-    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-#define ECP_SHORTWEIERSTRASS
-#endif
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+/*
+ * Currently ecp_mul() takes a RNG function as an argument, used for
+ * side-channel protection, but it can be NULL. The initial reasoning was
+ * that people will pass non-NULL RNG when they care about side-channels, but
+ * unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
+ * no opportunity for the user to do anything about it.
+ *
+ * The obvious strategies for addressing that include:
+ * - change those APIs so that they take RNG arguments;
+ * - require a global RNG to be available to all crypto modules.
+ *
+ * Unfortunately those would break compatibility. So what we do instead is
+ * have our own internal DRBG instance, seeded from the secret scalar.
+ *
+ * The following is a light-weight abstraction layer for doing that with
+ * HMAC_DRBG (first choice) or CTR_DRBG.
+ */
 
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
-    defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define ECP_MONTGOMERY
-#endif
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_hmac_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init(ecp_drbg_context *ctx) {
+    mbedtls_hmac_drbg_init(ctx);
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free(ecp_drbg_context *ctx) {
+    mbedtls_hmac_drbg_free(ctx);
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random(void *p_rng,
+                                  unsigned char *output, size_t output_len) {
+    return (mbedtls_hmac_drbg_random(p_rng, output, output_len));
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed(ecp_drbg_context *ctx,
+                         const mbedtls_mpi *secret, size_t secret_len) {
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+    /* The list starts with strong hashes */
+    const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
+
+    if (secret_len > MBEDTLS_ECP_MAX_BYTES) {
+        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(secret,
+                                             secret_bytes, secret_len));
+
+    ret = mbedtls_hmac_drbg_seed_buf(ctx, md_info, secret_bytes, secret_len);
+
+cleanup:
+    mbedtls_platform_zeroize(secret_bytes, secret_len);
+
+    return (ret);
+}
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_ctr_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init(ecp_drbg_context *ctx) {
+    mbedtls_ctr_drbg_init(ctx);
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free(ecp_drbg_context *ctx) {
+    mbedtls_ctr_drbg_free(ctx);
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random(void *p_rng,
+                                  unsigned char *output, size_t output_len) {
+    return (mbedtls_ctr_drbg_random(p_rng, output, output_len));
+}
 
 /*
- * Curve types: internal for now, might be exposed later
+ * Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
+ * we need to pass an entropy function when seeding. So we use a dummy
+ * function for that, and pass the actual entropy as customisation string.
+ * (During seeding of CTR_DRBG the entropy input and customisation string are
+ * concatenated before being used to update the secret state.)
  */
-typedef enum {
-    ECP_TYPE_NONE = 0,
-    ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
-    ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
-} ecp_curve_type;
+static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len) {
+    (void) ctx;
+    memset(out, 0, len);
+    return (0);
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed(ecp_drbg_context *ctx,
+                         const mbedtls_mpi *secret, size_t secret_len) {
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+
+    if (secret_len > MBEDTLS_ECP_MAX_BYTES) {
+        ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(secret,
+                                             secret_bytes, secret_len));
+
+    ret = mbedtls_ctr_drbg_seed(ctx, ecp_ctr_drbg_null_entropy, NULL,
+                                secret_bytes, secret_len);
+
+cleanup:
+    mbedtls_platform_zeroize(secret_bytes, secret_len);
+
+    return (ret);
+}
+
+#else
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif /* DRBG modules */
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops(unsigned max_ops) {
+    ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled(void) {
+    return (ecp_max_ops != 0);
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul {
+    mbedtls_ecp_point R;    /* current intermediate result                  */
+    size_t i;               /* current index in various loops, 0 outside    */
+    mbedtls_ecp_point *T;   /* table for precomputed points                 */
+    unsigned char T_size;   /* number of points in table T                  */
+    enum {                  /* what were we doing last time we returned?    */
+        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
+        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
+        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
+        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
+        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
+        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
+        ecp_rsm_final_norm,     /* do the final normalization               */
+    } state;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_context drbg_ctx;
+    unsigned char drbg_seeded;
+#endif
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx) {
+    mbedtls_ecp_point_init(&ctx->R);
+    ctx->i = 0;
+    ctx->T = NULL;
+    ctx->T_size = 0;
+    ctx->state = ecp_rsm_init;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_init(&ctx->drbg_ctx);
+    ctx->drbg_seeded = 0;
+#endif
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx) {
+    unsigned char i;
+
+    if (ctx == NULL)
+        return;
+
+    mbedtls_ecp_point_free(&ctx->R);
+
+    if (ctx->T != NULL) {
+        for (i = 0; i < ctx->T_size; i++)
+            mbedtls_ecp_point_free(ctx->T + i);
+        mbedtls_free(ctx->T);
+    }
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_free(&ctx->drbg_ctx);
+#endif
+
+    ecp_restart_rsm_init(ctx);
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd {
+    mbedtls_ecp_point mP;       /* mP value                             */
+    mbedtls_ecp_point R;        /* R intermediate result                */
+    enum {                      /* what should we do next?              */
+        ecp_rsma_mul1 = 0,      /* first multiplication                 */
+        ecp_rsma_mul2,          /* second multiplication                */
+        ecp_rsma_add,           /* addition                             */
+        ecp_rsma_norm,          /* normalization                        */
+    } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx) {
+    mbedtls_ecp_point_init(&ctx->mP);
+    mbedtls_ecp_point_init(&ctx->R);
+    ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_ecp_point_free(&ctx->mP);
+    mbedtls_ecp_point_free(&ctx->R);
+
+    ecp_restart_ma_init(ctx);
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx) {
+    ECP_VALIDATE(ctx != NULL);
+    ctx->ops_done = 0;
+    ctx->depth = 0;
+    ctx->rsm = NULL;
+    ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    ecp_restart_rsm_free(ctx->rsm);
+    mbedtls_free(ctx->rsm);
+
+    ecp_restart_ma_free(ctx->ma);
+    mbedtls_free(ctx->ma);
+
+    mbedtls_ecp_restart_init(ctx);
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
+                             mbedtls_ecp_restart_ctx *rs_ctx,
+                             unsigned ops) {
+    ECP_VALIDATE_RET(grp != NULL);
+
+    if (rs_ctx != NULL && ecp_max_ops != 0) {
+        /* scale depending on curve size: the chosen reference is 256-bit,
+         * and multiplication is quadratic. Round to the closest integer. */
+        if (grp->pbits >= 512)
+            ops *= 4;
+        else if (grp->pbits >= 384)
+            ops *= 2;
+
+        /* Avoid infinite loops: always allow first step.
+         * Because of that, however, it's not generally true
+         * that ops_done <= ecp_max_ops, so the check
+         * ops_done > ecp_max_ops below is mandatory. */
+        if ((rs_ctx->ops_done != 0) &&
+                (rs_ctx->ops_done > ecp_max_ops ||
+                 ops > ecp_max_ops - rs_ctx->ops_done)) {
+            return (MBEDTLS_ERR_ECP_IN_PROGRESS);
+        }
+
+        /* update running count */
+        rs_ctx->ops_done += ops;
+    }
+
+    return (0);
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER( SUB )   do {                                      \
+    /* reset ops count for this call if top-level */                    \
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )                        \
+        rs_ctx->ops_done = 0;                                           \
+                                                                        \
+    /* set up our own sub-context if needed */                          \
+    if( mbedtls_ecp_restart_is_enabled() &&                             \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                         \
+    {                                                                   \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );      \
+        if( rs_ctx->SUB == NULL )                                       \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                     \
+                                                                        \
+        ecp_restart_## SUB ##_init( rs_ctx->SUB );                      \
+    }                                                                   \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE( SUB )   do {                                      \
+    /* clear our sub-context when not in progress (done or error) */    \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                            \
+    {                                                                   \
+        ecp_restart_## SUB ##_free( rs_ctx->SUB );                      \
+        mbedtls_free( rs_ctx->SUB );                                    \
+        rs_ctx->SUB = NULL;                                             \
+    }                                                                   \
+                                                                        \
+    if( rs_ctx != NULL )                                                \
+        rs_ctx->depth--;                                                \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER( sub )     (void) rs_ctx;
+#define ECP_RS_LEAVE( sub )     (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
 /*
  * List of supported curves:
  *  - internal ID
- *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
+ *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
  *  - size in bits
  *  - readable name
  *
@@ -161,12 +522,18 @@ static const mbedtls_ecp_curve_info ecp_supported_curves[] = {
 #endif
 #if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED)
     { MBEDTLS_ECP_DP_SECP128R1, 0xFE00,     128,    "secp128r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    { MBEDTLS_ECP_DP_CURVE25519,   29,     256,    "x25519"            },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    { MBEDTLS_ECP_DP_CURVE448,     30,     448,    "x448"              },
 #endif
     { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
 };
 
 #define ECP_NB_CURVES   sizeof( ecp_supported_curves ) /    \
-    sizeof( ecp_supported_curves[0] )
+                        sizeof( ecp_supported_curves[0] )
 
 static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
 
@@ -238,6 +605,9 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name) {
     const mbedtls_ecp_curve_info *curve_info;
 
+    if (name == NULL)
+        return (NULL);
+
     for (curve_info = mbedtls_ecp_curve_list();
             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
             curve_info++) {
@@ -251,22 +621,21 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
 /*
  * Get the type of a curve
  */
-static inline ecp_curve_type ecp_get_type(const mbedtls_ecp_group *grp) {
+mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp) {
     if (grp->G.X.p == NULL)
-        return (ECP_TYPE_NONE);
+        return (MBEDTLS_ECP_TYPE_NONE);
 
     if (grp->G.Y.p == NULL)
-        return (ECP_TYPE_MONTGOMERY);
+        return (MBEDTLS_ECP_TYPE_MONTGOMERY);
     else
-        return (ECP_TYPE_SHORT_WEIERSTRASS);
+        return (MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS);
 }
 
 /*
  * Initialize (the components of) a point
  */
 void mbedtls_ecp_point_init(mbedtls_ecp_point *pt) {
-    if (pt == NULL)
-        return;
+    ECP_VALIDATE(pt != NULL);
 
     mbedtls_mpi_init(&pt->X);
     mbedtls_mpi_init(&pt->Y);
@@ -277,18 +646,30 @@ void mbedtls_ecp_point_init(mbedtls_ecp_point *pt) {
  * Initialize (the components of) a group
  */
 void mbedtls_ecp_group_init(mbedtls_ecp_group *grp) {
-    if (grp == NULL)
-        return;
+    ECP_VALIDATE(grp != NULL);
 
-    memset(grp, 0, sizeof(mbedtls_ecp_group));
+    grp->id = MBEDTLS_ECP_DP_NONE;
+    mbedtls_mpi_init(&grp->P);
+    mbedtls_mpi_init(&grp->A);
+    mbedtls_mpi_init(&grp->B);
+    mbedtls_ecp_point_init(&grp->G);
+    mbedtls_mpi_init(&grp->N);
+    grp->pbits = 0;
+    grp->nbits = 0;
+    grp->h = 0;
+    grp->modp = NULL;
+    grp->t_pre = NULL;
+    grp->t_post = NULL;
+    grp->t_data = NULL;
+    grp->T = NULL;
+    grp->T_size = 0;
 }
 
 /*
  * Initialize (the components of) a key pair
  */
 void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key) {
-    if (key == NULL)
-        return;
+    ECP_VALIDATE(key != NULL);
 
     mbedtls_ecp_group_init(&key->grp);
     mbedtls_mpi_init(&key->d);
@@ -349,7 +730,9 @@ void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key) {
  * Copy the contents of a point
  */
 int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(P != NULL);
+    ECP_VALIDATE_RET(Q != NULL);
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
@@ -363,14 +746,18 @@ cleanup:
  * Copy the contents of a group object
  */
 int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src) {
-    return mbedtls_ecp_group_load(dst, src->id);
+    ECP_VALIDATE_RET(dst != NULL);
+    ECP_VALIDATE_RET(src != NULL);
+
+    return (mbedtls_ecp_group_load(dst, src->id));
 }
 
 /*
  * Set point to zero
  */
 int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(pt != NULL);
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
@@ -384,14 +771,19 @@ cleanup:
  * Tell if a point is zero
  */
 int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt) {
+    ECP_VALIDATE_RET(pt != NULL);
+
     return (mbedtls_mpi_cmp_int(&pt->Z, 0) == 0);
 }
 
 /*
- * Compare two points lazyly
+ * Compare two points lazily
  */
 int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
                           const mbedtls_ecp_point *Q) {
+    ECP_VALIDATE_RET(P != NULL);
+    ECP_VALIDATE_RET(Q != NULL);
+
     if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
             mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
             mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
@@ -406,7 +798,10 @@ int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
  */
 int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
                                   const char *x, const char *y) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(P != NULL);
+    ECP_VALIDATE_RET(x != NULL);
+    ECP_VALIDATE_RET(y != NULL);
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
     MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
@@ -417,85 +812,126 @@ cleanup:
 }
 
 /*
- * Export a point into unsigned binary data (SEC1 2.3.3)
+ * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
  */
-int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
+                                   const mbedtls_ecp_point *P,
                                    int format, size_t *olen,
                                    unsigned char *buf, size_t buflen) {
-    int ret = 0;
+    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
     size_t plen;
-
-    if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
-            format != MBEDTLS_ECP_PF_COMPRESSED)
-        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
-
-    /*
-     * Common case: P == 0
-     */
-    if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
-        if (buflen < 1)
-            return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
-
-        buf[0] = 0x00;
-        *olen = 1;
-
-        return (0);
-    }
+    ECP_VALIDATE_RET(grp  != NULL);
+    ECP_VALIDATE_RET(P    != NULL);
+    ECP_VALIDATE_RET(olen != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+    ECP_VALIDATE_RET(format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                     format == MBEDTLS_ECP_PF_COMPRESSED);
 
     plen = mbedtls_mpi_size(&grp->P);
 
-    if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
-        *olen = 2 * plen + 1;
-
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    (void) format; /* Montgomery curves always use the same point format */
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+        *olen = plen;
         if (buflen < *olen)
             return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
 
-        buf[0] = 0x04;
-        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
-        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
-    } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
-        *olen = plen + 1;
-
-        if (buflen < *olen)
-            return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
-
-        buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
     }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        /*
+         * Common case: P == 0
+         */
+        if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
+            if (buflen < 1)
+                return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+            buf[0] = 0x00;
+            *olen = 1;
+
+            return (0);
+        }
+
+        if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
+            *olen = 2 * plen + 1;
+
+            if (buflen < *olen)
+                return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+            buf[0] = 0x04;
+            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
+        } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
+            *olen = plen + 1;
+
+            if (buflen < *olen)
+                return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+            buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
+            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+        }
+    }
+#endif
 
 cleanup:
     return (ret);
 }
 
 /*
- * Import a point from unsigned binary data (SEC1 2.3.4)
+ * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
  */
-int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
+                                  mbedtls_ecp_point *pt,
                                   const unsigned char *buf, size_t ilen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
     size_t plen;
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(pt  != NULL);
+    ECP_VALIDATE_RET(buf != NULL);
 
     if (ilen < 1)
         return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 
-    if (buf[0] == 0x00) {
-        if (ilen == 1)
-            return (mbedtls_ecp_set_zero(pt));
-        else
-            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
-    }
-
     plen = mbedtls_mpi_size(&grp->P);
 
-    if (buf[0] != 0x04)
-        return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+        if (plen != ilen)
+            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 
-    if (ilen != 2 * plen + 1)
-        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
+        mbedtls_mpi_free(&pt->Y);
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+        if (grp->id == MBEDTLS_ECP_DP_CURVE25519)
+            /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
+
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+    }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        if (buf[0] == 0x00) {
+            if (ilen == 1)
+                return (mbedtls_ecp_set_zero(pt));
+            else
+                return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+        }
+
+        if (buf[0] != 0x04)
+            return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+
+        if (ilen != 2 * plen + 1)
+            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+
+        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->Y,
+                                                buf + 1 + plen, plen));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+    }
+#endif
 
 cleanup:
     return (ret);
@@ -507,10 +943,15 @@ cleanup:
  *          opaque point <1..2^8-1>;
  *      } ECPoint;
  */
-int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
+                               mbedtls_ecp_point *pt,
                                const unsigned char **buf, size_t buf_len) {
     unsigned char data_len;
     const unsigned char *buf_start;
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(pt  != NULL);
+    ECP_VALIDATE_RET(buf != NULL);
+    ECP_VALIDATE_RET(*buf != NULL);
 
     /*
      * We must have at least two bytes (1 for length, at least one for data)
@@ -528,7 +969,7 @@ int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp, mbedtls_ecp_point *
     buf_start = *buf;
     *buf += data_len;
 
-    return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
+    return (mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len));
 }
 
 /*
@@ -540,7 +981,13 @@ int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp, mbedtls_ecp_point *
 int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
                                 int format, size_t *olen,
                                 unsigned char *buf, size_t blen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(grp  != NULL);
+    ECP_VALIDATE_RET(pt   != NULL);
+    ECP_VALIDATE_RET(olen != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+    ECP_VALIDATE_RET(format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                     format == MBEDTLS_ECP_PF_COMPRESSED);
 
     /*
      * buffer length must be at least one, for our length byte
@@ -564,9 +1011,31 @@ int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_
 /*
  * Set a group from an ECParameters record (RFC 4492)
  */
-int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp, const unsigned char **buf, size_t len) {
+int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
+                               const unsigned char **buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_group_id grp_id;
+    ECP_VALIDATE_RET(grp  != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+    ECP_VALIDATE_RET(*buf != NULL);
+
+    if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0)
+        return (ret);
+
+    return (mbedtls_ecp_group_load(grp, grp_id));
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
+                                  const unsigned char **buf, size_t len) {
     uint16_t tls_id;
     const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET(grp  != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+    ECP_VALIDATE_RET(*buf != NULL);
 
     /*
      * We expect at least three bytes (see below)
@@ -590,7 +1059,9 @@ int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp, const unsigned char **buf
     if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL)
         return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
 
-    return mbedtls_ecp_group_load(grp, curve_info->grp_id);
+    *grp = curve_info->grp_id;
+
+    return (0);
 }
 
 /*
@@ -599,6 +1070,9 @@ int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp, const unsigned char **buf
 int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
                                 unsigned char *buf, size_t blen) {
     const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET(grp  != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+    ECP_VALIDATE_RET(olen != NULL);
 
     if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL)
         return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
@@ -631,7 +1105,7 @@ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
  * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
  */
 static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (grp->modp == NULL)
         return (mbedtls_mpi_mod_mpi(N, N, &grp->P));
@@ -675,27 +1149,87 @@ cleanup:
 #define INC_MUL_COUNT
 #endif
 
-#define MOD_MUL( N )    do { MBEDTLS_MPI_CHK( ecp_modp( &N, grp ) ); INC_MUL_COUNT } \
-    while( 0 )
+#define MOD_MUL( N )                                                    \
+    do                                                                  \
+    {                                                                   \
+        MBEDTLS_MPI_CHK( ecp_modp( &(N), grp ) );                       \
+        INC_MUL_COUNT                                                   \
+    } while( 0 )
+
+static int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
+                               mbedtls_mpi *X,
+                               const mbedtls_mpi *A,
+                               const mbedtls_mpi *B) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
+    MOD_MUL(*X);
+cleanup:
+    return (ret);
+}
 
 /*
  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
  * N->s < 0 is a very fast test, which fails only if N is 0
  */
-#define MOD_SUB( N )                                \
-    while( N.s < 0 && mbedtls_mpi_cmp_int( &N, 0 ) != 0 )   \
-        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &N, &N, &grp->P ) )
+#define MOD_SUB( N )                                                    \
+    while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 )           \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
+
+#if ( defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
+      !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+         defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
+         defined(MBEDTLS_ECP_ADD_MIXED_ALT) ) ) || \
+    ( defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) && \
+      !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+         defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) ) )
+static int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
+                               mbedtls_mpi *X,
+                               const mbedtls_mpi *A,
+                               const mbedtls_mpi *B) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
+    MOD_SUB(*X);
+cleanup:
+    return (ret);
+}
+#endif /* All functions referencing mbedtls_mpi_sub_mod() are alt-implemented without fallback */
 
 /*
  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
  * We known P, N and the result are positive, so sub_abs is correct, and
  * a bit faster.
  */
-#define MOD_ADD( N )                                \
-    while( mbedtls_mpi_cmp_mpi( &N, &grp->P ) >= 0 )        \
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &N, &N, &grp->P ) )
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
 
-#if defined(ECP_SHORTWEIERSTRASS)
+static int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
+                               mbedtls_mpi *X,
+                               const mbedtls_mpi *A,
+                               const mbedtls_mpi *B) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
+    MOD_ADD(*X);
+cleanup:
+    return (ret);
+}
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
+    !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+       defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
+       defined(MBEDTLS_ECP_ADD_MIXED_ALT) )
+static int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
+                                   mbedtls_mpi *X,
+                                   size_t count) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
+    MOD_ADD(*X);
+cleanup:
+    return (ret);
+}
+#endif /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 /*
  * For curves in short Weierstrass form, we do all the internal operations in
  * Jacobian coordinates.
@@ -709,17 +1243,19 @@ cleanup:
  * Cost: 1N := 1I + 3M + 1S
  */
 static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt) {
-    int ret;
-    mbedtls_mpi Zi, ZZi;
-
     if (mbedtls_mpi_cmp_int(&pt->Z, 0) == 0)
         return (0);
 
 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_normalize_jac(grp, pt);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_normalize_jac(grp, pt));
 #endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi Zi, ZZi;
     mbedtls_mpi_init(&Zi);
     mbedtls_mpi_init(&ZZi);
 
@@ -727,18 +1263,14 @@ static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt
      * X = X / Z^2  mod p
      */
     MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&Zi,      &pt->Z,     &grp->P));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ZZi,     &Zi,        &Zi));
-    MOD_MUL(ZZi);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->X,   &pt->X,     &ZZi));
-    MOD_MUL(pt->X);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &ZZi,     &Zi,        &Zi));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->X,   &pt->X,     &ZZi));
 
     /*
      * Y = Y / Z^3  mod p
      */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->Y,   &pt->Y,     &ZZi));
-    MOD_MUL(pt->Y);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->Y,   &pt->Y,     &Zi));
-    MOD_MUL(pt->Y);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->Y,   &pt->Y,     &ZZi));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->Y,   &pt->Y,     &Zi));
 
     /*
      * Z = 1
@@ -751,6 +1283,7 @@ cleanup:
     mbedtls_mpi_free(&ZZi);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
 }
 
 /*
@@ -765,23 +1298,28 @@ cleanup:
  * Cost: 1N(t) := 1I + (6t - 3)M + 1S
  */
 static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
-                                  mbedtls_ecp_point *T[], size_t t_len) {
-    int ret;
-    size_t i;
-    mbedtls_mpi *c, u, Zi, ZZi;
-
-    if (t_len < 2)
+                                  mbedtls_ecp_point *T[], size_t T_size) {
+    if (T_size < 2)
         return (ecp_normalize_jac(grp, *T));
 
 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_normalize_jac_many(grp, T, t_len);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size));
 #endif
 
-    if ((c = mbedtls_calloc(t_len, sizeof(mbedtls_mpi))) == NULL)
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t i;
+    mbedtls_mpi *c, u, Zi, ZZi;
+
+    if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL)
         return (MBEDTLS_ERR_ECP_ALLOC_FAILED);
 
+    for (i = 0; i < T_size; i++)
+        mbedtls_mpi_init(&c[i]);
+
     mbedtls_mpi_init(&u);
     mbedtls_mpi_init(&Zi);
     mbedtls_mpi_init(&ZZi);
@@ -790,17 +1328,16 @@ static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
      * c[i] = Z_0 * ... * Z_i
      */
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&c[0], &T[0]->Z));
-    for (i = 1; i < t_len; i++) {
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&c[i], &c[i - 1], &T[i]->Z));
-        MOD_MUL(c[i]);
+    for (i = 1; i < T_size; i++) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &c[i], &c[i - 1], &T[i]->Z));
     }
 
     /*
      * u = 1 / (Z_0 * ... * Z_n) mod P
      */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&u, &c[t_len - 1], &grp->P));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&u, &c[T_size - 1], &grp->P));
 
-    for (i = t_len - 1; ; i--) {
+    for (i = T_size - 1; ; i--) {
         /*
          * Zi = 1 / Z_i mod p
          * u = 1 / (Z_0 * ... * Z_i) mod P
@@ -808,23 +1345,17 @@ static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
         if (i == 0) {
             MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Zi, &u));
         } else {
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&Zi, &u, &c[i - 1]));
-            MOD_MUL(Zi);
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&u,  &u, &T[i]->Z));
-            MOD_MUL(u);
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &Zi, &u, &c[i - 1]));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &u,  &u, &T[i]->Z));
         }
 
         /*
          * proceed as in normalize()
          */
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ZZi,     &Zi,      &Zi));
-        MOD_MUL(ZZi);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T[i]->X, &T[i]->X, &ZZi));
-        MOD_MUL(T[i]->X);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T[i]->Y, &T[i]->Y, &ZZi));
-        MOD_MUL(T[i]->Y);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T[i]->Y, &T[i]->Y, &Zi));
-        MOD_MUL(T[i]->Y);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &ZZi,     &Zi,      &Zi));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T[i]->X, &T[i]->X, &ZZi));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T[i]->Y, &T[i]->Y, &ZZi));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T[i]->Y, &T[i]->Y, &Zi));
 
         /*
          * Post-precessing: reclaim some memory by shrinking coordinates
@@ -845,11 +1376,12 @@ cleanup:
     mbedtls_mpi_free(&u);
     mbedtls_mpi_free(&Zi);
     mbedtls_mpi_free(&ZZi);
-    for (i = 0; i < t_len; i++)
+    for (i = 0; i < T_size; i++)
         mbedtls_mpi_free(&c[i]);
     mbedtls_free(c);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
 }
 
 /*
@@ -859,7 +1391,7 @@ cleanup:
 static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
                                mbedtls_ecp_point *Q,
                                unsigned char inv) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char nonzero;
     mbedtls_mpi mQY;
 
@@ -892,19 +1424,21 @@ cleanup:
  */
 static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                           const mbedtls_ecp_point *P) {
-    int ret;
-    mbedtls_mpi M, S, T, U;
-
 #if defined(MBEDTLS_SELF_TEST)
     dbl_count++;
 #endif
 
 #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_double_jac(grp, R, P);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_double_jac(grp, R, P));
 #endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
 
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi M, S, T, U;
+
     mbedtls_mpi_init(&M);
     mbedtls_mpi_init(&S);
     mbedtls_mpi_init(&T);
@@ -913,74 +1447,51 @@ static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     /* Special case for A = -3 */
     if (grp->A.p == NULL) {
         /* M = 3(X + Z^2)(X - Z^2) */
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &P->Z,  &P->Z));
-        MOD_MUL(S);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T,  &P->X,  &S));
-        MOD_ADD(T);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U,  &P->X,  &S));
-        MOD_SUB(U);
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &T,     &U));
-        MOD_MUL(S);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &P->Z,  &P->Z));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &T,  &P->X,  &S));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &U,  &P->X,  &S));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &T,     &U));
         MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&M,  &S,     3));
         MOD_ADD(M);
     } else {
         /* M = 3.X^2 */
-        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &P->X,  &P->X));
-        MOD_MUL(S);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &P->X,  &P->X));
         MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&M,  &S,     3));
         MOD_ADD(M);
 
         /* Optimize away for "koblitz" curves with A = 0 */
         if (mbedtls_mpi_cmp_int(&grp->A, 0) != 0) {
             /* M += A.Z^4 */
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &P->Z,  &P->Z));
-            MOD_MUL(S);
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T,  &S,     &S));
-            MOD_MUL(T);
-            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &T,     &grp->A));
-            MOD_MUL(S);
-            MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M,  &M,     &S));
-            MOD_ADD(M);
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &P->Z,  &P->Z));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T,  &S,     &S));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &T,     &grp->A));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &M,  &M,     &S));
         }
     }
 
     /* S = 4.X.Y^2 */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T,  &P->Y,  &P->Y));
-    MOD_MUL(T);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T,  1));
-    MOD_ADD(T);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &P->X,  &T));
-    MOD_MUL(S);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&S,  1));
-    MOD_ADD(S);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T,  &P->Y,  &P->Y));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, &T,  1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &P->X,  &T));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, &S,  1));
 
     /* U = 8.Y^4 */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&U,  &T,     &T));
-    MOD_MUL(U);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&U,  1));
-    MOD_ADD(U);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &U,  &T,     &T));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, &U,  1));
 
     /* T = M^2 - 2.S */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T,  &M,     &M));
-    MOD_MUL(T);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T,  &T,     &S));
-    MOD_SUB(T);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T,  &T,     &S));
-    MOD_SUB(T);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T,  &M,     &M));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &T,  &T,     &S));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &T,  &T,     &S));
 
     /* S = M(S - T) - U */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&S,  &S,     &T));
-    MOD_SUB(S);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S,  &S,     &M));
-    MOD_MUL(S);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&S,  &S,     &U));
-    MOD_SUB(S);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &S,  &S,     &T));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S,  &S,     &M));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &S,  &S,     &U));
 
     /* U = 2.Y.Z */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&U,  &P->Y,  &P->Z));
-    MOD_MUL(U);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&U,  1));
-    MOD_ADD(U);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &U,  &P->Y,  &P->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, &U,  1));
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R->X, &T));
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R->Y, &S));
@@ -993,6 +1504,7 @@ cleanup:
     mbedtls_mpi_free(&U);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
 }
 
 /*
@@ -1015,19 +1527,21 @@ cleanup:
  */
 static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                          const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q) {
-    int ret;
-    mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
-
 #if defined(MBEDTLS_SELF_TEST)
     add_count++;
 #endif
 
 #if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_add_mixed(grp, R, P, Q));
 #endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
 
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
+
     /*
      * Trivial cases: P == 0 or Q == 0 (case 1)
      */
@@ -1051,18 +1565,12 @@ static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     mbedtls_mpi_init(&Y);
     mbedtls_mpi_init(&Z);
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T1,  &P->Z,  &P->Z));
-    MOD_MUL(T1);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T2,  &T1,    &P->Z));
-    MOD_MUL(T2);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T1,  &T1,    &Q->X));
-    MOD_MUL(T1);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T2,  &T2,    &Q->Y));
-    MOD_MUL(T2);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T1,  &T1,    &P->X));
-    MOD_SUB(T1);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T2,  &T2,    &P->Y));
-    MOD_SUB(T2);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T1,  &P->Z,  &P->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T2,  &T1,    &P->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T1,  &T1,    &Q->X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T2,  &T2,    &Q->Y));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &T1,  &T1,    &P->X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &T2,  &T2,    &P->Y));
 
     /* Special cases (2) and (3) */
     if (mbedtls_mpi_cmp_int(&T1, 0) == 0) {
@@ -1075,30 +1583,19 @@ static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
         }
     }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&Z,   &P->Z,  &T1));
-    MOD_MUL(Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T3,  &T1,    &T1));
-    MOD_MUL(T3);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T4,  &T3,    &T1));
-    MOD_MUL(T4);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T3,  &T3,    &P->X));
-    MOD_MUL(T3);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1,  &T3,    2));
-    MOD_ADD(T1);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X,   &T2,    &T2));
-    MOD_MUL(X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X,   &X,     &T1));
-    MOD_SUB(X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X,   &X,     &T4));
-    MOD_SUB(X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T3,  &T3,    &X));
-    MOD_SUB(T3);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T3,  &T3,    &T2));
-    MOD_MUL(T3);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T4,  &T4,    &P->Y));
-    MOD_MUL(T4);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&Y,   &T3,    &T4));
-    MOD_SUB(Y);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &Z,   &P->Z,  &T1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T3,  &T1,    &T1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T4,  &T3,    &T1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T3,  &T3,    &P->X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &T3));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, &T1,  1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &X,   &T2,    &T2));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &X,   &X,     &T1));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &X,   &X,     &T4));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &T3,  &T3,    &X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T3,  &T3,    &T2));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &T4,  &T4,    &P->Y));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &Y,   &T3,    &T4));
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R->X, &X));
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R->Y, &Y));
@@ -1115,6 +1612,7 @@ cleanup:
     mbedtls_mpi_free(&Z);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
 }
 
 /*
@@ -1126,18 +1624,19 @@ cleanup:
  */
 static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret;
-    mbedtls_mpi l, ll;
-    size_t p_size;
-    int count = 0;
-
 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng));
 #endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
 
-    p_size = (grp->pbits + 7) / 8;
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi l, ll;
+    int count = 0;
+    size_t p_size = (grp->pbits + 7) / 8;
+
     mbedtls_mpi_init(&l);
     mbedtls_mpi_init(&ll);
 
@@ -1148,31 +1647,29 @@ static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt
         while (mbedtls_mpi_cmp_mpi(&l, &grp->P) >= 0)
             MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&l, 1));
 
-        if (count++ > 10)
-            return (MBEDTLS_ERR_ECP_RANDOM_FAILED);
+        if (count++ > 10) {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
     } while (mbedtls_mpi_cmp_int(&l, 1) <= 0);
 
     /* Z = l * Z */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->Z,   &pt->Z,     &l));
-    MOD_MUL(pt->Z);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->Z,   &pt->Z,     &l));
 
     /* X = l^2 * X */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ll,      &l,         &l));
-    MOD_MUL(ll);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->X,   &pt->X,     &ll));
-    MOD_MUL(pt->X);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &ll,      &l,         &l));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->X,   &pt->X,     &ll));
 
     /* Y = l^3 * Y */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ll,      &ll,        &l));
-    MOD_MUL(ll);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&pt->Y,   &pt->Y,     &ll));
-    MOD_MUL(pt->Y);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &ll,      &ll,        &l));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &pt->Y,   &pt->Y,     &ll));
 
 cleanup:
     mbedtls_mpi_free(&l);
     mbedtls_mpi_free(&ll);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
 }
 
 /*
@@ -1195,11 +1692,38 @@ cleanup:
  * modified version that provides resistance to SPA by avoiding zero
  * digits in the representation as in [3]. We modify the method further by
  * requiring that all K_i be odd, which has the small cost that our
- * representation uses one more K_i, due to carries.
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
  *
- * Also, for the sake of compactness, only the seven low-order bits of x[i]
- * are used to represent K_i, and the msb of x[i] encodes the the sign (s_i in
- * the paper): it is set if and only if if s_i == -1;
+ * Summary of the comb method and its modifications:
+ *
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ *   index has residue i modulo d, and computes m * P as
+ *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ *   thereby successively converting it into a form where all summands
+ *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ *   Performing and iterating this procedure for those x[i] that are even
+ *   (keeping track of carry), we can transform the original sum into one of the form
+ *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ *   which is why we are only computing half of it in the first place in
+ *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ *   are used to represent its absolute value (K_i in the paper), and the msb
+ *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ *   if s_i == -1;
  *
  * Calling conventions:
  * - x is an array of size d + 1
@@ -1208,8 +1732,8 @@ cleanup:
  * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
  *   (the result will be incorrect if these assumptions are not satisfied)
  */
-static void ecp_comb_fixed(unsigned char x[], size_t d,
-                           unsigned char w, const mbedtls_mpi *m) {
+static void ecp_comb_recode_core(unsigned char x[], size_t d,
+                                 unsigned char w, const mbedtls_mpi *m) {
     size_t i, j;
     unsigned char c, cc, adjust;
 
@@ -1237,75 +1761,181 @@ static void ecp_comb_fixed(unsigned char x[], size_t d,
 }
 
 /*
- * Precompute points for the comb method
+ * Precompute points for the adapted comb method
  *
- * If i = i_{w-1} ... i_1 is the binary representation of i, then
- * T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P
+ * Assumption: T must be able to hold 2^{w - 1} elements.
  *
- * T must be able to hold 2^{w - 1} elements
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
  *
  * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ *       sum defining T[i] above) are not needed in our adaption
+ *       the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add]      Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step     (2)     (3)     (4)
+ * w = 5    142     165     208
+ * w = 4    136      77     160
+ * w = 3    130      33     136
+ * w = 2    124      11     124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
  */
 static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
                                mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
-                               unsigned char w, size_t d) {
-    int ret;
-    unsigned char i, k;
-    size_t j;
+                               unsigned char w, size_t d,
+                               mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char i;
+    size_t j = 0;
+    const unsigned char T_size = 1U << (w - 1);
     mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl)
+            goto dbl;
+        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl)
+            goto norm_dbl;
+        if (rs_ctx->rsm->state == ecp_rsm_pre_add)
+            goto add;
+        if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add)
+            goto norm_add;
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+        /* initial state for the loop */
+        rs_ctx->rsm->i = 0;
+    }
+
+dbl:
+#endif
     /*
      * Set T[0] = P and
      * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
      */
     MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
 
-    k = 0;
-    for (i = 1; i < (1U << (w - 1)); i <<= 1) {
-        cur = T + i;
-        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
-        for (j = 0; j < d; j++)
-            MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0)
+        j = rs_ctx->rsm->i;
+    else
+#endif
+        j = 0;
 
-        TT[k++] = cur;
+    for (; j < d * (w - 1); j++) {
+        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
+
+        i = 1U << (j / d);
+        cur = T + i;
+
+        if (j % d == 0)
+            MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
+
+        MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur));
     }
 
-    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, k));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
 
+norm_dbl:
+#endif
+    /*
+     * Normalize current elements in T. As T has holes,
+     * use an auxiliary array of pointers to elements in T.
+     */
+    j = 0;
+    for (i = 1; i < T_size; i <<= 1)
+        TT[j++] = T + i;
+
+    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+        rs_ctx->rsm->state = ecp_rsm_pre_add;
+
+add:
+#endif
     /*
      * Compute the remaining ones using the minimal number of additions
      * Be careful to update T[2^l] only after using it!
      */
-    k = 0;
-    for (i = 1; i < (1U << (w - 1)); i <<= 1) {
+    MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
+
+    for (i = 1; i < T_size; i <<= 1) {
         j = i;
-        while (j--) {
+        while (j--)
             MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i]));
-            TT[k++] = &T[i + j];
-        }
     }
 
-    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, k));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+
+norm_add:
+#endif
+    /*
+     * Normalize final elements in T. Even though there are no holes now, we
+     * still need the auxiliary array for homogeneity with the previous
+     * call. Also, skip T[0] which is already normalised, being a copy of P.
+     */
+    for (j = 0; j + 1 < T_size; j++)
+        TT[j] = T + j + 1;
+
+    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+    MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
 
 cleanup:
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+            ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+        if (rs_ctx->rsm->state == ecp_rsm_pre_dbl)
+            rs_ctx->rsm->i = j;
+    }
+#endif
 
     return (ret);
 }
 
 /*
  * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
  */
 static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                           const mbedtls_ecp_point T[], unsigned char t_len,
+                           const mbedtls_ecp_point T[], unsigned char T_size,
                            unsigned char i) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char ii, j;
 
     /* Ignore the "sign" bit and scale down */
     ii = (i & 0x7Fu) >> 1;
 
     /* Read the whole table to thwart cache-based timing attacks */
-    for (j = 0; j < t_len; j++) {
+    for (j = 0; j < T_size; j++) {
         MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&R->X, &T[j].X, j == ii));
         MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&R->Y, &T[j].Y, j == ii));
     }
@@ -1324,26 +1954,51 @@ cleanup:
  * Cost: d A + d D + 1 R
  */
 static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                             const mbedtls_ecp_point T[], unsigned char t_len,
+                             const mbedtls_ecp_point T[], unsigned char T_size,
                              const unsigned char x[], size_t d,
                              int (*f_rng)(void *, unsigned char *, size_t),
-                             void *p_rng) {
-    int ret;
+                             void *p_rng,
+                             mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_point Txi;
     size_t i;
 
     mbedtls_ecp_point_init(&Txi);
 
-    /* Start with a non-zero point and randomize its coordinates */
-    i = d;
-    MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, t_len, x[i]));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&R->Z, 1));
-    if (f_rng != 0)
-        MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+            rs_ctx->rsm->state != ecp_rsm_comb_core) {
+        rs_ctx->rsm->i = 0;
+        rs_ctx->rsm->state = ecp_rsm_comb_core;
+    }
+
+    /* new 'if' instead of nested for the sake of the 'else' branch */
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
+        /* restore current index (R already pointing to rs_ctx->rsm->R) */
+        i = rs_ctx->rsm->i;
+    } else
+#endif
+    {
+        /* Start with a non-zero point and randomize its coordinates */
+        i = d;
+        MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&R->Z, 1));
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+        if (f_rng != 0)
+#endif
+            MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
+    }
+
+    while (i != 0) {
+        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
+        --i;
 
-    while (i-- != 0) {
         MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R));
-        MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, t_len, x[i]));
+        MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
         MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi));
     }
 
@@ -1351,31 +2006,141 @@ cleanup:
 
     mbedtls_ecp_point_free(&Txi);
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+            ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+        rs_ctx->rsm->i = i;
+        /* no need to save R, already pointing to rs_ctx->rsm->R */
+    }
+#endif
+
     return (ret);
 }
 
 /*
- * Multiplication using the comb method,
- * for curves in short Weierstrass form
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
  */
-static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-                        int (*f_rng)(void *, unsigned char *, size_t),
-                        void *p_rng) {
-    int ret;
-    unsigned char w, m_is_odd, p_eq_g, pre_len, i;
-    size_t d;
-    unsigned char k[COMB_MAX_D + 1];
-    mbedtls_ecp_point *T;
+static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
+                                  const mbedtls_mpi *m,
+                                  unsigned char k[COMB_MAX_D + 1],
+                                  size_t d,
+                                  unsigned char w,
+                                  unsigned char *parity_trick) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi M, mm;
 
     mbedtls_mpi_init(&M);
     mbedtls_mpi_init(&mm);
 
-    /* we need N to be odd to trnaform m in an odd number, check now */
+    /* N is always odd (see above), just make extra sure */
     if (mbedtls_mpi_get_bit(&grp->N, 0) != 1)
         return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 
+    /* do we need the parity trick? */
+    *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
+
+    /* execute parity fix in constant time */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
+
+    /* actual scalar recoding */
+    ecp_comb_recode_core(k, d, w, &M);
+
+cleanup:
+    mbedtls_mpi_free(&mm);
+    mbedtls_mpi_free(&M);
+
+    return (ret);
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
+                                      mbedtls_ecp_point *R,
+                                      const mbedtls_mpi *m,
+                                      const mbedtls_ecp_point *T,
+                                      unsigned char T_size,
+                                      unsigned char w,
+                                      size_t d,
+                                      int (*f_rng)(void *, unsigned char *, size_t),
+                                      void *p_rng,
+                                      mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char parity_trick;
+    unsigned char k[COMB_MAX_D + 1];
+    mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+        RR = &rs_ctx->rsm->R;
+
+        if (rs_ctx->rsm->state == ecp_rsm_final_norm)
+            goto final_norm;
+    }
+#endif
+
+    MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
+                                           &parity_trick));
+    MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
+                                      f_rng, p_rng, rs_ctx));
+    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+        rs_ctx->rsm->state = ecp_rsm_final_norm;
+
+final_norm:
+    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+#endif
+    /*
+     * Knowledge of the jacobian coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if (f_rng != 0)
+#endif
+        MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
+
+    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
+#endif
+
+cleanup:
+    return (ret);
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
+                                          unsigned char p_eq_g) {
+    unsigned char w;
+
     /*
      * Minimize the number of multiplications, that is minimize
      * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
@@ -1388,95 +2153,186 @@ static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
      * Just adding one avoids upping the cost of the first mul too much,
      * and the memory cost too.
      */
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-    p_eq_g = (mbedtls_mpi_cmp_mpi(&P->Y, &grp->G.Y) == 0 &&
-              mbedtls_mpi_cmp_mpi(&P->X, &grp->G.X) == 0);
     if (p_eq_g)
         w++;
-#else
-    p_eq_g = 0;
-#endif
 
     /*
      * Make sure w is within bounds.
      * (The last test is useful only for very small curves in the test suite.)
      */
+#if( MBEDTLS_ECP_WINDOW_SIZE < 6 )
     if (w > MBEDTLS_ECP_WINDOW_SIZE)
         w = MBEDTLS_ECP_WINDOW_SIZE;
+#endif
     if (w >= grp->nbits)
         w = 2;
 
-    /* Other sizes that depend on w */
-    pre_len = 1U << (w - 1);
+    return (w);
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ *   functions): allocation, computation, ownership tranfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng,
+                        mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char w, p_eq_g, i;
+    size_t d;
+    unsigned char T_size = 0, T_ok = 0;
+    mbedtls_ecp_point *T = NULL;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_context drbg_ctx;
+
+    ecp_drbg_init(&drbg_ctx);
+#endif
+
+    ECP_RS_ENTER(rsm);
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if (f_rng == NULL) {
+        /* Adjust pointers */
+        f_rng = &ecp_drbg_random;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+            p_rng = &rs_ctx->rsm->drbg_ctx;
+        else
+#endif
+            p_rng = &drbg_ctx;
+
+        /* Initialize internal DRBG if necessary */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx == NULL || rs_ctx->rsm == NULL ||
+                rs_ctx->rsm->drbg_seeded == 0)
+#endif
+        {
+            const size_t m_len = (grp->nbits + 7) / 8;
+            MBEDTLS_MPI_CHK(ecp_drbg_seed(p_rng, m, m_len));
+        }
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && rs_ctx->rsm != NULL)
+            rs_ctx->rsm->drbg_seeded = 1;
+#endif
+    }
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+    /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+    p_eq_g = (mbedtls_mpi_cmp_mpi(&P->Y, &grp->G.Y) == 0 &&
+              mbedtls_mpi_cmp_mpi(&P->X, &grp->G.X) == 0);
+#else
+    p_eq_g = 0;
+#endif
+
+    /* Pick window size and deduce related sizes */
+    w = ecp_pick_window_size(grp, p_eq_g);
+    T_size = 1U << (w - 1);
     d = (grp->nbits + w - 1) / w;
 
-    /*
-     * Prepare precomputed points: if P == G we want to
-     * use grp->T if already initialized, or initialize it.
-     */
-    T = p_eq_g ? grp->T : NULL;
+    /* Pre-computed table: do we have it already for the base point? */
+    if (p_eq_g && grp->T != NULL) {
+        /* second pointer to the same table, will be deleted on exit */
+        T = grp->T;
+        T_ok = 1;
+    } else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        /* Pre-computed table: do we have one in progress? complete? */
+        if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
+            /* transfer ownership of T from rsm to local function */
+            T = rs_ctx->rsm->T;
+            rs_ctx->rsm->T = NULL;
+            rs_ctx->rsm->T_size = 0;
 
-    if (T == NULL) {
-        T = mbedtls_calloc(pre_len, sizeof(mbedtls_ecp_point));
-        if (T == NULL) {
-            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
-            goto cleanup;
+            /* This effectively jumps to the call to mul_comb_after_precomp() */
+            T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+        } else
+#endif
+            /* Allocate table if we didn't have any */
+        {
+            T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
+            if (T == NULL) {
+                ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+                goto cleanup;
+            }
+
+            for (i = 0; i < T_size; i++)
+                mbedtls_ecp_point_init(&T[i]);
+
+            T_ok = 0;
         }
 
-        MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d));
+    /* Compute table (or finish computing it) if not done already */
+    if (!T_ok) {
+        MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
 
         if (p_eq_g) {
+            /* almost transfer ownership of T to the group, but keep a copy of
+             * the pointer to use for calling the next function more easily */
             grp->T = T;
-            grp->T_size = pre_len;
+            grp->T_size = T_size;
         }
     }
 
-    /*
-     * Make sure M is odd (M = m or M = N - m, since N is odd)
-     * using the fact that m * P = - (N - m) * P
-     */
-    m_is_odd = (mbedtls_mpi_get_bit(m, 0) == 1);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, ! m_is_odd));
-
-    /*
-     * Go for comb multiplication, R = M * P
-     */
-    ecp_comb_fixed(k, d, w, &M);
-    MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, R, T, pre_len, k, d, f_rng, p_rng));
-
-    /*
-     * Now get m * P from M * P and normalize it
-     */
-    MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, ! m_is_odd));
-    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, R));
+    /* Actual comb multiplication using precomputed points */
+    MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
+                                               T, T_size, w, d,
+                                               f_rng, p_rng, rs_ctx));
 
 cleanup:
 
-    /* There are two cases where T is not stored in grp:
-     * - P != G
-     * - An intermediate operation failed before setting grp->T
-     * In either case, T must be freed.
-     */
-    if (T != NULL && T != grp->T) {
-        for (i = 0; i < pre_len; i++)
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_free(&drbg_ctx);
+#endif
+
+    /* does T belong to the group? */
+    if (T == grp->T)
+        T = NULL;
+
+    /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
+        /* transfer ownership of T from local function to rsm */
+        rs_ctx->rsm->T_size = T_size;
+        rs_ctx->rsm->T = T;
+        T = NULL;
+    }
+#endif
+
+    /* did T belong to us? then let's destroy it! */
+    if (T != NULL) {
+        for (i = 0; i < T_size; i++)
             mbedtls_ecp_point_free(&T[i]);
         mbedtls_free(T);
     }
 
-    mbedtls_mpi_free(&M);
-    mbedtls_mpi_free(&mm);
+    /* don't free R while in progress in case R == P */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS)
+#endif
+        /* prevent caller from using invalid value */
+        if (ret != 0)
+            mbedtls_ecp_point_free(R);
 
-    if (ret != 0)
-        mbedtls_ecp_point_free(R);
+    ECP_RS_LEAVE(rsm);
 
     return (ret);
 }
 
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
 /*
  * For Montgomery curves, we do all the internal arithmetic in projective
  * coordinates. Import/export of points uses only the x coordinates, which is
@@ -1490,21 +2346,22 @@ cleanup:
  * Cost: 1M + 1I
  */
 static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P) {
-    int ret;
-
 #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_normalize_mxz(grp, P);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_normalize_mxz(grp, P));
 #endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
 
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&P->Z, &P->Z, &grp->P));
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&P->X, &P->X, &P->Z));
-    MOD_MUL(P->X);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &P->X, &P->X, &P->Z));
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
 
 cleanup:
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
 }
 
 /*
@@ -1517,70 +2374,73 @@ cleanup:
  */
 static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret;
-    mbedtls_mpi l;
-    size_t p_size;
-    int count = 0;
-
 #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
-    }
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
 #endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
 
-    p_size = (grp->pbits + 7) / 8;
-    mbedtls_mpi_init(&l);
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+                return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+                int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+                mbedtls_mpi l;
+                int count = 0;
+                size_t p_size = (grp->pbits + 7) / 8;
+                mbedtls_mpi_init(&l);
 
-    /* Generate l such that 1 < l < p */
-    do {
-        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&l, p_size, f_rng, p_rng));
+                /* Generate l such that 1 < l < p */
+        do {
+            MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&l, p_size, f_rng, p_rng));
 
-        while (mbedtls_mpi_cmp_mpi(&l, &grp->P) >= 0)
-            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&l, 1));
+            while (mbedtls_mpi_cmp_mpi(&l, &grp->P) >= 0)
+                MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&l, 1));
 
-        if (count++ > 10)
-            return (MBEDTLS_ERR_ECP_RANDOM_FAILED);
-    } while (mbedtls_mpi_cmp_int(&l, 1) <= 0);
+            if (count++ > 10) {
+                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+                goto cleanup;
+            }
+        } while (mbedtls_mpi_cmp_int(&l, 1) <= 0);
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&P->X, &P->X, &l));
-    MOD_MUL(P->X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&P->Z, &P->Z, &l));
-    MOD_MUL(P->Z);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &P->X, &P->X, &l));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &P->Z, &P->Z, &l));
 
-cleanup:
-    mbedtls_mpi_free(&l);
+        cleanup:
+        mbedtls_mpi_free(&l);
 
-    return (ret);
-}
-
-/*
- * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
- * for Montgomery curves in x/z coordinates.
- *
- * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
- * with
- * d =  X1
- * P = (X2, Z2)
- * Q = (X3, Z3)
- * R = (X4, Z4)
- * S = (X5, Z5)
- * and eliminating temporary variables tO, ..., t4.
- *
- * Cost: 5M + 4S
- */
-static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
-                              mbedtls_ecp_point *R, mbedtls_ecp_point *S,
-                              const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
-                              const mbedtls_mpi *d) {
-    int ret;
-    mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
-
-#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
-    if (mbedtls_internal_ecp_grp_capable(grp)) {
-        return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
+        return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
     }
+
+       /*
+        * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+        * for Montgomery curves in x/z coordinates.
+        *
+        * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+        * with
+        * d =  X1
+        * P = (X2, Z2)
+        * Q = (X3, Z3)
+        * R = (X4, Z4)
+        * S = (X5, Z5)
+        * and eliminating temporary variables tO, ..., t4.
+        *
+        * Cost: 5M + 4S
+        */
+       static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
+                                     mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+                                     const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+const mbedtls_mpi *d) {
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    if (mbedtls_internal_ecp_grp_capable(grp))
+        return (mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d));
 #endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
 
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+#else
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
+
     mbedtls_mpi_init(&A);
     mbedtls_mpi_init(&AA);
     mbedtls_mpi_init(&B);
@@ -1591,42 +2451,24 @@ static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
     mbedtls_mpi_init(&DA);
     mbedtls_mpi_init(&CB);
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&A,    &P->X,   &P->Z));
-    MOD_ADD(A);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&AA,   &A,      &A));
-    MOD_MUL(AA);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&B,    &P->X,   &P->Z));
-    MOD_SUB(B);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&BB,   &B,      &B));
-    MOD_MUL(BB);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&E,    &AA,     &BB));
-    MOD_SUB(E);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&C,    &Q->X,   &Q->Z));
-    MOD_ADD(C);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&D,    &Q->X,   &Q->Z));
-    MOD_SUB(D);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DA,   &D,      &A));
-    MOD_MUL(DA);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&CB,   &C,      &B));
-    MOD_MUL(CB);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&S->X, &DA,     &CB));
-    MOD_MUL(S->X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S->X, &S->X,   &S->X));
-    MOD_MUL(S->X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&S->Z, &DA,     &CB));
-    MOD_SUB(S->Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S->Z, &S->Z,   &S->Z));
-    MOD_MUL(S->Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&S->Z, d,       &S->Z));
-    MOD_MUL(S->Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&R->X, &AA,     &BB));
-    MOD_MUL(R->X);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&R->Z, &grp->A, &E));
-    MOD_MUL(R->Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&R->Z, &BB,     &R->Z));
-    MOD_ADD(R->Z);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&R->Z, &E,      &R->Z));
-    MOD_MUL(R->Z);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &A,    &P->X,   &P->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &AA,   &A,      &A));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &B,    &P->X,   &P->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &BB,   &B,      &B));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &E,    &AA,     &BB));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &C,    &Q->X,   &Q->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &D,    &Q->X,   &Q->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &DA,   &D,      &A));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &CB,   &C,      &B));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &S->X, &DA,     &CB));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S->X, &S->X,   &S->X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, &S->Z, &DA,     &CB));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S->Z, &S->Z,   &S->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &S->Z, d,       &S->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &R->X, &AA,     &BB));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &R->Z, &grp->A, &E));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &R->Z, &BB,     &R->Z));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &R->Z, &E,      &R->Z));
 
 cleanup:
     mbedtls_mpi_free(&A);
@@ -1640,6 +2482,7 @@ cleanup:
     mbedtls_mpi_free(&CB);
 
     return (ret);
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
 }
 
 /*
@@ -1650,15 +2493,28 @@ static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
                        int (*f_rng)(void *, unsigned char *, size_t),
                        void *p_rng) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i;
     unsigned char b;
     mbedtls_ecp_point RP;
     mbedtls_mpi PX;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_context drbg_ctx;
 
+    ecp_drbg_init(&drbg_ctx);
+#endif
     mbedtls_ecp_point_init(&RP);
     mbedtls_mpi_init(&PX);
 
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if (f_rng == NULL) {
+        const size_t m_len = (grp->nbits + 7) / 8;
+        MBEDTLS_MPI_CHK(ecp_drbg_seed(&drbg_ctx, m, m_len));
+        f_rng = &ecp_drbg_random;
+        p_rng = &drbg_ctx;
+    }
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
     /* Save PX and read from P before writing to R, in case P == R */
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&PX, &P->X));
     MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
@@ -1672,7 +2528,9 @@ static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     MOD_ADD(RP.X);
 
     /* Randomize coordinates of the starting point */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
     if (f_rng != NULL)
+#endif
         MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
 
     /* Loop invariant: R = result so far, RP = R + P */
@@ -1693,16 +2551,103 @@ static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
         MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap(&R->Z, &RP.Z, b));
     }
 
+    /*
+     * Knowledge of the projective coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if (f_rng != NULL)
+#endif
+        MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
+
     MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
 
 cleanup:
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_free(&drbg_ctx);
+#endif
+
     mbedtls_ecp_point_free(&RP);
     mbedtls_mpi_free(&PX);
 
     return (ret);
 }
 
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+/*
+ * Restartable multiplication R = m * P
+ */
+int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                                const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(R   != NULL);
+    ECP_VALIDATE_RET(m   != NULL);
+    ECP_VALIDATE_RET(P   != NULL);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* reset ops count for this call if top-level */
+    if (rs_ctx != NULL && rs_ctx->depth++ == 0)
+        rs_ctx->ops_done = 0;
+#else
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp)))
+        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* skip argument check when restarting */
+    if (rs_ctx == NULL || rs_ctx->rsm == NULL)
+#endif
+    {
+        /* check_privkey is free */
+        MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
+
+        /* Common sanity checks */
+        MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
+        MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+    }
+
+    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY)
+        MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS)
+        MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
+#endif
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if (is_grp_capable)
+        mbedtls_internal_ecp_free(grp);
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL)
+        rs_ctx->depth--;
+#endif
+
+    return (ret);
+}
 
 /*
  * Multiplication R = m * P
@@ -1710,53 +2655,20 @@ cleanup:
 int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                     const mbedtls_mpi *m, const mbedtls_ecp_point *P,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    char is_grp_capable = 0;
-#endif
-
-    /* Common sanity checks */
-    if (mbedtls_mpi_cmp_int(&P->Z, 1) != 0)
-        return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
-
-    if ((ret = mbedtls_ecp_check_privkey(grp, m)) != 0 ||
-            (ret = mbedtls_ecp_check_pubkey(grp, P)) != 0)
-        return (ret);
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if (is_grp_capable = mbedtls_internal_ecp_grp_capable(grp)) {
-        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
-    }
-
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-#if defined(ECP_MONTGOMERY)
-    if (ecp_get_type(grp) == ECP_TYPE_MONTGOMERY)
-        ret = ecp_mul_mxz(grp, R, m, P, f_rng, p_rng);
-
-#endif
-#if defined(ECP_SHORTWEIERSTRASS)
-    if (ecp_get_type(grp) == ECP_TYPE_SHORT_WEIERSTRASS)
-        ret = ecp_mul_comb(grp, R, m, P, f_rng, p_rng);
-
-#endif
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-cleanup:
-
-    if (is_grp_capable) {
-        mbedtls_internal_ecp_free(grp);
-    }
-
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-    return (ret);
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(R   != NULL);
+    ECP_VALIDATE_RET(m   != NULL);
+    ECP_VALIDATE_RET(P   != NULL);
+    return (mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL));
 }
 
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 /*
  * Check that an affine point is valid as a public key,
  * short weierstrass curves (SEC1 3.2.3.1)
  */
 static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi YY, RHS;
 
     /* pt coordinates must be normalized for our checks */
@@ -1773,24 +2685,19 @@ static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_p
      * YY = Y^2
      * RHS = X (X^2 + A) + B = X^3 + A X + B
      */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&YY,  &pt->Y,   &pt->Y));
-    MOD_MUL(YY);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&RHS, &pt->X,   &pt->X));
-    MOD_MUL(RHS);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &YY,  &pt->Y,   &pt->Y));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &RHS, &pt->X,   &pt->X));
 
     /* Special case for A = -3 */
     if (grp->A.p == NULL) {
         MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&RHS, &RHS, 3));
         MOD_SUB(RHS);
     } else {
-        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&RHS, &RHS, &grp->A));
-        MOD_ADD(RHS);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &RHS, &RHS, &grp->A));
     }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&RHS, &RHS,     &pt->X));
-    MOD_MUL(RHS);
-    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&RHS, &RHS,     &grp->B));
-    MOD_ADD(RHS);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, &RHS, &RHS,     &pt->X));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, &RHS, &RHS,     &grp->B));
 
     if (mbedtls_mpi_cmp_mpi(&YY, &RHS) != 0)
         ret = MBEDTLS_ERR_ECP_INVALID_KEY;
@@ -1802,8 +2709,9 @@ cleanup:
 
     return (ret);
 }
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 /*
  * R = m * P with shortcuts for m == 1 and m == -1
  * NOT constant-time - ONLY for short Weierstrass!
@@ -1811,8 +2719,9 @@ cleanup:
 static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
                                      mbedtls_ecp_point *R,
                                      const mbedtls_mpi *m,
-                                     const mbedtls_ecp_point *P) {
-    int ret;
+                                     const mbedtls_ecp_point *P,
+                                     mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (mbedtls_mpi_cmp_int(m, 1) == 0) {
         MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
@@ -1821,13 +2730,109 @@ static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
         if (mbedtls_mpi_cmp_int(&R->Y, 0) != 0)
             MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&R->Y, &grp->P, &R->Y));
     } else {
-        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, NULL, NULL));
+        MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, R, m, P,
+                                                    NULL, NULL, rs_ctx));
     }
 
 cleanup:
     return (ret);
 }
 
+/*
+ * Restartable linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd_restartable(
+    mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+    const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+    mbedtls_ecp_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_point mP;
+    mbedtls_ecp_point *pmP = &mP;
+    mbedtls_ecp_point *pR = R;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(R   != NULL);
+    ECP_VALIDATE_RET(m   != NULL);
+    ECP_VALIDATE_RET(P   != NULL);
+    ECP_VALIDATE_RET(n   != NULL);
+    ECP_VALIDATE_RET(Q   != NULL);
+
+    if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS)
+        return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
+
+    mbedtls_ecp_point_init(&mP);
+
+    ECP_RS_ENTER(ma);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+        /* redirect intermediate results to restart context */
+        pmP = &rs_ctx->ma->mP;
+        pR  = &rs_ctx->ma->R;
+
+        /* jump to next operation */
+        if (rs_ctx->ma->state == ecp_rsma_mul2)
+            goto mul2;
+        if (rs_ctx->ma->state == ecp_rsma_add)
+            goto add;
+        if (rs_ctx->ma->state == ecp_rsma_norm)
+            goto norm;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ma != NULL)
+        rs_ctx->ma->state = ecp_rsma_mul2;
+
+mul2:
+#endif
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR,  n, Q, rs_ctx));
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp)))
+        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ma != NULL)
+        rs_ctx->ma->state = ecp_rsma_add;
+
+add:
+#endif
+    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
+    MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ma != NULL)
+        rs_ctx->ma->state = ecp_rsma_norm;
+
+norm:
+#endif
+    MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && rs_ctx->ma != NULL)
+        MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
+#endif
+
+cleanup:
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if (is_grp_capable)
+        mbedtls_internal_ecp_free(grp);
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+    mbedtls_ecp_point_free(&mP);
+
+    ECP_RS_LEAVE(ma);
+
+    return (ret);
+}
+
 /*
  * Linear combination
  * NOT constant-time
@@ -1835,44 +2840,17 @@ cleanup:
 int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
                        const mbedtls_mpi *n, const mbedtls_ecp_point *Q) {
-    int ret;
-    mbedtls_ecp_point mP;
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    char is_grp_capable = 0;
-#endif
-
-    if (ecp_get_type(grp) != ECP_TYPE_SHORT_WEIERSTRASS)
-        return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
-
-    mbedtls_ecp_point_init(&mP);
-
-    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, &mP, m, P));
-    MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, R,   n, Q));
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if (is_grp_capable = mbedtls_internal_ecp_grp_capable(grp)) {
-        MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
-    }
-
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-    MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, &mP, R));
-    MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, R));
-
-cleanup:
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if (is_grp_capable) {
-        mbedtls_internal_ecp_free(grp);
-    }
-
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-    mbedtls_ecp_point_free(&mP);
-
-    return (ret);
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(R   != NULL);
+    ECP_VALIDATE_RET(m   != NULL);
+    ECP_VALIDATE_RET(P   != NULL);
+    ECP_VALIDATE_RET(n   != NULL);
+    ECP_VALIDATE_RET(Q   != NULL);
+    return (mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL));
 }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
-
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
 /*
  * Check validity of a public key for Montgomery curves with x-only schemes
  */
@@ -1885,22 +2863,26 @@ static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_p
 
     return (0);
 }
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
 
 /*
  * Check that a point is valid as a public key
  */
-int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt) {
+int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
+                             const mbedtls_ecp_point *pt) {
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(pt  != NULL);
+
     /* Must use affine coordinates */
     if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0)
         return (MBEDTLS_ERR_ECP_INVALID_KEY);
 
-#if defined(ECP_MONTGOMERY)
-    if (ecp_get_type(grp) == ECP_TYPE_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY)
         return (ecp_check_pubkey_mx(grp, pt));
 #endif
-#if defined(ECP_SHORTWEIERSTRASS)
-    if (ecp_get_type(grp) == ECP_TYPE_SHORT_WEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS)
         return (ecp_check_pubkey_sw(grp, pt));
 #endif
     return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
@@ -1909,9 +2891,13 @@ int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp, const mbedtls_ecp_poi
 /*
  * Check that an mbedtls_mpi is valid as a private key
  */
-int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, const mbedtls_mpi *d) {
-#if defined(ECP_MONTGOMERY)
-    if (ecp_get_type(grp) == ECP_TYPE_MONTGOMERY) {
+int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
+                              const mbedtls_mpi *d) {
+    ECP_VALIDATE_RET(grp != NULL);
+    ECP_VALIDATE_RET(d   != NULL);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
         /* see RFC 7748 sec. 5 para. 5 */
         if (mbedtls_mpi_get_bit(d, 0) != 0 ||
                 mbedtls_mpi_get_bit(d, 1) != 0 ||
@@ -1924,9 +2910,9 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, const mbedtls_mpi *d
 
         return (0);
     }
-#endif /* ECP_MONTGOMERY */
-#if defined(ECP_SHORTWEIERSTRASS)
-    if (ecp_get_type(grp) == ECP_TYPE_SHORT_WEIERSTRASS) {
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
         /* see SEC1 3.2 */
         if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
                 mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0)
@@ -1934,24 +2920,29 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, const mbedtls_mpi *d
         else
             return (0);
     }
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
     return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
 }
 
 /*
- * Generate a keypair with configurable base point
+ * Generate a private key
  */
-int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
-                                 const mbedtls_ecp_point *G,
-                                 mbedtls_mpi *d, mbedtls_ecp_point *Q,
-                                 int (*f_rng)(void *, unsigned char *, size_t),
-                                 void *p_rng) {
-    int ret;
-    size_t n_size = (grp->nbits + 7) / 8;
+int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
+                            mbedtls_mpi *d,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    size_t n_size;
 
-#if defined(ECP_MONTGOMERY)
-    if (ecp_get_type(grp) == ECP_TYPE_MONTGOMERY) {
+    ECP_VALIDATE_RET(grp   != NULL);
+    ECP_VALIDATE_RET(d     != NULL);
+    ECP_VALIDATE_RET(f_rng != NULL);
+
+    n_size = (grp->nbits + 7) / 8;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
         /* [M225] page 5 */
         size_t b;
 
@@ -1973,46 +2964,72 @@ int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
         if (grp->nbits == 254) {
             MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
         }
-    } else
-#endif /* ECP_MONTGOMERY */
-#if defined(ECP_SHORTWEIERSTRASS)
-        if (ecp_get_type(grp) == ECP_TYPE_SHORT_WEIERSTRASS) {
-            /* SEC1 3.2.1: Generate d such that 1 <= n < N */
-            int count = 0;
+    }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        /* SEC1 3.2.1: Generate d such that 1 <= n < N */
+        int count = 0;
+        unsigned cmp = 0;
+
+        /*
+         * Match the procedure given in RFC 6979 (deterministic ECDSA):
+         * - use the same byte ordering;
+         * - keep the leftmost nbits bits of the generated octet string;
+         * - try until result is in the desired range.
+         * This also avoids any biais, which is especially important for ECDSA.
+         */
+        do {
+            MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_size, f_rng, p_rng));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_size - grp->nbits));
 
             /*
-             * Match the procedure given in RFC 6979 (deterministic ECDSA):
-             * - use the same byte ordering;
-             * - keep the leftmost nbits bits of the generated octet string;
-             * - try until result is in the desired range.
-             * This also avoids any biais, which is especially important for ECDSA.
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
              */
-            do {
-                MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_size, f_rng, p_rng));
-                MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_size - grp->nbits));
+            if (++count > 30) {
+                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+                goto cleanup;
+            }
 
-                /*
-                 * Each try has at worst a probability 1/2 of failing (the msb has
-                 * a probability 1/2 of being 0, and then the result will be < N),
-                 * so after 30 tries failure probability is a most 2**(-30).
-                 *
-                 * For most curves, 1 try is enough with overwhelming probability,
-                 * since N starts with a lot of 1s in binary, but some curves
-                 * such as secp224k1 are actually very close to the worst case.
-                 */
-                if (++count > 30)
-                    return (MBEDTLS_ERR_ECP_RANDOM_FAILED);
-            } while (mbedtls_mpi_cmp_int(d, 1) < 0 ||
-                     mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0);
-        } else
-#endif /* ECP_SHORTWEIERSTRASS */
-            return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+            ret = mbedtls_mpi_lt_mpi_ct(d, &grp->N, &cmp);
+            if (ret != 0) {
+                goto cleanup;
+            }
+        } while (mbedtls_mpi_cmp_int(d, 1) < 0 || cmp != 1);
+    }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
 cleanup:
-    if (ret != 0)
-        return (ret);
+    return (ret);
+}
 
-    return (mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
+                                 const mbedtls_ecp_point *G,
+                                 mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(grp   != NULL);
+    ECP_VALIDATE_RET(d     != NULL);
+    ECP_VALIDATE_RET(G     != NULL);
+    ECP_VALIDATE_RET(Q     != NULL);
+    ECP_VALIDATE_RET(f_rng != NULL);
+
+    MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
+
+cleanup:
+    return (ret);
 }
 
 /*
@@ -2022,6 +3039,11 @@ int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
                             mbedtls_mpi *d, mbedtls_ecp_point *Q,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng) {
+    ECP_VALIDATE_RET(grp   != NULL);
+    ECP_VALIDATE_RET(d     != NULL);
+    ECP_VALIDATE_RET(Q     != NULL);
+    ECP_VALIDATE_RET(f_rng != NULL);
+
     return (mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng));
 }
 
@@ -2030,7 +3052,9 @@ int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
  */
 int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
                         int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ECP_VALIDATE_RET(key   != NULL);
+    ECP_VALIDATE_RET(f_rng != NULL);
 
     if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0)
         return (ret);
@@ -2038,13 +3062,113 @@ int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
     return (mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng));
 }
 
+#define ECP_CURVE25519_KEY_SIZE 32
+/*
+ * Read a private key.
+ */
+int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                         const unsigned char *buf, size_t buflen) {
+    int ret = 0;
+
+    ECP_VALIDATE_RET(key  != NULL);
+    ECP_VALIDATE_RET(buf  != NULL);
+
+    if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0)
+        return (ret);
+
+    ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+        /*
+         * If it is Curve25519 curve then mask the key as mandated by RFC7748
+         */
+        if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
+            if (buflen != ECP_CURVE25519_KEY_SIZE)
+                return MBEDTLS_ERR_ECP_INVALID_KEY;
+
+            MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
+
+            /* Set the three least significant bits to 0 */
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
+
+            /* Set the most significant bit to 0 */
+            MBEDTLS_MPI_CHK(
+                mbedtls_mpi_set_bit(&key->d,
+                                    ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
+            );
+
+            /* Set the second most significant bit to 1 */
+            MBEDTLS_MPI_CHK(
+                mbedtls_mpi_set_bit(&key->d,
+                                    ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
+            );
+        } else
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+    }
+
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
+
+        MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
+    }
+
+#endif
+cleanup:
+
+    if (ret != 0)
+        mbedtls_mpi_free(&key->d);
+
+    return (ret);
+}
+
+/*
+ * Write a private key.
+ */
+int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+                          unsigned char *buf, size_t buflen) {
+    int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+    ECP_VALIDATE_RET(key != NULL);
+    ECP_VALIDATE_RET(buf != NULL);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+        if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
+            if (buflen < ECP_CURVE25519_KEY_SIZE)
+                return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+
+            MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
+        } else
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+    }
+
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
+    }
+
+#endif
+cleanup:
+
+    return (ret);
+}
+
+
 /*
  * Check a public-private key pair
  */
 int mbedtls_ecp_check_pub_priv(const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_point Q;
     mbedtls_ecp_group grp;
+    ECP_VALIDATE_RET(pub != NULL);
+    ECP_VALIDATE_RET(prv != NULL);
 
     if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
             pub->grp.id != prv->grp.id ||
@@ -2079,31 +3203,132 @@ cleanup:
 
 #if defined(MBEDTLS_SELF_TEST)
 
+/* Adjust the exponent to be a valid private point for the specified curve.
+ * This is sometimes necessary because we use a single set of exponents
+ * for all curves but the validity of values depends on the curve. */
+static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
+                                     mbedtls_mpi *m) {
+    int ret = 0;
+    switch (grp->id) {
+            /* If Curve25519 is available, then that's what we use for the
+             * Montgomery test, so we don't need the adjustment code. */
+#if ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE448:
+            /* Move highest bit from 254 to N-1. Setting bit N-1 is
+             * necessary to enforce the highest-bit-set constraint. */
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
+            MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
+            /* Copy second-highest bit from 253 to N-2. This is not
+             * necessary but improves the test variety a bit. */
+            MBEDTLS_MPI_CHK(
+                mbedtls_mpi_set_bit(m, grp->nbits - 1,
+                                    mbedtls_mpi_get_bit(m, 253)));
+            break;
+#endif
+#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
+        default:
+            /* Non-Montgomery curves and Curve25519 need no adjustment. */
+            (void) grp;
+            (void) m;
+            goto cleanup;
+    }
+cleanup:
+    return (ret);
+}
+
+/* Calculate R = m.P for each m in exponents. Check that the number of
+ * basic operations doesn't depend on the value of m. */
+static int self_test_point(int verbose,
+                           mbedtls_ecp_group *grp,
+                           mbedtls_ecp_point *R,
+                           mbedtls_mpi *m,
+                           const mbedtls_ecp_point *P,
+                           const char *const *exponents,
+                           size_t n_exponents) {
+    int ret = 0;
+    size_t i = 0;
+    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
+    MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, NULL, NULL));
+
+    for (i = 1; i < n_exponents; i++) {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
+        MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, NULL, NULL));
+
+        if (add_count != add_c_prev ||
+                dbl_count != dbl_c_prev ||
+                mul_count != mul_c_prev) {
+            ret = 1;
+            break;
+        }
+    }
+
+cleanup:
+    if (verbose != 0) {
+        if (ret != 0)
+            mbedtls_printf("failed (%u)\n", (unsigned int) i);
+        else
+            mbedtls_printf("passed\n");
+    }
+    return (ret);
+}
+
 /*
  * Checkup routine
  */
 int mbedtls_ecp_self_test(int verbose) {
-    int ret;
-    size_t i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_group grp;
     mbedtls_ecp_point R, P;
     mbedtls_mpi m;
-    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
-    /* exponents especially adapted for secp192r1 */
-    const char *exponents[] = {
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+    /* Exponents especially adapted for secp192k1, which has the lowest
+     * order n of all supported curves (secp192r1 is in a slightly larger
+     * field but the order of its base point is slightly smaller). */
+    const char *sw_exponents[] = {
         "000000000000000000000000000000000000000000000001", /* one */
-        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
+        "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
         "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
         "400000000000000000000000000000000000000000000000", /* one and zeros */
         "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
         "555555555555555555555555555555555555555555555555", /* 101010... */
     };
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+    const char *m_exponents[] = {
+        /* Valid private values for Curve25519. In a build with Curve448
+         * but not Curve25519, they will be adjusted in
+         * self_test_adjust_exponent(). */
+        "4000000000000000000000000000000000000000000000000000000000000000",
+        "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
+        "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
+        "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
+        "5555555555555555555555555555555555555555555555555555555555555550",
+        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
+    };
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
 
     mbedtls_ecp_group_init(&grp);
     mbedtls_ecp_point_init(&R);
     mbedtls_ecp_point_init(&P);
     mbedtls_mpi_init(&m);
 
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
     /* Use secp192r1 if available, or any available curve */
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
     MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
@@ -2112,82 +3337,53 @@ int mbedtls_ecp_self_test(int verbose) {
 #endif
 
     if (verbose != 0)
-        mbedtls_printf("  ECP test #1 (constant op_count, base point G): ");
-
+        mbedtls_printf("  ECP SW test #1 (constant op_count, base point G): ");
     /* Do a dummy multiplication first to trigger precomputation */
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
     MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, NULL, NULL));
-
-    add_count = 0;
-    dbl_count = 0;
-    mul_count = 0;
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&m, 16, exponents[0]));
-    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &R, &m, &grp.G, NULL, NULL));
-
-    for (i = 1; i < sizeof(exponents) / sizeof(exponents[0]); i++) {
-        add_c_prev = add_count;
-        dbl_c_prev = dbl_count;
-        mul_c_prev = mul_count;
-        add_count = 0;
-        dbl_count = 0;
-        mul_count = 0;
-
-        MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&m, 16, exponents[i]));
-        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &R, &m, &grp.G, NULL, NULL));
-
-        if (add_count != add_c_prev ||
-                dbl_count != dbl_c_prev ||
-                mul_count != mul_c_prev) {
-            if (verbose != 0)
-                mbedtls_printf("failed (%u)\n", (unsigned int) i);
-
-            ret = 1;
-            goto cleanup;
-        }
-    }
+    ret = self_test_point(verbose,
+                          &grp, &R, &m, &grp.G,
+                          sw_exponents,
+                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+    if (ret != 0)
+        goto cleanup;
 
     if (verbose != 0)
-        mbedtls_printf("passed\n");
-
-    if (verbose != 0)
-        mbedtls_printf("  ECP test #2 (constant op_count, other point): ");
+        mbedtls_printf("  ECP SW test #2 (constant op_count, other point): ");
     /* We computed P = 2G last time, use it */
+    ret = self_test_point(verbose,
+                          &grp, &R, &m, &P,
+                          sw_exponents,
+                          sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+    if (ret != 0)
+        goto cleanup;
 
-    add_count = 0;
-    dbl_count = 0;
-    mul_count = 0;
-    MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&m, 16, exponents[0]));
-    MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &R, &m, &P, NULL, NULL));
-
-    for (i = 1; i < sizeof(exponents) / sizeof(exponents[0]); i++) {
-        add_c_prev = add_count;
-        dbl_c_prev = dbl_count;
-        mul_c_prev = mul_count;
-        add_count = 0;
-        dbl_count = 0;
-        mul_count = 0;
-
-        MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&m, 16, exponents[i]));
-        MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &R, &m, &P, NULL, NULL));
-
-        if (add_count != add_c_prev ||
-                dbl_count != dbl_c_prev ||
-                mul_count != mul_c_prev) {
-            if (verbose != 0)
-                mbedtls_printf("failed (%u)\n", (unsigned int) i);
-
-            ret = 1;
-            goto cleanup;
-        }
-    }
+    mbedtls_ecp_group_free(&grp);
+    mbedtls_ecp_point_free(&R);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
     if (verbose != 0)
-        mbedtls_printf("passed\n");
+        mbedtls_printf("  ECP Montgomery test (constant op_count): ");
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
+#else
+#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
+#endif
+    ret = self_test_point(verbose,
+                          &grp, &R, &m, &grp.G,
+                          m_exponents,
+                          sizeof(m_exponents) / sizeof(m_exponents[0]));
+    if (ret != 0)
+        goto cleanup;
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
 
 cleanup:
 
     if (ret < 0 && verbose != 0)
-        mbedtls_printf("Unexpected error, return code = %08X\n", ret);
+        mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
 
     mbedtls_ecp_group_free(&grp);
     mbedtls_ecp_point_free(&R);
diff --git a/common/mbedtls/ecp.h b/common/mbedtls/ecp.h
index 1c4bdd65c..9ea47ea82 100644
--- a/common/mbedtls/ecp.h
+++ b/common/mbedtls/ecp.h
@@ -15,30 +15,32 @@
  */
 
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H
 
-#include "bignum.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/bignum.h"
 
 /*
  * ECP error codes
@@ -51,8 +53,32 @@
 #define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as ephemeral key, failed. */
 #define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */
 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< The ECP hardware accelerator failed. */
 
+#define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00  /**< Operation in progress, call again with the same parameters to continue. */
+
+/* Flags indicating whether to include code that is specific to certain
+ * types of curves. These flags are for internal library use only. */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MONTGOMERY_ENABLED
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -66,6 +92,20 @@ extern "C" {
  * parameters. Therefore, only standardized domain parameters from trusted
  * sources should be used. See mbedtls_ecp_group_load().
  */
+/* Note: when adding a new curve:
+ * - Add it at the end of this enum, otherwise you'll break the ABI by
+ *   changing the numerical value for existing curves.
+ * - Increment MBEDTLS_ECP_DP_MAX below if needed.
+ * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
+ *   config.h.
+ * - List the curve as a dependency of MBEDTLS_ECP_C and
+ *   MBEDTLS_ECDSA_C if supported in check_config.h.
+ * - Add the curve to the appropriate curve type macro
+ *   MBEDTLS_ECP_yyy_ENABLED above.
+ * - Add the necessary definitions to ecp_curves.c.
+ * - Add the curve to the ecp_supported_curves array in ecp.c.
+ * - Add the curve to applicable profiles in x509_crt.c if applicable.
+ */
 typedef enum {
     MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */
     MBEDTLS_ECP_DP_SECP192R1,      /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
@@ -91,6 +131,15 @@ typedef enum {
  */
 #define MBEDTLS_ECP_DP_MAX     12
 
+/*
+ * Curve types
+ */
+typedef enum {
+    MBEDTLS_ECP_TYPE_NONE = 0,
+    MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
+    MBEDTLS_ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
+} mbedtls_ecp_curve_type;
+
 /**
  * Curve information, for use by other modules.
  */
@@ -155,6 +204,10 @@ mbedtls_ecp_point;
  * additions or subtractions. Therefore, it is only an approximative modular
  * reduction. It must return 0 on success and non-zero on failure.
  *
+ * \note        Alternative implementations must keep the group IDs distinct. If
+ *              two group structures have the same ID, then they must be
+ *              identical.
+ *
  */
 typedef struct mbedtls_ecp_group {
     mbedtls_ecp_group_id id;    /*!< An internal group identifier. */
@@ -242,6 +295,69 @@ mbedtls_ecp_group;
 #include "ecp_alt.h"
 #endif /* MBEDTLS_ECP_ALT */
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for multiplication
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief           Internal restart context for ecp_muladd()
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief           General context for resuming ECC operations
+ */
+typedef struct {
+    unsigned ops_done;                  /*!<  current ops count             */
+    unsigned depth;                     /*!<  call depth (0 = top-level)    */
+    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */
+    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK   3 /*!< basic ops count for ecp_check_pubkey()  */
+#define MBEDTLS_ECP_OPS_DBL   8 /*!< basic ops count for ecp_double_jac()    */
+#define MBEDTLS_ECP_OPS_ADD  11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv()  */
+
+/**
+ * \brief           Internal; for restartable functions in other modules.
+ *                  Check and update basic ops budget.
+ *
+ * \param grp       Group structure
+ * \param rs_ctx    Restart context
+ * \param ops       Number of basic ops to do
+ *
+ * \return          \c 0 if doing \p ops basic ops is still allowed,
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
+                             mbedtls_ecp_restart_ctx *rs_ctx,
+                             unsigned ops);
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
+                                               (unsigned) (ops) ) );
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET( ops )   /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /**
  * \brief    The ECP key-pair structure.
  *
@@ -268,11 +384,91 @@ mbedtls_ecp_keypair;
  */
 #define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< The named_curve of ECCurveType. */
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Set the maximum number of basic operations done in a row.
+ *
+ *                  If more operations are needed to complete a computation,
+ *                  #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ *                  function performing the computation. It is then the
+ *                  caller's responsibility to either call again with the same
+ *                  parameters until it returns 0 or an error code; or to free
+ *                  the restart context if the operation is to be aborted.
+ *
+ *                  It is strictly required that all input parameters and the
+ *                  restart context be the same on successive calls for the
+ *                  same operation, but output parameters need not be the
+ *                  same; they must not be used until the function finally
+ *                  returns 0.
+ *
+ *                  This only applies to functions whose documentation
+ *                  mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ *                  #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ *                  SSL module). For functions that accept a "restart context"
+ *                  argument, passing NULL disables restart and makes the
+ *                  function equivalent to the function with the same name
+ *                  with \c _restartable removed. For functions in the ECDH
+ *                  module, restart is disabled unless the function accepts
+ *                  an "ECDH context" argument and
+ *                  mbedtls_ecdh_enable_restart() was previously called on
+ *                  that context. For function in the SSL module, restart is
+ *                  only enabled for specific sides and key exchanges
+ *                  (currently only for clients and ECDHE-ECDSA).
+ *
+ * \param max_ops   Maximum number of basic operations done in a row.
+ *                  Default: 0 (unlimited).
+ *                  Lower (non-zero) values mean ECC functions will block for
+ *                  a lesser maximum amount of time.
+ *
+ * \note            A "basic operation" is defined as a rough equivalent of a
+ *                  multiplication in GF(p) for the NIST P-256 curve.
+ *                  As an indication, with default settings, a scalar
+ *                  multiplication (full run of \c mbedtls_ecp_mul()) is:
+ *                  - about 3300 basic operations for P-256
+ *                  - about 9400 basic operations for P-384
+ *
+ * \note            Very low values are not always respected: sometimes
+ *                  functions need to block for a minimum number of
+ *                  operations, and will do so even if max_ops is set to a
+ *                  lower value.  That minimum depends on the curve size, and
+ *                  can be made lower by decreasing the value of
+ *                  \c MBEDTLS_ECP_WINDOW_SIZE.  As an indication, here is the
+ *                  lowest effective value for various curves and values of
+ *                  that parameter (w for short):
+ *                          w=6     w=5     w=4     w=3     w=2
+ *                  P-256   208     208     160     136     124
+ *                  P-384   682     416     320     272     248
+ *                  P-521  1364     832     640     544     496
+ *
+ * \note            This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops(unsigned max_ops);
+
+/**
+ * \brief           Check if restart is enabled (max_ops != 0)
+ *
+ * \return          \c 0 if \c max_ops == 0 (restart disabled)
+ * \return          \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled(void);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get the type of a curve
+ */
+mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp);
+
 /**
  * \brief           This function retrieves the information defined in
  *                  mbedtls_ecp_curve_info() for all supported curves in order
  *                  of preference.
  *
+ * \note            This function returns information about all curves
+ *                  supported by the library. Some curves may not be
+ *                  supported for all algorithms. Call mbedtls_ecdh_can_do()
+ *                  or mbedtls_ecdsa_can_do() to check if a curve is
+ *                  supported for ECDH or ECDSA.
+ *
  * \return          A statically allocated array. The last entry is 0.
  */
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void);
@@ -282,6 +478,12 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void);
  *                  identifiers of all supported curves in the order of
  *                  preference.
  *
+ * \note            This function returns information about all curves
+ *                  supported by the library. Some curves may not be
+ *                  supported for all algorithms. Call mbedtls_ecdh_can_do()
+ *                  or mbedtls_ecdsa_can_do() to check if a curve is
+ *                  supported for ECDH or ECDSA.
+ *
  * \return          A statically allocated array,
  *                  terminated with MBEDTLS_ECP_DP_NONE.
  */
@@ -333,7 +535,7 @@ void mbedtls_ecp_point_init(mbedtls_ecp_point *pt);
  *
  * \note            After this function is called, domain parameters
  *                  for various ECP groups can be loaded through the
- *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group()
+ *                  mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
  *                  functions.
  */
 void mbedtls_ecp_group_init(mbedtls_ecp_group *grp);
@@ -354,25 +556,51 @@ void mbedtls_ecp_point_free(mbedtls_ecp_point *pt);
 
 /**
  * \brief           This function frees the components of an ECP group.
- * \param grp       The group to free.
+ *
+ * \param grp       The group to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP group.
  */
 void mbedtls_ecp_group_free(mbedtls_ecp_group *grp);
 
 /**
  * \brief           This function frees the components of a key pair.
- * \param key       The key pair to free.
+ *
+ * \param key       The key pair to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP key pair.
  */
 void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key);
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx);
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /**
  * \brief           This function copies the contents of point \p Q into
  *                  point \p P.
  *
- * \param P         The destination point.
- * \param Q         The source point.
+ * \param P         The destination point. This must be initialized.
+ * \param Q         The source point. This must be initialized.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code for other kinds of failure.
  */
 int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q);
 
@@ -380,31 +608,35 @@ int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q);
  * \brief           This function copies the contents of group \p src into
  *                  group \p dst.
  *
- * \param dst       The destination group.
- * \param src       The source group.
+ * \param dst       The destination group. This must be initialized.
+ * \param src       The source group. This must be initialized.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src);
+int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst,
+                           const mbedtls_ecp_group *src);
 
 /**
- * \brief           This function sets a point to zero.
+ * \brief           This function sets a point to the point at infinity.
  *
- * \param pt        The point to set.
+ * \param pt        The point to set. This must be initialized.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt);
 
 /**
- * \brief           This function checks if a point is zero.
+ * \brief           This function checks if a point is the point at infinity.
  *
- * \param pt        The point to test.
+ * \param pt        The point to test. This must be initialized.
  *
  * \return          \c 1 if the point is zero.
  * \return          \c 0 if the point is non-zero.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt);
 
@@ -414,8 +646,8 @@ int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt);
  * \note            This assumes that the points are normalized. Otherwise,
  *                  they may compare as "not equal" even if they are.
  *
- * \param P         The first point to compare.
- * \param Q         The second point to compare.
+ * \param P         The first point to compare. This must be initialized.
+ * \param Q         The second point to compare. This must be initialized.
  *
  * \return          \c 0 if the points are equal.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
@@ -427,7 +659,7 @@ int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
  * \brief           This function imports a non-zero point from two ASCII
  *                  strings.
  *
- * \param P         The destination point.
+ * \param P         The destination point. This must be initialized.
  * \param radix     The numeric base of the input.
  * \param x         The first affine coordinate, as a null-terminated string.
  * \param y         The second affine coordinate, as a null-terminated string.
@@ -442,17 +674,29 @@ int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
  * \brief           This function exports a point into unsigned binary data.
  *
  * \param grp       The group to which the point should belong.
- * \param P         The point to export.
- * \param format    The point format. Should be an \c MBEDTLS_ECP_PF_XXX macro.
- * \param olen      The length of the output.
- * \param buf       The output buffer.
- * \param buflen    The length of the output buffer.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The point to export. This must be initialized.
+ * \param format    The point format. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ *                  (For groups without these formats, this parameter is
+ *                  ignored. But it still has to be either of the above
+ *                  values.)
+ * \param olen      The address at which to store the length of
+ *                  the output in Bytes. This must not be \c NULL.
+ * \param buf       The output buffer. This must be a writable buffer
+ *                  of length \p buflen Bytes.
+ * \param buflen    The length of the output buffer \p buf in Bytes.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA
- *                  or #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ *                  is too small to hold the point.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ *                  or the export for the given group is not implemented.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
+                                   const mbedtls_ecp_point *P,
                                    int format, size_t *olen,
                                    unsigned char *buf, size_t buflen);
 
@@ -464,108 +708,158 @@ int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp, const mbedtls_e
  *                  for that.
  *
  * \param grp       The group to which the point should belong.
- * \param P         The point to import.
- * \param buf       The input buffer.
- * \param ilen      The length of the input.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The destination context to import the point to.
+ *                  This must be initialized.
+ * \param buf       The input buffer. This must be a readable buffer
+ *                  of length \p ilen Bytes.
+ * \param ilen      The length of the input buffer \p buf in Bytes.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
- *                  is not implemented.
- *
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the
+ *                  given group is not implemented.
  */
-int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
+                                  mbedtls_ecp_point *P,
                                   const unsigned char *buf, size_t ilen);
 
 /**
  * \brief           This function imports a point from a TLS ECPoint record.
  *
- * \note            On function return, \p buf is updated to point to immediately
+ * \note            On function return, \p *buf is updated to point immediately
  *                  after the ECPoint record.
  *
- * \param grp       The ECP group used.
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
  * \param pt        The destination point.
  * \param buf       The address of the pointer to the start of the input buffer.
  * \param len       The length of the buffer.
  *
  * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ *                  failure.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
  */
-int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
+                               mbedtls_ecp_point *pt,
                                const unsigned char **buf, size_t len);
 
 /**
- * \brief           This function exports a point as a TLS ECPoint record.
+ * \brief           This function exports a point as a TLS ECPoint record
+ *                  defined in RFC 4492, Section 5.4.
  *
- * \param grp       The ECP group used.
- * \param pt        The point format to export to. The point format is an
- *                  \c MBEDTLS_ECP_PF_XXX constant.
- * \param format    The export format.
- * \param olen      The length of the data written.
- * \param buf       The buffer to write to.
- * \param blen      The length of the buffer.
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to be exported. This must be initialized.
+ * \param format    The point format to use. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length in Bytes
+ *                  of the data written.
+ * \param buf       The target buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the target buffer \p buf in Bytes.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA or
- *                  #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ *                  is too small to hold the exported point.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp,
+                                const mbedtls_ecp_point *pt,
                                 int format, size_t *olen,
                                 unsigned char *buf, size_t blen);
 
 /**
- * \brief           This function sets a group using standardized domain parameters.
+ * \brief           This function sets up an ECP group context
+ *                  from a standardized set of domain parameters.
  *
  * \note            The index should be a value of the NamedCurve enum,
  *                  as defined in <em>RFC-4492: Elliptic Curve Cryptography
  *                  (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
  *                  usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
  *
- * \param grp       The destination group.
+ * \param grp       The group context to setup. This must be initialized.
  * \param id        The identifier of the domain parameter set to load.
  *
- * \return          \c 0 on success,
- * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
- * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unknown groups.
-
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ *                  correspond to a known group.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id);
 
 /**
- * \brief           This function sets a group from a TLS ECParameters record.
+ * \brief           This function sets up an ECP group context from a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
  *
- * \note            \p buf is updated to point right after the ECParameters record
- *                  on exit.
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
  *
- * \param grp       The destination group.
+ * \param grp       The group context to setup. This must be initialized.
  * \param buf       The address of the pointer to the start of the input buffer.
- * \param len       The length of the buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
  *
  * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp, const unsigned char **buf, size_t len);
+int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
+                               const unsigned char **buf, size_t len);
 
 /**
- * \brief           This function writes the TLS ECParameters record for a group.
+ * \brief           This function extracts an elliptic curve group ID from a
+ *                  TLS ECParameters record as defined in RFC 4492, Section 5.4.
  *
- * \param grp       The ECP group used.
- * \param olen      The number of Bytes written.
- * \param buf       The buffer to write to.
- * \param blen      The length of the buffer.
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The address at which to store the group id.
+ *                  This must not be \c NULL.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
+int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
+                                  const unsigned char **buf,
+                                  size_t len);
+/**
+ * \brief           This function exports an elliptic curve as a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to be exported.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The buffer to write to. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ *                  buffer is too small to hold the exported group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
+                                size_t *olen,
                                 unsigned char *buf, size_t blen);
 
 /**
- * \brief           This function performs multiplication of a point by
- *                  an integer: \p R = \p m * \p P.
+ * \brief           This function performs a scalar multiplication of a point
+ *                  by an integer: \p R = \p m * \p P.
  *
  *                  It is not thread-safe to use same group in multiple threads.
  *
@@ -578,23 +872,67 @@ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
  *                  intermediate results to prevent potential timing attacks
  *                  targeting these results. We recommend always providing
  *                  a non-NULL \p f_rng. The overhead is negligible.
+ *                  Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
+ *                  \p f_rng is NULL, an internal RNG (seeded from the value
+ *                  of \p m) will be used instead.
  *
- * \param grp       The ECP group.
- * \param R         The destination point.
- * \param m         The integer by which to multiply.
- * \param P         The point to multiply.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
  *                  key, or \p P is not a valid public key.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                     const mbedtls_mpi *m, const mbedtls_ecp_point *P,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
 
+/**
+ * \brief           This function performs multiplication of a point by
+ *                  an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see             mbedtls_ecp_mul()
+ *
+ * \note            This function does the same as \c mbedtls_ecp_mul(), but
+ *                  it can return early and restart according to the limit set
+ *                  with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                                const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                mbedtls_ecp_restart_ctx *rs_ctx);
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 /**
  * \brief           This function performs multiplication and addition of two
  *                  points by integers: \p R = \p m * \p P + \p n * \p Q
@@ -604,23 +942,83 @@ int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  * \note            In contrast to mbedtls_ecp_mul(), this function does not
  *                  guarantee a constant execution flow and timing.
  *
- * \param grp       The ECP group.
- * \param R         The destination point.
+ * \note            This function is only defined for short Weierstrass curves.
+ *                  It may not be included in builds without any short
+ *                  Weierstrass curve.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
  * \param m         The integer by which to multiply \p P.
- * \param P         The point to multiply by \p m.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
  * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
  * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
  *                  valid private keys, or \p P or \p Q are not valid public
  *                  keys.
  * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ *                  designate a short Weierstrass curve.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
                        const mbedtls_mpi *n, const mbedtls_ecp_point *Q);
 
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ *                  restartable way.
+ *
+ * \see             \c mbedtls_ecp_muladd()
+ *
+ * \note            This function works the same as \c mbedtls_ecp_muladd(),
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note            This function is only defined for short Weierstrass curves.
+ *                  It may not be included in builds without any short
+ *                  Weierstrass curve.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ *                  designate a short Weierstrass curve.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd_restartable(
+    mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+    const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+    const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+    mbedtls_ecp_restart_ctx *rs_ctx);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
 /**
  * \brief           This function checks that a point is a valid public key
  *                  on this curve.
@@ -638,30 +1036,60 @@ int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  *                  structures, such as ::mbedtls_ecdh_context or
  *                  ::mbedtls_ecdsa_context.
  *
- * \param grp       The curve the point should lie on.
- * \param pt        The point to check.
+ * \param grp       The ECP group the point should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to check. This must be initialized.
  *
  * \return          \c 0 if the point is a valid public key.
- * \return          #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ *                  a valid public key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt);
+int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
+                             const mbedtls_ecp_point *pt);
 
 /**
- * \brief           This function checks that an \p mbedtls_mpi is a valid private
- *                  key for this curve.
+ * \brief           This function checks that an \p mbedtls_mpi is a
+ *                  valid private key for this curve.
  *
  * \note            This function uses bare components rather than an
  *                  ::mbedtls_ecp_keypair structure to ease use with other
  *                  structures, such as ::mbedtls_ecdh_context or
  *                  ::mbedtls_ecdsa_context.
  *
- * \param grp       The group used.
- * \param d         The integer to check.
+ * \param grp       The ECP group the private key should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The integer to check. This must be initialized.
  *
  * \return          \c 0 if the point is a valid private key.
- * \return          #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ *                  private key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, const mbedtls_mpi *d);
+int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
+                              const mbedtls_mpi *d);
+
+/**
+ * \brief           This function generates a private key.
+ *
+ * \param grp       The ECP group to generate a private key for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part). This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
+                            mbedtls_mpi *d,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
 
 /**
  * \brief           This function generates a keypair with a configurable base
@@ -672,12 +1100,19 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, const mbedtls_mpi *d
  *                  structures, such as ::mbedtls_ecdh_context or
  *                  ::mbedtls_ecdsa_context.
  *
- * \param grp       The ECP group.
- * \param G         The chosen base point.
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param G         The base point to use. This must be initialized
+ *                  and belong to \p grp. It replaces the default base
+ *                  point \c grp->G used by mbedtls_ecp_gen_keypair().
  * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
  * \param Q         The destination point (public part).
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
@@ -697,17 +1132,23 @@ int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
  *                  structures, such as ::mbedtls_ecdh_context or
  *                  ::mbedtls_ecdsa_context.
  *
- * \param grp       The ECP group.
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
  * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
  * \param Q         The destination point (public part).
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
  *                  on failure.
  */
-int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
+                            mbedtls_ecp_point *Q,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng);
 
@@ -715,16 +1156,58 @@ int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_
  * \brief           This function generates an ECP key.
  *
  * \param grp_id    The ECP group identifier.
- * \param key       The destination key.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
+ * \param key       The destination key. This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
  *                  on failure.
  */
 int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
-                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng);
+
+/**
+ * \brief           This function reads an elliptic curve private key.
+ *
+ * \param grp_id    The ECP group identifier.
+ * \param key       The destination key.
+ * \param buf       The the buffer containing the binary representation of the
+ *                  key. (Big endian integer for Weierstrass curves, byte
+ *                  string for Montgomery curves.)
+ * \param buflen    The length of the buffer in bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is
+ *                  invalid.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ *                  the group is not implemented.
+ * \return          Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                         const unsigned char *buf, size_t buflen);
+
+/**
+ * \brief           This function exports an elliptic curve private key.
+ *
+ * \param key       The private key.
+ * \param buf       The output buffer for containing the binary representation
+ *                  of the key. (Big endian integer for Weierstrass curves, byte
+ *                  string for Montgomery curves.)
+ * \param buflen    The total length of the buffer in bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
+                    representation is larger than the available space in \p buf.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ *                  the group is not implemented.
+ * \return          Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+                          unsigned char *buf, size_t buflen);
 
 /**
  * \brief           This function checks that the keypair objects
@@ -732,16 +1215,19 @@ int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
  *                  same public point, and that the private key in
  *                  \p prv is consistent with the public key.
  *
- * \param pub       The keypair structure holding the public key.
- *                  If it contains a private key, that part is ignored.
+ * \param pub       The keypair structure holding the public key. This
+ *                  must be initialized. If it contains a private key, that
+ *                  part is ignored.
  * \param prv       The keypair structure holding the full keypair.
+ *                  This must be initialized.
  *
  * \return          \c 0 on success, meaning that the keys are valid and match.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
  *                  error code on calculation failure.
  */
-int mbedtls_ecp_check_pub_priv(const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv);
+int mbedtls_ecp_check_pub_priv(const mbedtls_ecp_keypair *pub,
+                               const mbedtls_ecp_keypair *prv);
 
 #if defined(MBEDTLS_SELF_TEST)
 
diff --git a/common/mbedtls/ecp_curves.c b/common/mbedtls/ecp_curves.c
index 8242c9076..5b481565b 100644
--- a/common/mbedtls/ecp_curves.c
+++ b/common/mbedtls/ecp_curves.c
@@ -1,40 +1,40 @@
 /*
  *  Elliptic curves over GF(p): curve-specific data and functions
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ECP_C)
 
 #include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_ECP_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
     !defined(inline) && !defined(__cplusplus)
 #define inline __inline
@@ -46,11 +46,11 @@
  */
 #if defined(MBEDTLS_HAVE_INT32)
 
-#define BYTES_TO_T_UINT_4( a, b, c, d )             \
-    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
-    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
-    ( (mbedtls_mpi_uint) c << 16 ) |                          \
-    ( (mbedtls_mpi_uint) d << 24 )
+#define BYTES_TO_T_UINT_4( a, b, c, d )                       \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 )
 
 #define BYTES_TO_T_UINT_2( a, b )                   \
     BYTES_TO_T_UINT_4( a, b, 0, 0 )
@@ -62,14 +62,14 @@
 #else /* 64-bits */
 
 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
-    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
-    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
-    ( (mbedtls_mpi_uint) c << 16 ) |                          \
-    ( (mbedtls_mpi_uint) d << 24 ) |                          \
-    ( (mbedtls_mpi_uint) e << 32 ) |                          \
-    ( (mbedtls_mpi_uint) f << 40 ) |                          \
-    ( (mbedtls_mpi_uint) g << 48 ) |                          \
-    ( (mbedtls_mpi_uint) h << 56 )
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 ) |                        \
+    ( (mbedtls_mpi_uint) (e) << 32 ) |                        \
+    ( (mbedtls_mpi_uint) (f) << 40 ) |                        \
+    ( (mbedtls_mpi_uint) (g) << 48 ) |                        \
+    ( (mbedtls_mpi_uint) (h) << 56 )
 
 #define BYTES_TO_T_UINT_4( a, b, c, d )             \
     BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
@@ -587,6 +587,23 @@ static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
 };
 #endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
 
+#if defined(MBEDTLS_ECP_DP_SECP128R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+#endif
+
+#if defined(ECP_LOAD_GROUP)
 /*
  * Create an MPI from embedded constants
  * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
@@ -634,6 +651,7 @@ static int ecp_group_load(mbedtls_ecp_group *grp,
 
     return (0);
 }
+#endif /* ECP_LOAD_GROUP */
 
 #if defined(MBEDTLS_ECP_NIST_OPTIM)
 /* Forward declarations */
@@ -675,28 +693,30 @@ static int ecp_mod_p224k1(mbedtls_mpi *);
 static int ecp_mod_p256k1(mbedtls_mpi *);
 #endif
 
+#if defined(ECP_LOAD_GROUP)
 #define LOAD_GROUP_A( G )   ecp_group_load( grp,            \
-                                            G ## _p,  sizeof( G ## _p  ),   \
-                                            G ## _a,  sizeof( G ## _a  ),   \
-                                            G ## _b,  sizeof( G ## _b  ),   \
-                                            G ## _gx, sizeof( G ## _gx ),   \
-                                            G ## _gy, sizeof( G ## _gy ),   \
-                                            G ## _n,  sizeof( G ## _n  ) )
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            G ## _a,  sizeof( G ## _a  ),   \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
 
 #define LOAD_GROUP( G )     ecp_group_load( grp,            \
-                                            G ## _p,  sizeof( G ## _p  ),   \
-                                            NULL,     0,                    \
-                                            G ## _b,  sizeof( G ## _b  ),   \
-                                            G ## _gx, sizeof( G ## _gx ),   \
-                                            G ## _gy, sizeof( G ## _gy ),   \
-                                            G ## _n,  sizeof( G ## _n  ) )
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            NULL,     0,                    \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+#endif /* ECP_LOAD_GROUP */
 
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
 /*
  * Specialized function for creating the Curve25519 group
  */
 static int ecp_use_curve25519(mbedtls_ecp_group *grp) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     /* Actually ( A + 2 ) / 4 */
     MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&grp->A, 16, "01DB42"));
@@ -735,7 +755,7 @@ cleanup:
  */
 static int ecp_use_curve448(mbedtls_ecp_group *grp) {
     mbedtls_mpi Ns;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     mbedtls_mpi_init(&Ns);
 
@@ -778,6 +798,7 @@ cleanup:
  * Set a group using well-known domain parameters
  */
 int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) {
+    ECP_VALIDATE_RET(grp != NULL);
     mbedtls_ecp_group_free(grp);
 
     grp->id = id;
@@ -788,6 +809,7 @@ int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) {
             grp->modp = NULL;
             return (LOAD_GROUP_A(secp128r1));
 #endif /* MBEDTLS_ECP_DP_SECP128R1_ENABLED */
+
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
         case MBEDTLS_ECP_DP_SECP192R1:
             NIST_MODP(p192);
@@ -864,7 +886,7 @@ int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) {
 #endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
 
         default:
-            mbedtls_ecp_group_free(grp);
+            grp->id = MBEDTLS_ECP_DP_NONE;
             return (MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
     }
 }
@@ -916,7 +938,7 @@ static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry) {
 }
 
 #define WIDTH       8 / sizeof( mbedtls_mpi_uint )
-#define A( i )      N->p + i * WIDTH
+#define A( i )      N->p + (i) * WIDTH
 #define ADD( i )    add64( p, A( i ), &c )
 #define NEXT        p += WIDTH; carry64( p, &c )
 #define LAST        p += WIDTH; *p = c; while( ++p < end ) *p = 0
@@ -925,7 +947,7 @@ static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry) {
  * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
  */
 static int ecp_mod_p192(mbedtls_mpi *N) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi_uint c = 0;
     mbedtls_mpi_uint *p, *end;
 
@@ -987,7 +1009,8 @@ cleanup:
 #else                               /* 64-bit */
 
 #define MAX32       N->n * 2
-#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
+#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
+                         (uint32_t)( N->p[(j)/2] )
 #define STORE32                                   \
     if( i % 2 ) {                                 \
         N->p[i/2] &= 0x00000000FFFFFFFF;          \
@@ -1019,20 +1042,21 @@ static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry) {
  * Helpers for the main 'loop'
  * (see fix_negative for the motivation of C)
  */
-#define INIT( b )                                           \
-    int ret;                                                \
-    signed char c = 0, cc;                                  \
-    uint32_t cur;                                           \
-    size_t i = 0, bits = b;                                 \
-    mbedtls_mpi C;                                                  \
-    mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ];               \
-    \
-    C.s = 1;                                                \
-    C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
-    C.p = Cp;                                               \
-    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                \
-    \
-    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
+#define INIT( b )                                                       \
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;                                                            \
+    signed char c = 0, cc;                                              \
+    uint32_t cur;                                                       \
+    size_t i = 0, bits = (b);                                           \
+    mbedtls_mpi C;                                                      \
+    mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ];     \
+                                                                        \
+    C.s = 1;                                                            \
+    C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
+    C.p = Cp;                                                           \
+    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                  \
+                                                                        \
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 /                 \
+                                       sizeof( mbedtls_mpi_uint ) ) );  \
     LOAD32;
 
 #define NEXT                    \
@@ -1047,14 +1071,14 @@ static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry) {
     STORE32; i++;                               \
     cur = c > 0 ? c : 0; STORE32;               \
     cur = 0; while( ++i < MAX32 ) { STORE32; }  \
-    if( c < 0 ) fix_negative( N, c, &C, bits );
+    if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );
 
 /*
  * If the result is negative, we get it in the form
  * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
  */
 static inline int fix_negative(mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     /* C = - c * 2^(bits + 32) */
 #if !defined(MBEDTLS_HAVE_INT64)
@@ -1326,7 +1350,7 @@ cleanup:
  * Write N as A1 + 2^521 A0, return A0 + A1
  */
 static int ecp_mod_p521(mbedtls_mpi *N) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i;
     mbedtls_mpi M;
     mbedtls_mpi_uint Mp[P521_WIDTH + 1];
@@ -1374,7 +1398,7 @@ cleanup:
  * Write N as A0 + 2^255 A1, return A0 + 19 * A1
  */
 static int ecp_mod_p255(mbedtls_mpi *N) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i;
     mbedtls_mpi M;
     mbedtls_mpi_uint Mp[P255_WIDTH + 2];
@@ -1430,7 +1454,7 @@ cleanup:
  * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
  */
 static int ecp_mod_p448(mbedtls_mpi *N) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i;
     mbedtls_mpi M, Q;
     mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
@@ -1491,7 +1515,7 @@ cleanup:
 #define P_KOBLITZ_R     ( 8 / sizeof( mbedtls_mpi_uint ) )        // Limbs in R
 static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i;
     mbedtls_mpi M, R;
     mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
diff --git a/common/mbedtls/ecp_internal.h b/common/mbedtls/ecp_internal.h
index 50ae6e353..066b73628 100644
--- a/common/mbedtls/ecp_internal.h
+++ b/common/mbedtls/ecp_internal.h
@@ -5,24 +5,20 @@
  * point arithmetic.
  */
 /*
- *  Copyright (C) 2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -63,6 +59,12 @@
 #ifndef MBEDTLS_ECP_INTERNAL_H
 #define MBEDTLS_ECP_INTERNAL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
 
 /**
@@ -101,7 +103,7 @@ int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);
  */
 void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);
 
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
 
 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
 /**
@@ -241,9 +243,9 @@ int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
                                        mbedtls_ecp_point *pt);
 #endif
 
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
 
 #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
 int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
@@ -287,7 +289,7 @@ int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
                                        mbedtls_ecp_point *P);
 #endif
 
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
 
 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
 
diff --git a/common/mbedtls/entropy.c b/common/mbedtls/entropy.c
index 4412322bb..b4db5aac7 100644
--- a/common/mbedtls/entropy.c
+++ b/common/mbedtls/entropy.c
@@ -1,31 +1,23 @@
 /*
  *  Entropy accumulator implementation
  *
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_ENTROPY_C)
 
@@ -38,6 +30,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -121,6 +114,11 @@ void mbedtls_entropy_init(mbedtls_entropy_context *ctx) {
 }
 
 void mbedtls_entropy_free(mbedtls_entropy_context *ctx) {
+    /* If the context was already free, don't call free() again.
+     * This is important for mutexes which don't allow double-free. */
+    if (ctx->accumulator_started == -1)
+        return;
+
 #if defined(MBEDTLS_HAVEGE_C)
     mbedtls_havege_free(&ctx->havege_data);
 #endif
@@ -137,7 +135,7 @@ void mbedtls_entropy_free(mbedtls_entropy_context *ctx) {
 #endif
     ctx->source_count = 0;
     mbedtls_platform_zeroize(ctx->source, sizeof(ctx->source));
-    ctx->accumulator_started = 0;
+    ctx->accumulator_started = -1;
 }
 
 int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
@@ -231,7 +229,7 @@ cleanup:
 
 int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
                                   const unsigned char *data, size_t len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
 #if defined(MBEDTLS_THREADING_C)
     if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
@@ -252,7 +250,9 @@ int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
  * Run through the different sources to add entropy to our accumulator
  */
 static int entropy_gather_internal(mbedtls_entropy_context *ctx) {
-    int ret, i, have_one_strong = 0;
+    int ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+    int i;
+    int have_one_strong = 0;
     unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
     size_t olen;
 
@@ -296,7 +296,7 @@ cleanup:
  * Thread-safe wrapper for entropy_gather_internal()
  */
 int mbedtls_entropy_gather(mbedtls_entropy_context *ctx) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
 #if defined(MBEDTLS_THREADING_C)
     if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
@@ -314,7 +314,8 @@ int mbedtls_entropy_gather(mbedtls_entropy_context *ctx) {
 }
 
 int mbedtls_entropy_func(void *data, unsigned char *output, size_t len) {
-    int ret, count = 0, i, done;
+    int ret, count = 0, i, thresholds_reached;
+    size_t strong_size;
     mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
     unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
 
@@ -349,11 +350,15 @@ int mbedtls_entropy_func(void *data, unsigned char *output, size_t len) {
         if ((ret = entropy_gather_internal(ctx)) != 0)
             goto exit;
 
-        done = 1;
-        for (i = 0; i < ctx->source_count; i++)
+        thresholds_reached = 1;
+        strong_size = 0;
+        for (i = 0; i < ctx->source_count; i++) {
             if (ctx->source[i].size < ctx->source[i].threshold)
-                done = 0;
-    } while (! done);
+                thresholds_reached = 0;
+            if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG)
+                strong_size += ctx->source[i].size;
+        }
+    } while (! thresholds_reached || strong_size < MBEDTLS_ENTROPY_BLOCK_SIZE);
 
     memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
 
diff --git a/common/mbedtls/entropy.h b/common/mbedtls/entropy.h
index a7e4072ee..9c6c54bc7 100644
--- a/common/mbedtls/entropy.h
+++ b/common/mbedtls/entropy.h
@@ -4,30 +4,26 @@
  * \brief Entropy accumulator implementation
  */
 /*
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_ENTROPY_H
 #define MBEDTLS_ENTROPY_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -35,21 +31,21 @@
 #include <stddef.h>
 
 #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-#include "sha512.h"
+#include "mbedtls/sha512.h"
 #define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
 #else
 #if defined(MBEDTLS_SHA256_C)
 #define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
-#include "sha256.h"
+#include "mbedtls/sha256.h"
 #endif
 #endif
 
 #if defined(MBEDTLS_THREADING_C)
-#include "threading.h"
+#include "mbedtls/threading.h"
 #endif
 
 #if defined(MBEDTLS_HAVEGE_C)
-#include "havege.h"
+#include "mbedtls/havege.h"
 #endif
 
 #define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
@@ -122,13 +118,15 @@ mbedtls_entropy_source_state;
  * \brief           Entropy context structure
  */
 typedef struct mbedtls_entropy_context {
-    int accumulator_started;
+    int accumulator_started; /* 0 after init.
+                              * 1 after the first update.
+                              * -1 after free. */
 #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
     mbedtls_sha512_context  accumulator;
 #else
     mbedtls_sha256_context  accumulator;
 #endif
-    int             source_count;
+    int             source_count; /* Number of entries used in source. */
     mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
 #if defined(MBEDTLS_HAVEGE_C)
     mbedtls_havege_state    havege_data;
diff --git a/common/mbedtls/entropy_poll.c b/common/mbedtls/entropy_poll.c
index 6e3d7c931..b1c0a326f 100644
--- a/common/mbedtls/entropy_poll.c
+++ b/common/mbedtls/entropy_poll.c
@@ -1,36 +1,28 @@
 /*
  *  Platform-specific and custom entropy polling functions
  *
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if defined(__linux__)
+#if defined(__linux__) && !defined(_GNU_SOURCE)
 /* Ensure that syscall() is available even when compiling with -std=c99 */
 #define _GNU_SOURCE
 #endif
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #include <string.h>
 
@@ -38,6 +30,7 @@
 
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
+#include "mbedtls/error.h"
 
 #if defined(MBEDTLS_TIMING_C)
 #include "mbedtls/timing.h"
@@ -53,7 +46,7 @@
 
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
     !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
-    !defined(__HAIKU__)
+    !defined(__HAIKU__) && !defined(__midipix__)
 #error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
 #endif
 
@@ -93,11 +86,12 @@ int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
  * Since there is no wrapper in the libc yet, use the generic syscall wrapper
  * available in GNU libc and compatible libc's (eg uClibc).
  */
-#if defined(__linux__) && defined(__GLIBC__)
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
 #include <unistd.h>
 #include <sys/syscall.h>
 #if defined(SYS_getrandom)
 #define HAVE_GETRANDOM
+#include <errno.h>
 
 static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags) {
     /* MemSan cannot understand that the syscall writes to the buffer */
@@ -106,48 +100,57 @@ static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags) {
     memset(buf, 0, buflen);
 #endif
 #endif
-
     return (syscall(SYS_getrandom, buf, buflen, flags));
 }
+#endif /* SYS_getrandom */
+#endif /* __linux__ || __midipix__ */
 
-#include <sys/utsname.h>
-/* Check if version is at least 3.17.0 */
-static int check_version_3_17_plus(void) {
-    int minor;
-    struct utsname un;
-    const char *ver;
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
+    (defined(__DragonFly__) && __DragonFly_version >= 500700)
+#include <errno.h>
+#include <sys/random.h>
+#define HAVE_GETRANDOM
+static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags) {
+    return getrandom(buf, buflen, flags);
+}
+#endif /* (__FreeBSD__ && __FreeBSD_version >= 1200000) ||
+          (__DragonFly__ && __DragonFly_version >= 500700) */
+#endif /* __FreeBSD__ || __DragonFly__ */
 
-    /* Get version information */
-    uname(&un);
-    ver = un.release;
+/*
+ * Some BSD systems provide KERN_ARND.
+ * This is equivalent to reading from /dev/urandom, only it doesn't require an
+ * open file descriptor, and provides up to 256 bytes per call (basically the
+ * same as getentropy(), but with a longer history).
+ *
+ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
+ */
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#if defined(KERN_ARND)
+#define HAVE_SYSCTL_ARND
 
-    /* Check major version; assume a single digit */
-    if (ver[0] < '3' || ver[0] > '9' || ver [1] != '.')
-        return (-1);
+static int sysctl_arnd_wrapper(unsigned char *buf, size_t buflen) {
+    int name[2];
+    size_t len;
 
-    if (ver[0] - '0' > 3)
-        return (0);
-
-    /* Ok, so now we know major == 3, check minor.
-     * Assume 1 or 2 digits. */
-    if (ver[2] < '0' || ver[2] > '9')
-        return (-1);
-
-    minor = ver[2] - '0';
-
-    if (ver[3] >= '0' && ver[3] <= '9')
-        minor = 10 * minor + ver[3] - '0';
-    else if (ver [3] != '.')
-        return (-1);
-
-    if (minor < 17)
-        return (-1);
+    name[0] = CTL_KERN;
+    name[1] = KERN_ARND;
 
+    while (buflen > 0) {
+        len = buflen > 256 ? 256 : buflen;
+        if (sysctl(name, 2, buf, &len, NULL, 0) == -1)
+            return (-1);
+        buflen -= len;
+        buf += len;
+    }
     return (0);
 }
-static int has_getrandom = -1;
-#endif /* SYS_getrandom */
-#endif /* __linux__ */
+#endif /* KERN_ARND */
+#endif /* __FreeBSD__ || __NetBSD__ */
 
 #include <stdio.h>
 
@@ -155,23 +158,30 @@ int mbedtls_platform_entropy_poll(void *data,
                                   unsigned char *output, size_t len, size_t *olen) {
     FILE *file;
     size_t read_len;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     ((void) data);
 
 #if defined(HAVE_GETRANDOM)
-    if (has_getrandom == -1)
-        has_getrandom = (check_version_3_17_plus() == 0);
-
-    if (has_getrandom) {
-        int ret;
-
-        if ((ret = getrandom_wrapper(output, len, 0)) < 0)
-            return (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
-
+    ret = getrandom_wrapper(output, len, 0);
+    if (ret >= 0) {
         *olen = ret;
         return (0);
-    }
+    } else if (errno != ENOSYS)
+        return (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
+    /* Fall through if the system call isn't known. */
+#else
+    ((void) ret);
 #endif /* HAVE_GETRANDOM */
 
+#if defined(HAVE_SYSCTL_ARND)
+    ((void) file);
+    ((void) read_len);
+    if (sysctl_arnd_wrapper(output, len) == -1)
+        return (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
+    *olen = len;
+    return (0);
+#else
+
     *olen = 0;
 
     file = fopen("/dev/urandom", "rb");
@@ -188,6 +198,7 @@ int mbedtls_platform_entropy_poll(void *data,
     *olen = len;
 
     return (0);
+#endif /* HAVE_SYSCTL_ARND */
 }
 #endif /* _WIN32 && !EFIX64 && !EFI32 */
 #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
@@ -197,13 +208,13 @@ int mbedtls_null_entropy_poll(void *data,
                               unsigned char *output, size_t len, size_t *olen) {
     ((void) data);
     ((void) output);
-    *olen = 0;
 
+    *olen = 0;
     if (len < sizeof(unsigned char))
         return (0);
 
+    output[0] = 0;
     *olen = sizeof(unsigned char);
-
     return (0);
 }
 #endif
diff --git a/common/mbedtls/entropy_poll.h b/common/mbedtls/entropy_poll.h
index fd49d8519..eca3b5620 100644
--- a/common/mbedtls/entropy_poll.h
+++ b/common/mbedtls/entropy_poll.h
@@ -4,30 +4,26 @@
  * \brief Platform-specific and custom entropy polling functions
  */
 /*
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_ENTROPY_POLL_H
 #define MBEDTLS_ENTROPY_POLL_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
diff --git a/common/mbedtls/error.c b/common/mbedtls/error.c
index b85ceb041..d5a46c557 100644
--- a/common/mbedtls/error.c
+++ b/common/mbedtls/error.c
@@ -1,47 +1,38 @@
 /*
  *  Error message information
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
+
+#include "mbedtls/error.h"
 
 #if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
-#include "mbedtls/error.h"
-#include <string.h>
-#endif
+
+#if defined(MBEDTLS_ERROR_C)
 
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
 #define mbedtls_snprintf snprintf
-#define mbedtls_time_t   time_t
 #endif
 
-#if defined(MBEDTLS_ERROR_C)
-
 #include <stdio.h>
+#include <string.h>
 
 #if defined(MBEDTLS_AES_C)
 #include "mbedtls/aes.h"
@@ -55,6 +46,10 @@
 #include "mbedtls/aria.h"
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
 #if defined(MBEDTLS_BASE64_C)
 #include "mbedtls/base64.h"
 #endif
@@ -111,6 +106,10 @@
 #include "mbedtls/entropy.h"
 #endif
 
+#if defined(MBEDTLS_ERROR_C)
+#include "mbedtls/error.h"
+#endif
+
 #if defined(MBEDTLS_GCM_C)
 #include "mbedtls/gcm.h"
 #endif
@@ -167,6 +166,10 @@
 #include "mbedtls/pkcs5.h"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
 #if defined(MBEDTLS_POLY1305_C)
 #include "mbedtls/poly1305.h"
 #endif
@@ -208,9 +211,689 @@
 #endif
 
 
+const char *mbedtls_high_level_strerr(int error_code) {
+    int high_level_error_code;
+
+    if (error_code < 0)
+        error_code = -error_code;
+
+    /* Extract the high-level part from the error code. */
+    high_level_error_code = error_code & 0xFF80;
+
+    switch (high_level_error_code) {
+            /* Begin Auto-Generated Code. */
+#if defined(MBEDTLS_CIPHER_C)
+        case -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE):
+            return ("CIPHER - The selected feature is not available");
+        case -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA):
+            return ("CIPHER - Bad input parameters");
+        case -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED):
+            return ("CIPHER - Failed to allocate memory");
+        case -(MBEDTLS_ERR_CIPHER_INVALID_PADDING):
+            return ("CIPHER - Input data contains invalid padding and is rejected");
+        case -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED):
+            return ("CIPHER - Decryption of block requires a full block");
+        case -(MBEDTLS_ERR_CIPHER_AUTH_FAILED):
+            return ("CIPHER - Authentication failed (for AEAD modes)");
+        case -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT):
+            return ("CIPHER - The context is invalid. For example, because it was freed");
+        case -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED):
+            return ("CIPHER - Cipher hardware accelerator failed");
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+        case -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA):
+            return ("DHM - Bad input parameters");
+        case -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED):
+            return ("DHM - Reading of the DHM parameters failed");
+        case -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED):
+            return ("DHM - Making of the DHM parameters failed");
+        case -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED):
+            return ("DHM - Reading of the public values failed");
+        case -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED):
+            return ("DHM - Making of the public value failed");
+        case -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED):
+            return ("DHM - Calculation of the DHM secret failed");
+        case -(MBEDTLS_ERR_DHM_INVALID_FORMAT):
+            return ("DHM - The ASN.1 data is not formatted correctly");
+        case -(MBEDTLS_ERR_DHM_ALLOC_FAILED):
+            return ("DHM - Allocation of memory failed");
+        case -(MBEDTLS_ERR_DHM_FILE_IO_ERROR):
+            return ("DHM - Read or write of file failed");
+        case -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED):
+            return ("DHM - DHM hardware accelerator failed");
+        case -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED):
+            return ("DHM - Setting the modulus and generator failed");
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+        case -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA):
+            return ("ECP - Bad input parameters to function");
+        case -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL):
+            return ("ECP - The buffer is too small to write to");
+        case -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE):
+            return ("ECP - The requested feature is not available, for example, the requested curve is not supported");
+        case -(MBEDTLS_ERR_ECP_VERIFY_FAILED):
+            return ("ECP - The signature is not valid");
+        case -(MBEDTLS_ERR_ECP_ALLOC_FAILED):
+            return ("ECP - Memory allocation failed");
+        case -(MBEDTLS_ERR_ECP_RANDOM_FAILED):
+            return ("ECP - Generation of random value, such as ephemeral key, failed");
+        case -(MBEDTLS_ERR_ECP_INVALID_KEY):
+            return ("ECP - Invalid private or public key");
+        case -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH):
+            return ("ECP - The buffer contains a valid signature followed by more data");
+        case -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED):
+            return ("ECP - The ECP hardware accelerator failed");
+        case -(MBEDTLS_ERR_ECP_IN_PROGRESS):
+            return ("ECP - Operation in progress, call again with the same parameters to continue");
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+        case -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE):
+            return ("MD - The selected feature is not available");
+        case -(MBEDTLS_ERR_MD_BAD_INPUT_DATA):
+            return ("MD - Bad input parameters to function");
+        case -(MBEDTLS_ERR_MD_ALLOC_FAILED):
+            return ("MD - Failed to allocate memory");
+        case -(MBEDTLS_ERR_MD_FILE_IO_ERROR):
+            return ("MD - Opening or reading of file failed");
+        case -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED):
+            return ("MD - MD hardware accelerator failed");
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+        case -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT):
+            return ("PEM - No PEM header or footer found");
+        case -(MBEDTLS_ERR_PEM_INVALID_DATA):
+            return ("PEM - PEM string is not as expected");
+        case -(MBEDTLS_ERR_PEM_ALLOC_FAILED):
+            return ("PEM - Failed to allocate memory");
+        case -(MBEDTLS_ERR_PEM_INVALID_ENC_IV):
+            return ("PEM - RSA IV is not in hex-format");
+        case -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG):
+            return ("PEM - Unsupported key encryption algorithm");
+        case -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED):
+            return ("PEM - Private key password can't be empty");
+        case -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH):
+            return ("PEM - Given private key password does not allow for correct decryption");
+        case -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE):
+            return ("PEM - Unavailable feature, e.g. hashing/encryption combination");
+        case -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA):
+            return ("PEM - Bad input parameters to function");
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+        case -(MBEDTLS_ERR_PK_ALLOC_FAILED):
+            return ("PK - Memory allocation failed");
+        case -(MBEDTLS_ERR_PK_TYPE_MISMATCH):
+            return ("PK - Type mismatch, eg attempt to encrypt with an ECDSA key");
+        case -(MBEDTLS_ERR_PK_BAD_INPUT_DATA):
+            return ("PK - Bad input parameters to function");
+        case -(MBEDTLS_ERR_PK_FILE_IO_ERROR):
+            return ("PK - Read/write of file failed");
+        case -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION):
+            return ("PK - Unsupported key version");
+        case -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT):
+            return ("PK - Invalid key tag or value");
+        case -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG):
+            return ("PK - Key algorithm is unsupported (only RSA and EC are supported)");
+        case -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED):
+            return ("PK - Private key password can't be empty");
+        case -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH):
+            return ("PK - Given private key password does not allow for correct decryption");
+        case -(MBEDTLS_ERR_PK_INVALID_PUBKEY):
+            return ("PK - The pubkey tag or value is invalid (only RSA and EC are supported)");
+        case -(MBEDTLS_ERR_PK_INVALID_ALG):
+            return ("PK - The algorithm tag or value is invalid");
+        case -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE):
+            return ("PK - Elliptic curve is unsupported (only NIST curves are supported)");
+        case -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE):
+            return ("PK - Unavailable feature, e.g. RSA disabled for RSA key");
+        case -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH):
+            return ("PK - The buffer contains a valid signature followed by more data");
+        case -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED):
+            return ("PK - PK hardware accelerator failed");
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+        case -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA):
+            return ("PKCS12 - Bad input parameters to function");
+        case -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE):
+            return ("PKCS12 - Feature not available, e.g. unsupported encryption scheme");
+        case -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT):
+            return ("PKCS12 - PBE ASN.1 data not as expected");
+        case -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH):
+            return ("PKCS12 - Given private key password does not allow for correct decryption");
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+        case -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA):
+            return ("PKCS5 - Bad input parameters to function");
+        case -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT):
+            return ("PKCS5 - Unexpected ASN.1 data");
+        case -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE):
+            return ("PKCS5 - Requested encryption or digest alg not available");
+        case -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH):
+            return ("PKCS5 - Given private key password does not allow for correct decryption");
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_RSA_C)
+        case -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
+            return ("RSA - Bad input parameters to function");
+        case -(MBEDTLS_ERR_RSA_INVALID_PADDING):
+            return ("RSA - Input data contains invalid padding and is rejected");
+        case -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+            return ("RSA - Something failed during generation of a key");
+        case -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
+            return ("RSA - Key failed to pass the validity check of the library");
+        case -(MBEDTLS_ERR_RSA_PUBLIC_FAILED):
+            return ("RSA - The public key operation failed");
+        case -(MBEDTLS_ERR_RSA_PRIVATE_FAILED):
+            return ("RSA - The private key operation failed");
+        case -(MBEDTLS_ERR_RSA_VERIFY_FAILED):
+            return ("RSA - The PKCS#1 verification failed");
+        case -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
+            return ("RSA - The output buffer for decryption is not large enough");
+        case -(MBEDTLS_ERR_RSA_RNG_FAILED):
+            return ("RSA - The random generator failed to generate non-zeros");
+        case -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION):
+            return ("RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality");
+        case -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED):
+            return ("RSA - RSA hardware accelerator failed");
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+        case -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE):
+            return ("SSL - The requested feature is not available");
+        case -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA):
+            return ("SSL - Bad input parameters to function");
+        case -(MBEDTLS_ERR_SSL_INVALID_MAC):
+            return ("SSL - Verification of the message MAC failed");
+        case -(MBEDTLS_ERR_SSL_INVALID_RECORD):
+            return ("SSL - An invalid SSL record was received");
+        case -(MBEDTLS_ERR_SSL_CONN_EOF):
+            return ("SSL - The connection indicated an EOF");
+        case -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER):
+            return ("SSL - An unknown cipher was received");
+        case -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN):
+            return ("SSL - The server has no ciphersuites in common with the client");
+        case -(MBEDTLS_ERR_SSL_NO_RNG):
+            return ("SSL - No RNG was provided to the SSL module");
+        case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE):
+            return ("SSL - No client certification received from the client, but required by the authentication mode");
+        case -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE):
+            return ("SSL - Our own certificate(s) is/are too large to send in an SSL message");
+        case -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED):
+            return ("SSL - The own certificate is not set, but needed by the server");
+        case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED):
+            return ("SSL - The own private key or pre-shared key is not set, but needed");
+        case -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED):
+            return ("SSL - No CA Chain is set, but required to operate");
+        case -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE):
+            return ("SSL - An unexpected message was received from our peer");
+        case -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE):
+            return ("SSL - A fatal alert message was received from our peer");
+        case -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED):
+            return ("SSL - Verification of our peer failed");
+        case -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY):
+            return ("SSL - The peer notified us that the connection is going to be closed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO):
+            return ("SSL - Processing of the ClientHello handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO):
+            return ("SSL - Processing of the ServerHello handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE):
+            return ("SSL - Processing of the Certificate handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST):
+            return ("SSL - Processing of the CertificateRequest handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE):
+            return ("SSL - Processing of the ServerKeyExchange handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE):
+            return ("SSL - Processing of the ServerHelloDone handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE):
+            return ("SSL - Processing of the ClientKeyExchange handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP):
+            return ("SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS):
+            return ("SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY):
+            return ("SSL - Processing of the CertificateVerify handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC):
+            return ("SSL - Processing of the ChangeCipherSpec handshake message failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED):
+            return ("SSL - Processing of the Finished handshake message failed");
+        case -(MBEDTLS_ERR_SSL_ALLOC_FAILED):
+            return ("SSL - Memory allocation failed");
+        case -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED):
+            return ("SSL - Hardware acceleration function returned with error");
+        case -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH):
+            return ("SSL - Hardware acceleration function skipped / left alone data");
+        case -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED):
+            return ("SSL - Processing of the compression / decompression failed");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION):
+            return ("SSL - Handshake protocol not within min/max boundaries");
+        case -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET):
+            return ("SSL - Processing of the NewSessionTicket handshake message failed");
+        case -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED):
+            return ("SSL - Session ticket has expired");
+        case -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH):
+            return ("SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)");
+        case -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY):
+            return ("SSL - Unknown identity received (eg, PSK identity)");
+        case -(MBEDTLS_ERR_SSL_INTERNAL_ERROR):
+            return ("SSL - Internal error (eg, unexpected failure in lower-level module)");
+        case -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING):
+            return ("SSL - A counter would wrap (eg, too many messages exchanged)");
+        case -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO):
+            return ("SSL - Unexpected message at ServerHello in renegotiation");
+        case -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED):
+            return ("SSL - DTLS client must retry for hello verification");
+        case -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL):
+            return ("SSL - A buffer is too small to receive or write a message");
+        case -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE):
+            return ("SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)");
+        case -(MBEDTLS_ERR_SSL_WANT_READ):
+            return ("SSL - No data of requested type currently available on underlying transport");
+        case -(MBEDTLS_ERR_SSL_WANT_WRITE):
+            return ("SSL - Connection requires a write call");
+        case -(MBEDTLS_ERR_SSL_TIMEOUT):
+            return ("SSL - The operation timed out");
+        case -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT):
+            return ("SSL - The client initiated a reconnect from the same port");
+        case -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD):
+            return ("SSL - Record header looks valid but is not expected");
+        case -(MBEDTLS_ERR_SSL_NON_FATAL):
+            return ("SSL - The alert message received indicates a non-fatal error");
+        case -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH):
+            return ("SSL - Couldn't set the hash for verifying CertificateVerify");
+        case -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING):
+            return ("SSL - Internal-only message signaling that further message-processing should be done");
+        case -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS):
+            return ("SSL - The asynchronous operation is not completed yet");
+        case -(MBEDTLS_ERR_SSL_EARLY_MESSAGE):
+            return ("SSL - Internal-only message signaling that a message arrived early");
+        case -(MBEDTLS_ERR_SSL_UNEXPECTED_CID):
+            return ("SSL - An encrypted DTLS-frame with an unexpected CID was received");
+        case -(MBEDTLS_ERR_SSL_VERSION_MISMATCH):
+            return ("SSL - An operation failed due to an unexpected version or configuration");
+        case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
+            return ("SSL - A cryptographic operation is in progress. Try again later");
+        case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
+            return ("SSL - Invalid value in SSL config");
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+        case -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE):
+            return ("X509 - Unavailable feature, e.g. RSA hashing/encryption combination");
+        case -(MBEDTLS_ERR_X509_UNKNOWN_OID):
+            return ("X509 - Requested OID is unknown");
+        case -(MBEDTLS_ERR_X509_INVALID_FORMAT):
+            return ("X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected");
+        case -(MBEDTLS_ERR_X509_INVALID_VERSION):
+            return ("X509 - The CRT/CRL/CSR version element is invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_SERIAL):
+            return ("X509 - The serial tag or value is invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_ALG):
+            return ("X509 - The algorithm tag or value is invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_NAME):
+            return ("X509 - The name tag or value is invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_DATE):
+            return ("X509 - The date tag or value is invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_SIGNATURE):
+            return ("X509 - The signature tag or value invalid");
+        case -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS):
+            return ("X509 - The extension tag or value is invalid");
+        case -(MBEDTLS_ERR_X509_UNKNOWN_VERSION):
+            return ("X509 - CRT/CRL/CSR has an unsupported version number");
+        case -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG):
+            return ("X509 - Signature algorithm (oid) is unsupported");
+        case -(MBEDTLS_ERR_X509_SIG_MISMATCH):
+            return ("X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)");
+        case -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED):
+            return ("X509 - Certificate verification failed, e.g. CRL, CA or signature check failed");
+        case -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT):
+            return ("X509 - Format not recognized as DER or PEM");
+        case -(MBEDTLS_ERR_X509_BAD_INPUT_DATA):
+            return ("X509 - Input invalid");
+        case -(MBEDTLS_ERR_X509_ALLOC_FAILED):
+            return ("X509 - Allocation of memory failed");
+        case -(MBEDTLS_ERR_X509_FILE_IO_ERROR):
+            return ("X509 - Read/write of file failed");
+        case -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL):
+            return ("X509 - Destination buffer is too small");
+        case -(MBEDTLS_ERR_X509_FATAL_ERROR):
+            return ("X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed");
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+        /* End Auto-Generated Code. */
+
+        default:
+            break;
+    }
+
+    return (NULL);
+}
+
+const char *mbedtls_low_level_strerr(int error_code) {
+    int low_level_error_code;
+
+    if (error_code < 0)
+        error_code = -error_code;
+
+    /* Extract the low-level part from the error code. */
+    low_level_error_code = error_code & ~0xFF80;
+
+    switch (low_level_error_code) {
+            /* Begin Auto-Generated Code. */
+#if defined(MBEDTLS_AES_C)
+        case -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH):
+            return ("AES - Invalid key length");
+        case -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH):
+            return ("AES - Invalid data input length");
+        case -(MBEDTLS_ERR_AES_BAD_INPUT_DATA):
+            return ("AES - Invalid input data");
+        case -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE):
+            return ("AES - Feature not available. For example, an unsupported AES key size");
+        case -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED):
+            return ("AES - AES hardware accelerator failed");
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+        case -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED):
+            return ("ARC4 - ARC4 hardware accelerator failed");
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ARIA_C)
+        case -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA):
+            return ("ARIA - Bad input data");
+        case -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH):
+            return ("ARIA - Invalid data input length");
+        case -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE):
+            return ("ARIA - Feature not available. For example, an unsupported ARIA key size");
+        case -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED):
+            return ("ARIA - ARIA hardware accelerator failed");
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+        case -(MBEDTLS_ERR_ASN1_OUT_OF_DATA):
+            return ("ASN1 - Out of data when parsing an ASN1 data structure");
+        case -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG):
+            return ("ASN1 - ASN1 tag was of an unexpected value");
+        case -(MBEDTLS_ERR_ASN1_INVALID_LENGTH):
+            return ("ASN1 - Error when trying to determine the length or invalid length");
+        case -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH):
+            return ("ASN1 - Actual length differs from expected length");
+        case -(MBEDTLS_ERR_ASN1_INVALID_DATA):
+            return ("ASN1 - Data is invalid");
+        case -(MBEDTLS_ERR_ASN1_ALLOC_FAILED):
+            return ("ASN1 - Memory allocation failed");
+        case -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL):
+            return ("ASN1 - Buffer too small when writing ASN.1 data structure");
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+        case -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL):
+            return ("BASE64 - Output buffer too small");
+        case -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER):
+            return ("BASE64 - Invalid character in input");
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+        case -(MBEDTLS_ERR_MPI_FILE_IO_ERROR):
+            return ("BIGNUM - An error occurred while reading from or writing to a file");
+        case -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA):
+            return ("BIGNUM - Bad input parameters to function");
+        case -(MBEDTLS_ERR_MPI_INVALID_CHARACTER):
+            return ("BIGNUM - There is an invalid character in the digit string");
+        case -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL):
+            return ("BIGNUM - The buffer is too small to write to");
+        case -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE):
+            return ("BIGNUM - The input arguments are negative or result in illegal output");
+        case -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO):
+            return ("BIGNUM - The input argument for division is zero, which is not allowed");
+        case -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE):
+            return ("BIGNUM - The input arguments are not acceptable");
+        case -(MBEDTLS_ERR_MPI_ALLOC_FAILED):
+            return ("BIGNUM - Memory allocation failed");
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+        case -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA):
+            return ("BLOWFISH - Bad input data");
+        case -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH):
+            return ("BLOWFISH - Invalid data input length");
+        case -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED):
+            return ("BLOWFISH - Blowfish hardware accelerator failed");
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+        case -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA):
+            return ("CAMELLIA - Bad input data");
+        case -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH):
+            return ("CAMELLIA - Invalid data input length");
+        case -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED):
+            return ("CAMELLIA - Camellia hardware accelerator failed");
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+        case -(MBEDTLS_ERR_CCM_BAD_INPUT):
+            return ("CCM - Bad input parameters to the function");
+        case -(MBEDTLS_ERR_CCM_AUTH_FAILED):
+            return ("CCM - Authenticated decryption failed");
+        case -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED):
+            return ("CCM - CCM hardware accelerator failed");
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+        case -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA):
+            return ("CHACHA20 - Invalid input parameter(s)");
+        case -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE):
+            return ("CHACHA20 - Feature not available. For example, s part of the API is not implemented");
+        case -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED):
+            return ("CHACHA20 - Chacha20 hardware accelerator failed");
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+        case -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE):
+            return ("CHACHAPOLY - The requested operation is not permitted in the current state");
+        case -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED):
+            return ("CHACHAPOLY - Authenticated decryption failed: data was not authentic");
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CMAC_C)
+        case -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED):
+            return ("CMAC - CMAC hardware accelerator failed");
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+        case -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED):
+            return ("CTR_DRBG - The entropy source failed");
+        case -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG):
+            return ("CTR_DRBG - The requested random buffer length is too big");
+        case -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG):
+            return ("CTR_DRBG - The input (entropy + additional data) is too large");
+        case -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR):
+            return ("CTR_DRBG - Read or write error in file");
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+        case -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH):
+            return ("DES - The data input has an invalid length");
+        case -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED):
+            return ("DES - DES hardware accelerator failed");
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+        case -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+            return ("ENTROPY - Critical entropy source failure");
+        case -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES):
+            return ("ENTROPY - No more sources can be added");
+        case -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED):
+            return ("ENTROPY - No sources have been added to poll");
+        case -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE):
+            return ("ENTROPY - No strong sources have been added to poll");
+        case -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR):
+            return ("ENTROPY - Read/write error in file");
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_ERROR_C)
+        case -(MBEDTLS_ERR_ERROR_GENERIC_ERROR):
+            return ("ERROR - Generic error");
+        case -(MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED):
+            return ("ERROR - This is a bug in the library");
+#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_GCM_C)
+        case -(MBEDTLS_ERR_GCM_AUTH_FAILED):
+            return ("GCM - Authenticated decryption failed");
+        case -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED):
+            return ("GCM - GCM hardware accelerator failed");
+        case -(MBEDTLS_ERR_GCM_BAD_INPUT):
+            return ("GCM - Bad input parameters to function");
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HKDF_C)
+        case -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA):
+            return ("HKDF - Bad input parameters to function");
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+        case -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG):
+            return ("HMAC_DRBG - Too many random requested in single call");
+        case -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG):
+            return ("HMAC_DRBG - Input too large (Entropy + additional)");
+        case -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR):
+            return ("HMAC_DRBG - Read/write error in file");
+        case -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED):
+            return ("HMAC_DRBG - The entropy source failed");
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_MD2_C)
+        case -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED):
+            return ("MD2 - MD2 hardware accelerator failed");
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+        case -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED):
+            return ("MD4 - MD4 hardware accelerator failed");
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+        case -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED):
+            return ("MD5 - MD5 hardware accelerator failed");
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_NET_C)
+        case -(MBEDTLS_ERR_NET_SOCKET_FAILED):
+            return ("NET - Failed to open a socket");
+        case -(MBEDTLS_ERR_NET_CONNECT_FAILED):
+            return ("NET - The connection to the given server / port failed");
+        case -(MBEDTLS_ERR_NET_BIND_FAILED):
+            return ("NET - Binding of the socket failed");
+        case -(MBEDTLS_ERR_NET_LISTEN_FAILED):
+            return ("NET - Could not listen on the socket");
+        case -(MBEDTLS_ERR_NET_ACCEPT_FAILED):
+            return ("NET - Could not accept the incoming connection");
+        case -(MBEDTLS_ERR_NET_RECV_FAILED):
+            return ("NET - Reading information from the socket failed");
+        case -(MBEDTLS_ERR_NET_SEND_FAILED):
+            return ("NET - Sending information through the socket failed");
+        case -(MBEDTLS_ERR_NET_CONN_RESET):
+            return ("NET - Connection was reset by peer");
+        case -(MBEDTLS_ERR_NET_UNKNOWN_HOST):
+            return ("NET - Failed to get an IP address for the given hostname");
+        case -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL):
+            return ("NET - Buffer is too small to hold the data");
+        case -(MBEDTLS_ERR_NET_INVALID_CONTEXT):
+            return ("NET - The context is invalid, eg because it was free()ed");
+        case -(MBEDTLS_ERR_NET_POLL_FAILED):
+            return ("NET - Polling the net context failed");
+        case -(MBEDTLS_ERR_NET_BAD_INPUT_DATA):
+            return ("NET - Input invalid");
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+        case -(MBEDTLS_ERR_OID_NOT_FOUND):
+            return ("OID - OID is not found");
+        case -(MBEDTLS_ERR_OID_BUF_TOO_SMALL):
+            return ("OID - output buffer is too small");
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+        case -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED):
+            return ("PADLOCK - Input data should be aligned");
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+        case -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED):
+            return ("PLATFORM - Hardware accelerator failed");
+        case -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED):
+            return ("PLATFORM - The requested feature is not supported by the platform");
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+        case -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA):
+            return ("POLY1305 - Invalid input parameter(s)");
+        case -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE):
+            return ("POLY1305 - Feature not available. For example, s part of the API is not implemented");
+        case -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED):
+            return ("POLY1305 - Poly1305 hardware accelerator failed");
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+        case -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED):
+            return ("RIPEMD160 - RIPEMD160 hardware accelerator failed");
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+        case -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED):
+            return ("SHA1 - SHA-1 hardware accelerator failed");
+        case -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA):
+            return ("SHA1 - SHA-1 input data was malformed");
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+        case -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED):
+            return ("SHA256 - SHA-256 hardware accelerator failed");
+        case -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA):
+            return ("SHA256 - SHA-256 input data was malformed");
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+        case -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED):
+            return ("SHA512 - SHA-512 hardware accelerator failed");
+        case -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA):
+            return ("SHA512 - SHA-512 input data was malformed");
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+        case -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE):
+            return ("THREADING - The selected feature is not available");
+        case -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA):
+            return ("THREADING - Bad input parameters to function");
+        case -(MBEDTLS_ERR_THREADING_MUTEX_ERROR):
+            return ("THREADING - Locking / unlocking / free failed with error code");
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_XTEA_C)
+        case -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH):
+            return ("XTEA - The data input has an invalid length");
+        case -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED):
+            return ("XTEA - XTEA hardware accelerator failed");
+#endif /* MBEDTLS_XTEA_C */
+        /* End Auto-Generated Code. */
+
+        default:
+            break;
+    }
+
+    return (NULL);
+}
+
 void mbedtls_strerror(int ret, char *buf, size_t buflen) {
     size_t len;
     int use_ret;
+    const char *high_level_error_description = NULL;
+    const char *low_level_error_description = NULL;
 
     if (buflen == 0)
         return;
@@ -223,347 +906,20 @@ void mbedtls_strerror(int ret, char *buf, size_t buflen) {
     if (ret & 0xFF80) {
         use_ret = ret & 0xFF80;
 
-        // High level error codes
-        //
-        // BEGIN generated code
-#if defined(MBEDTLS_CIPHER_C)
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "CIPHER - The selected feature is not available");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Bad input parameters");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Failed to allocate memory");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Input data contains invalid padding and is rejected");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Decryption of block requires a full block");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Authentication failed (for AEAD modes)");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT))
-            mbedtls_snprintf(buf, buflen, "CIPHER - The context is invalid. For example, because it was freed");
-        if (use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "CIPHER - Cipher hardware accelerator failed");
-#endif /* MBEDTLS_CIPHER_C */
+        // Translate high level error code.
+        high_level_error_description = mbedtls_high_level_strerr(ret);
 
-#if defined(MBEDTLS_DHM_C)
-        if (use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "DHM - Bad input parameters");
-        if (use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Reading of the DHM parameters failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Making of the DHM parameters failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Reading of the public values failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Making of the public value failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Calculation of the DHM secret failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_INVALID_FORMAT))
-            mbedtls_snprintf(buf, buflen, "DHM - The ASN.1 data is not formatted correctly");
-        if (use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Allocation of memory failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR))
-            mbedtls_snprintf(buf, buflen, "DHM - Read or write of file failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - DHM hardware accelerator failed");
-        if (use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED))
-            mbedtls_snprintf(buf, buflen, "DHM - Setting the modulus and generator failed");
-#endif /* MBEDTLS_DHM_C */
-
-#if defined(MBEDTLS_ECP_C)
-        if (use_ret == -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "ECP - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL))
-            mbedtls_snprintf(buf, buflen, "ECP - The buffer is too small to write to");
-        if (use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported");
-        if (use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED))
-            mbedtls_snprintf(buf, buflen, "ECP - The signature is not valid");
-        if (use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "ECP - Memory allocation failed");
-        if (use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED))
-            mbedtls_snprintf(buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed");
-        if (use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY))
-            mbedtls_snprintf(buf, buflen, "ECP - Invalid private or public key");
-        if (use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "ECP - The buffer contains a valid signature followed by more data");
-        if (use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "ECP - The ECP hardware accelerator failed");
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_MD_C)
-        if (use_ret == -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "MD - The selected feature is not available");
-        if (use_ret == -(MBEDTLS_ERR_MD_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "MD - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_MD_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "MD - Failed to allocate memory");
-        if (use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR))
-            mbedtls_snprintf(buf, buflen, "MD - Opening or reading of file failed");
-        if (use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "MD - MD hardware accelerator failed");
-#endif /* MBEDTLS_MD_C */
-
-#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
-        if (use_ret == -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT))
-            mbedtls_snprintf(buf, buflen, "PEM - No PEM header or footer found");
-        if (use_ret == -(MBEDTLS_ERR_PEM_INVALID_DATA))
-            mbedtls_snprintf(buf, buflen, "PEM - PEM string is not as expected");
-        if (use_ret == -(MBEDTLS_ERR_PEM_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "PEM - Failed to allocate memory");
-        if (use_ret == -(MBEDTLS_ERR_PEM_INVALID_ENC_IV))
-            mbedtls_snprintf(buf, buflen, "PEM - RSA IV is not in hex-format");
-        if (use_ret == -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG))
-            mbedtls_snprintf(buf, buflen, "PEM - Unsupported key encryption algorithm");
-        if (use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "PEM - Private key password can't be empty");
-        if (use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PEM - Given private key password does not allow for correct decryption");
-        if (use_ret == -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination");
-        if (use_ret == -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "PEM - Bad input parameters to function");
-#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
-
-#if defined(MBEDTLS_PK_C)
-        if (use_ret == -(MBEDTLS_ERR_PK_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "PK - Memory allocation failed");
-        if (use_ret == -(MBEDTLS_ERR_PK_TYPE_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key");
-        if (use_ret == -(MBEDTLS_ERR_PK_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "PK - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_PK_FILE_IO_ERROR))
-            mbedtls_snprintf(buf, buflen, "PK - Read/write of file failed");
-        if (use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION))
-            mbedtls_snprintf(buf, buflen, "PK - Unsupported key version");
-        if (use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT))
-            mbedtls_snprintf(buf, buflen, "PK - Invalid key tag or value");
-        if (use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG))
-            mbedtls_snprintf(buf, buflen, "PK - Key algorithm is unsupported (only RSA and EC are supported)");
-        if (use_ret == -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "PK - Private key password can't be empty");
-        if (use_ret == -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PK - Given private key password does not allow for correct decryption");
-        if (use_ret == -(MBEDTLS_ERR_PK_INVALID_PUBKEY))
-            mbedtls_snprintf(buf, buflen, "PK - The pubkey tag or value is invalid (only RSA and EC are supported)");
-        if (use_ret == -(MBEDTLS_ERR_PK_INVALID_ALG))
-            mbedtls_snprintf(buf, buflen, "PK - The algorithm tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE))
-            mbedtls_snprintf(buf, buflen, "PK - Elliptic curve is unsupported (only NIST curves are supported)");
-        if (use_ret == -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key");
-        if (use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PK - The buffer contains a valid signature followed by more data");
-        if (use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "PK - PK hardware accelerator failed");
-#endif /* MBEDTLS_PK_C */
-
-#if defined(MBEDTLS_PKCS12_C)
-        if (use_ret == -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "PKCS12 - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme");
-        if (use_ret == -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT))
-            mbedtls_snprintf(buf, buflen, "PKCS12 - PBE ASN.1 data not as expected");
-        if (use_ret == -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption");
-#endif /* MBEDTLS_PKCS12_C */
-
-#if defined(MBEDTLS_PKCS5_C)
-        if (use_ret == -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "PKCS5 - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT))
-            mbedtls_snprintf(buf, buflen, "PKCS5 - Unexpected ASN.1 data");
-        if (use_ret == -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "PKCS5 - Requested encryption or digest alg not available");
-        if (use_ret == -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption");
-#endif /* MBEDTLS_PKCS5_C */
-
-#if defined(MBEDTLS_RSA_C)
-        if (use_ret == -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "RSA - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_RSA_INVALID_PADDING))
-            mbedtls_snprintf(buf, buflen, "RSA - Input data contains invalid padding and is rejected");
-        if (use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - Something failed during generation of a key");
-        if (use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - Key failed to pass the validity check of the library");
-        if (use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - The public key operation failed");
-        if (use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - The private key operation failed");
-        if (use_ret == -(MBEDTLS_ERR_RSA_VERIFY_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - The PKCS#1 verification failed");
-        if (use_ret == -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE))
-            mbedtls_snprintf(buf, buflen, "RSA - The output buffer for decryption is not large enough");
-        if (use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - The random generator failed to generate non-zeros");
-        if (use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION))
-            mbedtls_snprintf(buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality");
-        if (use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "RSA - RSA hardware accelerator failed");
-#endif /* MBEDTLS_RSA_C */
+        if (high_level_error_description == NULL)
+            mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
+        else
+            mbedtls_snprintf(buf, buflen, "%s", high_level_error_description);
 
 #if defined(MBEDTLS_SSL_TLS_C)
-        if (use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "SSL - The requested feature is not available");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "SSL - Bad input parameters to function");
-        if (use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC))
-            mbedtls_snprintf(buf, buflen, "SSL - Verification of the message MAC failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD))
-            mbedtls_snprintf(buf, buflen, "SSL - An invalid SSL record was received");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF))
-            mbedtls_snprintf(buf, buflen, "SSL - The connection indicated an EOF");
-        if (use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER))
-            mbedtls_snprintf(buf, buflen, "SSL - An unknown cipher was received");
-        if (use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN))
-            mbedtls_snprintf(buf, buflen, "SSL - The server has no ciphersuites in common with the client");
-        if (use_ret == -(MBEDTLS_ERR_SSL_NO_RNG))
-            mbedtls_snprintf(buf, buflen, "SSL - No RNG was provided to the SSL module");
-        if (use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE))
-            mbedtls_snprintf(buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE))
-            mbedtls_snprintf(buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "SSL - The own certificate is not set, but needed by the server");
-        if (use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "SSL - No CA Chain is set, but required to operate");
-        if (use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE))
-            mbedtls_snprintf(buf, buflen, "SSL - An unexpected message was received from our peer");
-        if (use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE)) {
-            mbedtls_snprintf(buf, buflen, "SSL - A fatal alert message was received from our peer");
+        // Early return in case of a fatal error - do not try to translate low
+        // level code.
+        if (use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE))
             return;
-        }
-        if (use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED))
-            mbedtls_snprintf(buf, buflen, "SSL - Verification of our peer failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY))
-            mbedtls_snprintf(buf, buflen, "SSL - The peer notified us that the connection is going to be closed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ClientHello handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ServerHello handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the Certificate handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the Finished handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "SSL - Memory allocation failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED))
-            mbedtls_snprintf(buf, buflen, "SSL - Hardware acceleration function returned with error");
-        if (use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH))
-            mbedtls_snprintf(buf, buflen, "SSL - Hardware acceleration function skipped / left alone data");
-        if (use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the compression / decompression failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION))
-            mbedtls_snprintf(buf, buflen, "SSL - Handshake protocol not within min/max boundaries");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET))
-            mbedtls_snprintf(buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed");
-        if (use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED))
-            mbedtls_snprintf(buf, buflen, "SSL - Session ticket has expired");
-        if (use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)");
-        if (use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY))
-            mbedtls_snprintf(buf, buflen, "SSL - Unknown identity received (eg, PSK identity)");
-        if (use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR))
-            mbedtls_snprintf(buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)");
-        if (use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING))
-            mbedtls_snprintf(buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)");
-        if (use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO))
-            mbedtls_snprintf(buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation");
-        if (use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED))
-            mbedtls_snprintf(buf, buflen, "SSL - DTLS client must retry for hello verification");
-        if (use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL))
-            mbedtls_snprintf(buf, buflen, "SSL - A buffer is too small to receive or write a message");
-        if (use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE))
-            mbedtls_snprintf(buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)");
-        if (use_ret == -(MBEDTLS_ERR_SSL_WANT_READ))
-            mbedtls_snprintf(buf, buflen, "SSL - No data of requested type currently available on underlying transport");
-        if (use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE))
-            mbedtls_snprintf(buf, buflen, "SSL - Connection requires a write call");
-        if (use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT))
-            mbedtls_snprintf(buf, buflen, "SSL - The operation timed out");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT))
-            mbedtls_snprintf(buf, buflen, "SSL - The client initiated a reconnect from the same port");
-        if (use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD))
-            mbedtls_snprintf(buf, buflen, "SSL - Record header looks valid but is not expected");
-        if (use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL))
-            mbedtls_snprintf(buf, buflen, "SSL - The alert message received indicates a non-fatal error");
-        if (use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH))
-            mbedtls_snprintf(buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify");
-        if (use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING))
-            mbedtls_snprintf(buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done");
-        if (use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS))
-            mbedtls_snprintf(buf, buflen, "SSL - The asynchronous operation is not completed yet");
-        if (use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE))
-            mbedtls_snprintf(buf, buflen, "SSL - Internal-only message signaling that a message arrived early");
 #endif /* MBEDTLS_SSL_TLS_C */
-
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
-        if (use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE))
-            mbedtls_snprintf(buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination");
-        if (use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID))
-            mbedtls_snprintf(buf, buflen, "X509 - Requested OID is unknown");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT))
-            mbedtls_snprintf(buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION))
-            mbedtls_snprintf(buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL))
-            mbedtls_snprintf(buf, buflen, "X509 - The serial tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG))
-            mbedtls_snprintf(buf, buflen, "X509 - The algorithm tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME))
-            mbedtls_snprintf(buf, buflen, "X509 - The name tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE))
-            mbedtls_snprintf(buf, buflen, "X509 - The date tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE))
-            mbedtls_snprintf(buf, buflen, "X509 - The signature tag or value invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS))
-            mbedtls_snprintf(buf, buflen, "X509 - The extension tag or value is invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION))
-            mbedtls_snprintf(buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number");
-        if (use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG))
-            mbedtls_snprintf(buf, buflen, "X509 - Signature algorithm (oid) is unsupported");
-        if (use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH))
-            mbedtls_snprintf(buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)");
-        if (use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED))
-            mbedtls_snprintf(buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed");
-        if (use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT))
-            mbedtls_snprintf(buf, buflen, "X509 - Format not recognized as DER or PEM");
-        if (use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA))
-            mbedtls_snprintf(buf, buflen, "X509 - Input invalid");
-        if (use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED))
-            mbedtls_snprintf(buf, buflen, "X509 - Allocation of memory failed");
-        if (use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR))
-            mbedtls_snprintf(buf, buflen, "X509 - Read/write of file failed");
-        if (use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL))
-            mbedtls_snprintf(buf, buflen, "X509 - Destination buffer is too small");
-        if (use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR))
-            mbedtls_snprintf(buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed");
-#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
-        // END generated code
-
-        if (strlen(buf) == 0)
-            mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret);
     }
 
     use_ret = ret & ~0xFF80;
@@ -586,297 +942,17 @@ void mbedtls_strerror(int ret, char *buf, size_t buflen) {
         buflen -= len + 3;
     }
 
-    // Low level error codes
-    //
-    // BEGIN generated code
-#if defined(MBEDTLS_AES_C)
-    if (use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH))
-        mbedtls_snprintf(buf, buflen, "AES - Invalid key length");
-    if (use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "AES - Invalid data input length");
-    if (use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "AES - Invalid input data");
-    if (use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE))
-        mbedtls_snprintf(buf, buflen, "AES - Feature not available. For example, an unsupported AES key size");
-    if (use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "AES - AES hardware accelerator failed");
-#endif /* MBEDTLS_AES_C */
+    // Translate low level error code.
+    low_level_error_description = mbedtls_low_level_strerr(ret);
 
-#if defined(MBEDTLS_ARC4_C)
-    if (use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "ARC4 - ARC4 hardware accelerator failed");
-#endif /* MBEDTLS_ARC4_C */
-
-#if defined(MBEDTLS_ARIA_C)
-    if (use_ret == -(MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH))
-        mbedtls_snprintf(buf, buflen, "ARIA - Invalid key length");
-    if (use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "ARIA - Invalid data input length");
-    if (use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE))
-        mbedtls_snprintf(buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size");
-    if (use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "ARIA - ARIA hardware accelerator failed");
-#endif /* MBEDTLS_ARIA_C */
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-    if (use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))
-        mbedtls_snprintf(buf, buflen, "ASN1 - ASN1 tag was of an unexpected value");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_INVALID_LENGTH))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Error when trying to determine the length or invalid length");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Actual length differs from expected length");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_INVALID_DATA))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Data is invalid. (not used)");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_ALLOC_FAILED))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Memory allocation failed");
-    if (use_ret == -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL))
-        mbedtls_snprintf(buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure");
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-#if defined(MBEDTLS_BASE64_C)
-    if (use_ret == -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL))
-        mbedtls_snprintf(buf, buflen, "BASE64 - Output buffer too small");
-    if (use_ret == -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER))
-        mbedtls_snprintf(buf, buflen, "BASE64 - Invalid character in input");
-#endif /* MBEDTLS_BASE64_C */
-
-#if defined(MBEDTLS_BIGNUM_C)
-    if (use_ret == -(MBEDTLS_ERR_MPI_FILE_IO_ERROR))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file");
-    if (use_ret == -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - Bad input parameters to function");
-    if (use_ret == -(MBEDTLS_ERR_MPI_INVALID_CHARACTER))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - There is an invalid character in the digit string");
-    if (use_ret == -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - The buffer is too small to write to");
-    if (use_ret == -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output");
-    if (use_ret == -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed");
-    if (use_ret == -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - The input arguments are not acceptable");
-    if (use_ret == -(MBEDTLS_ERR_MPI_ALLOC_FAILED))
-        mbedtls_snprintf(buf, buflen, "BIGNUM - Memory allocation failed");
-#endif /* MBEDTLS_BIGNUM_C */
-
-#if defined(MBEDTLS_BLOWFISH_C)
-    if (use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH))
-        mbedtls_snprintf(buf, buflen, "BLOWFISH - Invalid key length");
-    if (use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed");
-    if (use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "BLOWFISH - Invalid data input length");
-#endif /* MBEDTLS_BLOWFISH_C */
-
-#if defined(MBEDTLS_CAMELLIA_C)
-    if (use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH))
-        mbedtls_snprintf(buf, buflen, "CAMELLIA - Invalid key length");
-    if (use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "CAMELLIA - Invalid data input length");
-    if (use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "CAMELLIA - Camellia hardware accelerator failed");
-#endif /* MBEDTLS_CAMELLIA_C */
-
-#if defined(MBEDTLS_CCM_C)
-    if (use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT))
-        mbedtls_snprintf(buf, buflen, "CCM - Bad input parameters to the function");
-    if (use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED))
-        mbedtls_snprintf(buf, buflen, "CCM - Authenticated decryption failed");
-    if (use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "CCM - CCM hardware accelerator failed");
-#endif /* MBEDTLS_CCM_C */
-
-#if defined(MBEDTLS_CHACHA20_C)
-    if (use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "CHACHA20 - Invalid input parameter(s)");
-    if (use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE))
-        mbedtls_snprintf(buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented");
-    if (use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed");
-#endif /* MBEDTLS_CHACHA20_C */
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
-    if (use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE))
-        mbedtls_snprintf(buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state");
-    if (use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED))
-        mbedtls_snprintf(buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic");
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
-#if defined(MBEDTLS_CMAC_C)
-    if (use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "CMAC - CMAC hardware accelerator failed");
-#endif /* MBEDTLS_CMAC_C */
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-    if (use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED))
-        mbedtls_snprintf(buf, buflen, "CTR_DRBG - The entropy source failed");
-    if (use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG))
-        mbedtls_snprintf(buf, buflen, "CTR_DRBG - The requested random buffer length is too big");
-    if (use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG))
-        mbedtls_snprintf(buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large");
-    if (use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR))
-        mbedtls_snprintf(buf, buflen, "CTR_DRBG - Read or write error in file");
-#endif /* MBEDTLS_CTR_DRBG_C */
-
-#if defined(MBEDTLS_DES_C)
-    if (use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "DES - The data input has an invalid length");
-    if (use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "DES - DES hardware accelerator failed");
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_ENTROPY_C)
-    if (use_ret == -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED))
-        mbedtls_snprintf(buf, buflen, "ENTROPY - Critical entropy source failure");
-    if (use_ret == -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES))
-        mbedtls_snprintf(buf, buflen, "ENTROPY - No more sources can be added");
-    if (use_ret == -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED))
-        mbedtls_snprintf(buf, buflen, "ENTROPY - No sources have been added to poll");
-    if (use_ret == -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE))
-        mbedtls_snprintf(buf, buflen, "ENTROPY - No strong sources have been added to poll");
-    if (use_ret == -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR))
-        mbedtls_snprintf(buf, buflen, "ENTROPY - Read/write error in file");
-#endif /* MBEDTLS_ENTROPY_C */
-
-#if defined(MBEDTLS_GCM_C)
-    if (use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED))
-        mbedtls_snprintf(buf, buflen, "GCM - Authenticated decryption failed");
-    if (use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "GCM - GCM hardware accelerator failed");
-    if (use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT))
-        mbedtls_snprintf(buf, buflen, "GCM - Bad input parameters to function");
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_HKDF_C)
-    if (use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "HKDF - Bad input parameters to function");
-#endif /* MBEDTLS_HKDF_C */
-
-#if defined(MBEDTLS_HMAC_DRBG_C)
-    if (use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG))
-        mbedtls_snprintf(buf, buflen, "HMAC_DRBG - Too many random requested in single call");
-    if (use_ret == -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG))
-        mbedtls_snprintf(buf, buflen, "HMAC_DRBG - Input too large (Entropy + additional)");
-    if (use_ret == -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR))
-        mbedtls_snprintf(buf, buflen, "HMAC_DRBG - Read/write error in file");
-    if (use_ret == -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED))
-        mbedtls_snprintf(buf, buflen, "HMAC_DRBG - The entropy source failed");
-#endif /* MBEDTLS_HMAC_DRBG_C */
-
-#if defined(MBEDTLS_MD2_C)
-    if (use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "MD2 - MD2 hardware accelerator failed");
-#endif /* MBEDTLS_MD2_C */
-
-#if defined(MBEDTLS_MD4_C)
-    if (use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "MD4 - MD4 hardware accelerator failed");
-#endif /* MBEDTLS_MD4_C */
-
-#if defined(MBEDTLS_MD5_C)
-    if (use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "MD5 - MD5 hardware accelerator failed");
-#endif /* MBEDTLS_MD5_C */
-
-#if defined(MBEDTLS_NET_C)
-    if (use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Failed to open a socket");
-    if (use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - The connection to the given server / port failed");
-    if (use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Binding of the socket failed");
-    if (use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Could not listen on the socket");
-    if (use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Could not accept the incoming connection");
-    if (use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Reading information from the socket failed");
-    if (use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Sending information through the socket failed");
-    if (use_ret == -(MBEDTLS_ERR_NET_CONN_RESET))
-        mbedtls_snprintf(buf, buflen, "NET - Connection was reset by peer");
-    if (use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST))
-        mbedtls_snprintf(buf, buflen, "NET - Failed to get an IP address for the given hostname");
-    if (use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL))
-        mbedtls_snprintf(buf, buflen, "NET - Buffer is too small to hold the data");
-    if (use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT))
-        mbedtls_snprintf(buf, buflen, "NET - The context is invalid, eg because it was free()ed");
-    if (use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED))
-        mbedtls_snprintf(buf, buflen, "NET - Polling the net context failed");
-    if (use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "NET - Input invalid");
-#endif /* MBEDTLS_NET_C */
-
-#if defined(MBEDTLS_OID_C)
-    if (use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND))
-        mbedtls_snprintf(buf, buflen, "OID - OID is not found");
-    if (use_ret == -(MBEDTLS_ERR_OID_BUF_TOO_SMALL))
-        mbedtls_snprintf(buf, buflen, "OID - output buffer is too small");
-#endif /* MBEDTLS_OID_C */
-
-#if defined(MBEDTLS_PADLOCK_C)
-    if (use_ret == -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED))
-        mbedtls_snprintf(buf, buflen, "PADLOCK - Input data should be aligned");
-#endif /* MBEDTLS_PADLOCK_C */
-
-#if defined(MBEDTLS_POLY1305_C)
-    if (use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "POLY1305 - Invalid input parameter(s)");
-    if (use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE))
-        mbedtls_snprintf(buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented");
-    if (use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed");
-#endif /* MBEDTLS_POLY1305_C */
-
-#if defined(MBEDTLS_RIPEMD160_C)
-    if (use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed");
-#endif /* MBEDTLS_RIPEMD160_C */
-
-#if defined(MBEDTLS_SHA1_C)
-    if (use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "SHA1 - SHA-1 hardware accelerator failed");
-#endif /* MBEDTLS_SHA1_C */
-
-#if defined(MBEDTLS_SHA256_C)
-    if (use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "SHA256 - SHA-256 hardware accelerator failed");
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA512_C)
-    if (use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "SHA512 - SHA-512 hardware accelerator failed");
-#endif /* MBEDTLS_SHA512_C */
-
-#if defined(MBEDTLS_THREADING_C)
-    if (use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE))
-        mbedtls_snprintf(buf, buflen, "THREADING - The selected feature is not available");
-    if (use_ret == -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA))
-        mbedtls_snprintf(buf, buflen, "THREADING - Bad input parameters to function");
-    if (use_ret == -(MBEDTLS_ERR_THREADING_MUTEX_ERROR))
-        mbedtls_snprintf(buf, buflen, "THREADING - Locking / unlocking / free failed with error code");
-#endif /* MBEDTLS_THREADING_C */
-
-#if defined(MBEDTLS_XTEA_C)
-    if (use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH))
-        mbedtls_snprintf(buf, buflen, "XTEA - The data input has an invalid length");
-    if (use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED))
-        mbedtls_snprintf(buf, buflen, "XTEA - XTEA hardware accelerator failed");
-#endif /* MBEDTLS_XTEA_C */
-    // END generated code
-
-    if (strlen(buf) != 0)
-        return;
-
-    mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret);
+    if (low_level_error_description == NULL)
+        mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
+    else
+        mbedtls_snprintf(buf, buflen, "%s", low_level_error_description);
 }
 
 #else /* MBEDTLS_ERROR_C */
 
-#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
-
 /*
  * Provide an non-function in case MBEDTLS_ERROR_C is not defined
  */
@@ -887,6 +963,6 @@ void mbedtls_strerror(int ret, char *buf, size_t buflen) {
         buf[0] = '\0';
 }
 
-#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
-
 #endif /* MBEDTLS_ERROR_C */
+
+#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
diff --git a/common/mbedtls/error.h b/common/mbedtls/error.h
index 9e1867f32..fa63292a6 100644
--- a/common/mbedtls/error.h
+++ b/common/mbedtls/error.h
@@ -4,28 +4,30 @@
  * \brief Error to string translation
  */
 /*
- *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**
@@ -48,9 +50,10 @@
  * For historical reasons, low-level error codes are divided in even and odd,
  * even codes were assigned first, and -1 is reserved for other errors.
  *
- * Low-level module errors (0x0002-0x007E, 0x0003-0x007F)
+ * Low-level module errors (0x0002-0x007E, 0x0001-0x007F)
  *
  * Module   Nr  Codes assigned
+ * ERROR     2  0x006E          0x0001
  * MPI       7  0x0002-0x0010
  * GCM       3  0x0012-0x0014   0x0013-0x0013
  * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
@@ -76,12 +79,13 @@
  * MD4       1                  0x002D-0x002D
  * MD5       1                  0x002F-0x002F
  * RIPEMD160 1                  0x0031-0x0031
- * SHA1      1                  0x0035-0x0035
- * SHA256    1                  0x0037-0x0037
- * SHA512    1                  0x0039-0x0039
+ * SHA1      1                  0x0035-0x0035 0x0073-0x0073
+ * SHA256    1                  0x0037-0x0037 0x0074-0x0074
+ * SHA512    1                  0x0039-0x0039 0x0075-0x0075
  * CHACHA20  3                  0x0051-0x0055
  * POLY1305  3                  0x0057-0x005B
  * CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM  2  0x0070-0x0072
  *
  * High-level module nr (3 bits - 0x0...-0x7...)
  * Name      ID  Nr of Errors
@@ -92,12 +96,13 @@
  * DHM       3   11
  * PK        3   15 (Started from top)
  * RSA       4   11
- * ECP       4   9 (Started from top)
+ * ECP       4   10 (Started from top)
  * MD        5   5
  * HKDF      5   1 (Started from top)
- * CIPHER    6   8
- * SSL       6   22 (Started from top)
- * SSL       7   31
+ * SSL       5   2 (Started from 0x5F00)
+ * CIPHER    6   8 (Started from 0x6080)
+ * SSL       6   24 (Started from top, plus 0x6000)
+ * SSL       7   32
  *
  * Module dependent error code (5 bits 0x.00.-0x.F8.)
  */
@@ -106,6 +111,9 @@
 extern "C" {
 #endif
 
+#define MBEDTLS_ERR_ERROR_GENERIC_ERROR       -0x0001  /**< Generic error */
+#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E  /**< This is a bug in the library */
+
 /**
  * \brief Translate a mbed TLS error code into a string representation,
  *        Result is truncated if necessary and always includes a terminating
@@ -117,6 +125,36 @@ extern "C" {
  */
 void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
 
+/**
+ * \brief Translate the high-level part of an Mbed TLS error code into a string
+ *        representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code    error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ *         code is unknown.
+ */
+const char *mbedtls_high_level_strerr(int error_code);
+
+/**
+ * \brief Translate the low-level part of an Mbed TLS error code into a string
+ *        representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code    error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ *         code is unknown.
+ */
+const char *mbedtls_low_level_strerr(int error_code);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/gcm.c b/common/mbedtls/gcm.c
new file mode 100644
index 000000000..cb1baae06
--- /dev/null
+++ b/common/mbedtls/gcm.c
@@ -0,0 +1,1051 @@
+/*
+ *  NIST SP800-38D compliant GCM implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/* Parameter validation macros */
+#define GCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT )
+#define GCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init(mbedtls_gcm_context *ctx) {
+    GCM_VALIDATE(ctx != NULL);
+    memset(ctx, 0, sizeof(mbedtls_gcm_context));
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ *      HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table(mbedtls_gcm_context *ctx) {
+    int ret, i, j;
+    uint64_t hi, lo;
+    uint64_t vl, vh;
+    unsigned char h[16];
+    size_t olen = 0;
+
+    memset(h, 0, 16);
+    if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen)) != 0)
+        return (ret);
+
+    /* pack h as two 64-bits ints, big-endian */
+    GET_UINT32_BE(hi, h,  0);
+    GET_UINT32_BE(lo, h,  4);
+    vh = (uint64_t) hi << 32 | lo;
+
+    GET_UINT32_BE(hi, h,  8);
+    GET_UINT32_BE(lo, h,  12);
+    vl = (uint64_t) hi << 32 | lo;
+
+    /* 8 = 1000 corresponds to 1 in GF(2^128) */
+    ctx->HL[8] = vl;
+    ctx->HH[8] = vh;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    /* With CLMUL support, we need only h, not the rest of the table */
+    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL))
+        return (0);
+#endif
+
+    /* 0 corresponds to 0 in GF(2^128) */
+    ctx->HH[0] = 0;
+    ctx->HL[0] = 0;
+
+    for (i = 4; i > 0; i >>= 1) {
+        uint32_t T = (vl & 1) * 0xe1000000U;
+        vl  = (vh << 63) | (vl >> 1);
+        vh  = (vh >> 1) ^ ((uint64_t) T << 32);
+
+        ctx->HL[i] = vl;
+        ctx->HH[i] = vh;
+    }
+
+    for (i = 2; i <= 8; i *= 2) {
+        uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
+        vh = *HiH;
+        vl = *HiL;
+        for (j = 1; j < i; j++) {
+            HiH[j] = vh ^ ctx->HH[j];
+            HiL[j] = vl ^ ctx->HL[j];
+        }
+    }
+
+    return (0);
+}
+
+int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
+                       mbedtls_cipher_id_t cipher,
+                       const unsigned char *key,
+                       unsigned int keybits) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(key != NULL);
+    GCM_VALIDATE_RET(keybits == 128 || keybits == 192 || keybits == 256);
+
+    cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+                                                  MBEDTLS_MODE_ECB);
+    if (cipher_info == NULL)
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+
+    if (cipher_info->block_size != 16)
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+
+    if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+                                     MBEDTLS_ENCRYPT)) != 0) {
+        return (ret);
+    }
+
+    if ((ret = gcm_gen_table(ctx)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+/*
+ * Shoup's method for multiplication use this table with
+ *      last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint64_t last4[16] = {
+    0x0000, 0x1c20, 0x3840, 0x2460,
+    0x7080, 0x6ca0, 0x48c0, 0x54e0,
+    0xe100, 0xfd20, 0xd940, 0xc560,
+    0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
+                     unsigned char output[16]) {
+    int i = 0;
+    unsigned char lo, hi, rem;
+    uint64_t zh, zl;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
+        unsigned char h[16];
+
+        PUT_UINT32_BE(ctx->HH[8] >> 32, h,  0);
+        PUT_UINT32_BE(ctx->HH[8],       h,  4);
+        PUT_UINT32_BE(ctx->HL[8] >> 32, h,  8);
+        PUT_UINT32_BE(ctx->HL[8],       h, 12);
+
+        mbedtls_aesni_gcm_mult(output, x, h);
+        return;
+    }
+#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
+
+    lo = x[15] & 0xf;
+
+    zh = ctx->HH[lo];
+    zl = ctx->HL[lo];
+
+    for (i = 15; i >= 0; i--) {
+        lo = x[i] & 0xf;
+        hi = (x[i] >> 4) & 0xf;
+
+        if (i != 15) {
+            rem = (unsigned char) zl & 0xf;
+            zl = (zh << 60) | (zl >> 4);
+            zh = (zh >> 4);
+            zh ^= (uint64_t) last4[rem] << 48;
+            zh ^= ctx->HH[lo];
+            zl ^= ctx->HL[lo];
+
+        }
+
+        rem = (unsigned char) zl & 0xf;
+        zl = (zh << 60) | (zl >> 4);
+        zh = (zh >> 4);
+        zh ^= (uint64_t) last4[rem] << 48;
+        zh ^= ctx->HH[hi];
+        zl ^= ctx->HL[hi];
+    }
+
+    PUT_UINT32_BE(zh >> 32, output, 0);
+    PUT_UINT32_BE(zh, output, 4);
+    PUT_UINT32_BE(zl >> 32, output, 8);
+    PUT_UINT32_BE(zl, output, 12);
+}
+
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+                       int mode,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char work_buf[16];
+    size_t i;
+    const unsigned char *p;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(iv != NULL);
+    GCM_VALIDATE_RET(add_len == 0 || add != NULL);
+
+    /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
+    /* IV is not allowed to be zero length */
+    if (iv_len == 0 ||
+            ((uint64_t) iv_len) >> 61 != 0 ||
+            ((uint64_t) add_len) >> 61 != 0) {
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+    }
+
+    memset(ctx->y, 0x00, sizeof(ctx->y));
+    memset(ctx->buf, 0x00, sizeof(ctx->buf));
+
+    ctx->mode = mode;
+    ctx->len = 0;
+    ctx->add_len = 0;
+
+    if (iv_len == 12) {
+        memcpy(ctx->y, iv, iv_len);
+        ctx->y[15] = 1;
+    } else {
+        memset(work_buf, 0x00, 16);
+        PUT_UINT32_BE(iv_len * 8, work_buf, 12);
+
+        p = iv;
+        while (iv_len > 0) {
+            use_len = (iv_len < 16) ? iv_len : 16;
+
+            for (i = 0; i < use_len; i++)
+                ctx->y[i] ^= p[i];
+
+            gcm_mult(ctx, ctx->y, ctx->y);
+
+            iv_len -= use_len;
+            p += use_len;
+        }
+
+        for (i = 0; i < 16; i++)
+            ctx->y[i] ^= work_buf[i];
+
+        gcm_mult(ctx, ctx->y, ctx->y);
+    }
+
+    if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16,
+                                     ctx->base_ectr, &olen)) != 0) {
+        return (ret);
+    }
+
+    ctx->add_len = add_len;
+    p = add;
+    while (add_len > 0) {
+        use_len = (add_len < 16) ? add_len : 16;
+
+        for (i = 0; i < use_len; i++)
+            ctx->buf[i] ^= p[i];
+
+        gcm_mult(ctx, ctx->buf, ctx->buf);
+
+        add_len -= use_len;
+        p += use_len;
+    }
+
+    return (0);
+}
+
+int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
+                       size_t length,
+                       const unsigned char *input,
+                       unsigned char *output) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char ectr[16];
+    size_t i;
+    const unsigned char *p;
+    unsigned char *out_p = output;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(length == 0 || input != NULL);
+    GCM_VALIDATE_RET(length == 0 || output != NULL);
+
+    if (output > input && (size_t)(output - input) < length)
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+
+    /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+     * Also check for possible overflow */
+    if (ctx->len + length < ctx->len ||
+            (uint64_t) ctx->len + length > 0xFFFFFFFE0ull) {
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+    }
+
+    ctx->len += length;
+
+    p = input;
+    while (length > 0) {
+        use_len = (length < 16) ? length : 16;
+
+        for (i = 16; i > 12; i--)
+            if (++ctx->y[i - 1] != 0)
+                break;
+
+        if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ectr,
+                                         &olen)) != 0) {
+            return (ret);
+        }
+
+        for (i = 0; i < use_len; i++) {
+            if (ctx->mode == MBEDTLS_GCM_DECRYPT)
+                ctx->buf[i] ^= p[i];
+            out_p[i] = ectr[i] ^ p[i];
+            if (ctx->mode == MBEDTLS_GCM_ENCRYPT)
+                ctx->buf[i] ^= out_p[i];
+        }
+
+        gcm_mult(ctx, ctx->buf, ctx->buf);
+
+        length -= use_len;
+        p += use_len;
+        out_p += use_len;
+    }
+
+    return (0);
+}
+
+int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
+                       unsigned char *tag,
+                       size_t tag_len) {
+    unsigned char work_buf[16];
+    size_t i;
+    uint64_t orig_len;
+    uint64_t orig_add_len;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(tag != NULL);
+
+    orig_len = ctx->len * 8;
+    orig_add_len = ctx->add_len * 8;
+
+    if (tag_len > 16 || tag_len < 4)
+        return (MBEDTLS_ERR_GCM_BAD_INPUT);
+
+    memcpy(tag, ctx->base_ectr, tag_len);
+
+    if (orig_len || orig_add_len) {
+        memset(work_buf, 0x00, 16);
+
+        PUT_UINT32_BE((orig_add_len >> 32), work_buf, 0);
+        PUT_UINT32_BE((orig_add_len), work_buf, 4);
+        PUT_UINT32_BE((orig_len     >> 32), work_buf, 8);
+        PUT_UINT32_BE((orig_len), work_buf, 12);
+
+        for (i = 0; i < 16; i++)
+            ctx->buf[i] ^= work_buf[i];
+
+        gcm_mult(ctx, ctx->buf, ctx->buf);
+
+        for (i = 0; i < tag_len; i++)
+            tag[i] ^= ctx->buf[i];
+    }
+
+    return (0);
+}
+
+int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
+                              int mode,
+                              size_t length,
+                              const unsigned char *iv,
+                              size_t iv_len,
+                              const unsigned char *add,
+                              size_t add_len,
+                              const unsigned char *input,
+                              unsigned char *output,
+                              size_t tag_len,
+                              unsigned char *tag) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(iv != NULL);
+    GCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    GCM_VALIDATE_RET(length == 0 || input != NULL);
+    GCM_VALIDATE_RET(length == 0 || output != NULL);
+    GCM_VALIDATE_RET(tag != NULL);
+
+    if ((ret = mbedtls_gcm_starts(ctx, mode, iv, iv_len, add, add_len)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_gcm_update(ctx, length, input, output)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_gcm_finish(ctx, tag, tag_len)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
+                             size_t length,
+                             const unsigned char *iv,
+                             size_t iv_len,
+                             const unsigned char *add,
+                             size_t add_len,
+                             const unsigned char *tag,
+                             size_t tag_len,
+                             const unsigned char *input,
+                             unsigned char *output) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+
+    GCM_VALIDATE_RET(ctx != NULL);
+    GCM_VALIDATE_RET(iv != NULL);
+    GCM_VALIDATE_RET(add_len == 0 || add != NULL);
+    GCM_VALIDATE_RET(tag != NULL);
+    GCM_VALIDATE_RET(length == 0 || input != NULL);
+    GCM_VALIDATE_RET(length == 0 || output != NULL);
+
+    if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
+                                         iv, iv_len, add, add_len,
+                                         input, output, tag_len, check_tag)) != 0) {
+        return (ret);
+    }
+
+    /* Check tag in "constant-time" */
+    for (diff = 0, i = 0; i < tag_len; i++)
+        diff |= tag[i] ^ check_tag[i];
+
+    if (diff != 0) {
+        mbedtls_platform_zeroize(output, length);
+        return (MBEDTLS_ERR_GCM_AUTH_FAILED);
+    }
+
+    return (0);
+}
+
+void mbedtls_gcm_free(mbedtls_gcm_context *ctx) {
+    if (ctx == NULL)
+        return;
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_gcm_context));
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS   6
+
+static const int key_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key_test_data[MAX_TESTS][32] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+    },
+};
+
+static const size_t iv_len_test_data[MAX_TESTS] =
+{ 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv_test_data[MAX_TESTS][64] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+        0xde, 0xca, 0xf8, 0x88
+    },
+    {
+        0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+        0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+        0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+        0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+        0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+        0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+        0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+        0xa6, 0x37, 0xb3, 0x9b
+    },
+};
+
+static const size_t add_len_test_data[MAX_TESTS] =
+{ 0, 0, 0, 20, 20, 20 };
+
+static const int add_index_test_data[MAX_TESTS] =
+{ 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional_test_data[MAX_TESTS][64] = {
+    { 0x00 },
+    {
+        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+        0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+        0xab, 0xad, 0xda, 0xd2
+    },
+};
+
+static const size_t pt_len_test_data[MAX_TESTS] =
+{ 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt_test_data[MAX_TESTS][64] = {
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+        0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+        0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+        0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+        0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+        0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+        0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+        0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
+    },
+};
+
+static const unsigned char ct_test_data[MAX_TESTS * 3][64] = {
+    { 0x00 },
+    {
+        0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+        0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78
+    },
+    {
+        0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+        0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+        0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+        0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+        0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+        0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+        0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+        0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85
+    },
+    {
+        0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+        0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+        0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+        0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+        0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+        0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+        0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+        0x3d, 0x58, 0xe0, 0x91
+    },
+    {
+        0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+        0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+        0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+        0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+        0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+        0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+        0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+        0xc2, 0x3f, 0x45, 0x98
+    },
+    {
+        0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+        0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+        0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+        0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+        0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+        0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+        0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+        0x4c, 0x34, 0xae, 0xe5
+    },
+    { 0x00 },
+    {
+        0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+        0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00
+    },
+    {
+        0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+        0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+        0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+        0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+        0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+        0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+        0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+        0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56
+    },
+    {
+        0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+        0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+        0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+        0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+        0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+        0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+        0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+        0xcc, 0xda, 0x27, 0x10
+    },
+    {
+        0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+        0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+        0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+        0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+        0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+        0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+        0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+        0xa0, 0xf0, 0x62, 0xf7
+    },
+    {
+        0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+        0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+        0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+        0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+        0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+        0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+        0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+        0xe9, 0xb7, 0x37, 0x3b
+    },
+    { 0x00 },
+    {
+        0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+        0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18
+    },
+    {
+        0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+        0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+        0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+        0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+        0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+        0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+        0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+        0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad
+    },
+    {
+        0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+        0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+        0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+        0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+        0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+        0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+        0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+        0xbc, 0xc9, 0xf6, 0x62
+    },
+    {
+        0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+        0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+        0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+        0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+        0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+        0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+        0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+        0xf4, 0x7c, 0x9b, 0x1f
+    },
+    {
+        0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+        0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+        0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+        0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+        0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+        0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+        0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+        0x44, 0xae, 0x7e, 0x3f
+    },
+};
+
+static const unsigned char tag_test_data[MAX_TESTS * 3][16] = {
+    {
+        0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+        0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a
+    },
+    {
+        0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+        0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf
+    },
+    {
+        0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+        0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4
+    },
+    {
+        0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+        0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47
+    },
+    {
+        0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+        0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb
+    },
+    {
+        0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+        0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50
+    },
+    {
+        0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+        0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35
+    },
+    {
+        0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+        0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb
+    },
+    {
+        0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+        0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14
+    },
+    {
+        0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+        0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c
+    },
+    {
+        0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+        0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8
+    },
+    {
+        0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+        0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
+    },
+    {
+        0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+        0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b
+    },
+    {
+        0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+        0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19
+    },
+    {
+        0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+        0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c
+    },
+    {
+        0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+        0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
+    },
+    {
+        0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+        0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2
+    },
+    {
+        0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+        0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a
+    },
+};
+
+int mbedtls_gcm_self_test(int verbose) {
+    mbedtls_gcm_context ctx;
+    unsigned char buf[64];
+    unsigned char tag_buf[16];
+    int i, j, ret;
+    mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+
+    for (j = 0; j < 3; j++) {
+        int key_len = 128 + 64 * j;
+
+        for (i = 0; i < MAX_TESTS; i++) {
+            mbedtls_gcm_init(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("  AES-GCM-%3d #%d (%s): ",
+                               key_len, i, "enc");
+
+            ret = mbedtls_gcm_setkey(&ctx, cipher,
+                                     key_test_data[key_index_test_data[i]],
+                                     key_len);
+            /*
+             * AES-192 is an optional feature that may be unavailable when
+             * there is an alternative underlying implementation i.e. when
+             * MBEDTLS_AES_ALT is defined.
+             */
+            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192) {
+                mbedtls_printf("skipped\n");
+                break;
+            } else if (ret != 0) {
+                goto exit;
+            }
+
+            ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT,
+                                            pt_len_test_data[i],
+                                            iv_test_data[iv_index_test_data[i]],
+                                            iv_len_test_data[i],
+                                            additional_test_data[add_index_test_data[i]],
+                                            add_len_test_data[i],
+                                            pt_test_data[pt_index_test_data[i]],
+                                            buf, 16, tag_buf);
+#if defined(MBEDTLS_GCM_ALT)
+            /* Allow alternative implementations to only support 12-byte nonces. */
+            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED &&
+                    iv_len_test_data[i] != 12) {
+                mbedtls_printf("skipped\n");
+                break;
+            }
+#endif /* defined(MBEDTLS_GCM_ALT) */
+            if (ret != 0)
+                goto exit;
+
+            if (memcmp(buf, ct_test_data[j * 6 + i],
+                       pt_len_test_data[i]) != 0 ||
+                    memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("passed\n");
+
+            mbedtls_gcm_init(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("  AES-GCM-%3d #%d (%s): ",
+                               key_len, i, "dec");
+
+            ret = mbedtls_gcm_setkey(&ctx, cipher,
+                                     key_test_data[key_index_test_data[i]],
+                                     key_len);
+            if (ret != 0)
+                goto exit;
+
+            ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_DECRYPT,
+                                            pt_len_test_data[i],
+                                            iv_test_data[iv_index_test_data[i]],
+                                            iv_len_test_data[i],
+                                            additional_test_data[add_index_test_data[i]],
+                                            add_len_test_data[i],
+                                            ct_test_data[j * 6 + i], buf, 16, tag_buf);
+
+            if (ret != 0)
+                goto exit;
+
+            if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+                       pt_len_test_data[i]) != 0 ||
+                    memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("passed\n");
+
+            mbedtls_gcm_init(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("  AES-GCM-%3d #%d split (%s): ",
+                               key_len, i, "enc");
+
+            ret = mbedtls_gcm_setkey(&ctx, cipher,
+                                     key_test_data[key_index_test_data[i]],
+                                     key_len);
+            if (ret != 0)
+                goto exit;
+
+            ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_ENCRYPT,
+                                     iv_test_data[iv_index_test_data[i]],
+                                     iv_len_test_data[i],
+                                     additional_test_data[add_index_test_data[i]],
+                                     add_len_test_data[i]);
+            if (ret != 0)
+                goto exit;
+
+            if (pt_len_test_data[i] > 32) {
+                size_t rest_len = pt_len_test_data[i] - 32;
+                ret = mbedtls_gcm_update(&ctx, 32,
+                                         pt_test_data[pt_index_test_data[i]],
+                                         buf);
+                if (ret != 0)
+                    goto exit;
+
+                ret = mbedtls_gcm_update(&ctx, rest_len,
+                                         pt_test_data[pt_index_test_data[i]] + 32,
+                                         buf + 32);
+                if (ret != 0)
+                    goto exit;
+            } else {
+                ret = mbedtls_gcm_update(&ctx, pt_len_test_data[i],
+                                         pt_test_data[pt_index_test_data[i]],
+                                         buf);
+                if (ret != 0)
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish(&ctx, tag_buf, 16);
+            if (ret != 0)
+                goto exit;
+
+            if (memcmp(buf, ct_test_data[j * 6 + i],
+                       pt_len_test_data[i]) != 0 ||
+                    memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("passed\n");
+
+            mbedtls_gcm_init(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("  AES-GCM-%3d #%d split (%s): ",
+                               key_len, i, "dec");
+
+            ret = mbedtls_gcm_setkey(&ctx, cipher,
+                                     key_test_data[key_index_test_data[i]],
+                                     key_len);
+            if (ret != 0)
+                goto exit;
+
+            ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT,
+                                     iv_test_data[iv_index_test_data[i]],
+                                     iv_len_test_data[i],
+                                     additional_test_data[add_index_test_data[i]],
+                                     add_len_test_data[i]);
+            if (ret != 0)
+                goto exit;
+
+            if (pt_len_test_data[i] > 32) {
+                size_t rest_len = pt_len_test_data[i] - 32;
+                ret = mbedtls_gcm_update(&ctx, 32, ct_test_data[j * 6 + i],
+                                         buf);
+                if (ret != 0)
+                    goto exit;
+
+                ret = mbedtls_gcm_update(&ctx, rest_len,
+                                         ct_test_data[j * 6 + i] + 32,
+                                         buf + 32);
+                if (ret != 0)
+                    goto exit;
+            } else {
+                ret = mbedtls_gcm_update(&ctx, pt_len_test_data[i],
+                                         ct_test_data[j * 6 + i],
+                                         buf);
+                if (ret != 0)
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish(&ctx, tag_buf, 16);
+            if (ret != 0)
+                goto exit;
+
+            if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+                       pt_len_test_data[i]) != 0 ||
+                    memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free(&ctx);
+
+            if (verbose != 0)
+                mbedtls_printf("passed\n");
+        }
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    ret = 0;
+
+exit:
+    if (ret != 0) {
+        if (verbose != 0)
+            mbedtls_printf("failed\n");
+        mbedtls_gcm_free(&ctx);
+    }
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/common/mbedtls/gcm.h b/common/mbedtls/gcm.h
new file mode 100644
index 000000000..59c7886cf
--- /dev/null
+++ b/common/mbedtls/gcm.h
@@ -0,0 +1,323 @@
+/**
+ * \file gcm.h
+ *
+ * \brief This file contains GCM definitions and functions.
+ *
+ * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ * (GCM), Natl. Inst. Stand. Technol.</em>
+ *
+ * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
+ * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_GCM_H
+#define MBEDTLS_GCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/cipher.h"
+
+#include <stdint.h>
+
+#define MBEDTLS_GCM_ENCRYPT     1
+#define MBEDTLS_GCM_DECRYPT     0
+
+#define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/**
+ * \brief          The GCM context structure.
+ */
+typedef struct mbedtls_gcm_context {
+    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
+    uint64_t HL[16];                      /*!< Precalculated HTable low. */
+    uint64_t HH[16];                      /*!< Precalculated HTable high. */
+    uint64_t len;                         /*!< The total length of the encrypted data. */
+    uint64_t add_len;                     /*!< The total length of the additional data. */
+    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
+    unsigned char y[16];                  /*!< The Y working value. */
+    unsigned char buf[16];                /*!< The buf working value. */
+    int mode;                             /*!< The operation to perform:
+                                               #MBEDTLS_GCM_ENCRYPT or
+                                               #MBEDTLS_GCM_DECRYPT. */
+}
+mbedtls_gcm_context;
+
+#else  /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
+/**
+ * \brief           This function initializes the specified GCM context,
+ *                  to make references valid, and prepares the context
+ *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *
+ *                  The function does not bind the GCM context to a particular
+ *                  cipher, nor set the key. For this purpose, use
+ *                  mbedtls_gcm_setkey().
+ *
+ * \param ctx       The GCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_gcm_init(mbedtls_gcm_context *ctx);
+
+/**
+ * \brief           This function associates a GCM context with a
+ *                  cipher algorithm and a key.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must be a readable buffer of at
+ *                  least \p keybits bits.
+ * \param keybits   The key size in bits. Valid options are:
+ *                  <ul><li>128 bits</li>
+ *                  <li>192 bits</li>
+ *                  <li>256 bits</li></ul>
+ *
+ * \return          \c 0 on success.
+ * \return          A cipher-specific error code on failure.
+ */
+int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
+                       mbedtls_cipher_id_t cipher,
+                       const unsigned char *key,
+                       unsigned int keybits);
+
+/**
+ * \brief           This function performs GCM encryption or decryption of a buffer.
+ *
+ * \note            For encryption, the output buffer can be the same as the
+ *                  input buffer. For decryption, the output buffer cannot be
+ *                  the same as input buffer. If the buffers overlap, the output
+ *                  buffer must trail at least 8 Bytes behind the input buffer.
+ *
+ * \warning         When this function performs a decryption, it outputs the
+ *                  authentication tag and does not verify that the data is
+ *                  authentic. You should use this function to perform encryption
+ *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
+ * \param ctx       The GCM context to use for encryption or decryption. This
+ *                  must be initialized.
+ * \param mode      The operation to perform:
+ *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ *                    The ciphertext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ *                    The plaintext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                    Note that this mode is not recommended, because it does
+ *                    not verify the authenticity of the data. For this reason,
+ *                    you should use mbedtls_gcm_auth_decrypt() instead of
+ *                    calling this function in decryption mode.
+ * \param length    The length of the input data, which is equal to the length
+ *                  of the output data.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is greater
+ *                  than zero, this must be a writable buffer of at least that
+ *                  size in Bytes.
+ * \param tag_len   The length of the tag to generate.
+ * \param tag       The buffer for holding the tag. This must be a writable
+ *                  buffer of at least \p tag_len Bytes.
+ *
+ * \return          \c 0 if the encryption or decryption was performed
+ *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ *                  this does not indicate that the data is authentic.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the encryption
+ *                  or decryption failed.
+ */
+int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
+                              int mode,
+                              size_t length,
+                              const unsigned char *iv,
+                              size_t iv_len,
+                              const unsigned char *add,
+                              size_t add_len,
+                              const unsigned char *input,
+                              unsigned char *output,
+                              size_t tag_len,
+                              unsigned char *tag);
+
+/**
+ * \brief           This function performs a GCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the ciphertext to decrypt, which is also
+ *                  the length of the decrypted plaintext.
+ * \param iv        The initialization vector. This must be a readable buffer
+ *                  of at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param tag       The buffer holding the tag to verify. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to verify.
+ * \param input     The buffer holding the ciphertext. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size.
+ * \param output    The buffer for holding the decrypted plaintext. If \p length
+ *                  is greater than zero, this must be a writable buffer of at
+ *                  least that size.
+ *
+ * \return          \c 0 if successful and authenticated.
+ * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the decryption
+ *                  failed.
+ */
+int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
+                             size_t length,
+                             const unsigned char *iv,
+                             size_t iv_len,
+                             const unsigned char *add,
+                             size_t add_len,
+                             const unsigned char *tag,
+                             size_t tag_len,
+                             const unsigned char *input,
+                             unsigned char *output);
+
+/**
+ * \brief           This function starts a GCM encryption or decryption
+ *                  operation.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ *                  #MBEDTLS_GCM_DECRYPT.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data, or \c NULL
+ *                  if \p add_len is \c 0.
+ * \param add_len   The length of the additional data. If \c 0,
+ *                  \p add may be \c NULL.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+                       int mode,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len);
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing GCM
+ *                  encryption or decryption operation.
+ *
+ *    `             The function expects input to be a multiple of 16
+ *                  Bytes. Only the last call before calling
+ *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the input data. This must be a multiple of
+ *                  16 except in the last call before mbedtls_gcm_finish().
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is
+ *                  greater than zero, this must be a writable buffer of at
+ *                  least that size in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
+                       size_t length,
+                       const unsigned char *input,
+                       unsigned char *output);
+
+/**
+ * \brief           This function finishes the GCM operation and generates
+ *                  the authentication tag.
+ *
+ *                  It wraps up the GCM stream, and generates the
+ *                  tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param tag       The buffer for holding the tag. This must be a writable
+ *                  buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to generate. This must be at least
+ *                  four.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
+                       unsigned char *tag,
+                       size_t tag_len);
+
+/**
+ * \brief           This function clears a GCM context and the underlying
+ *                  cipher sub-context.
+ *
+ * \param ctx       The GCM context to clear. If this is \c NULL, the call has
+ *                  no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_gcm_free(mbedtls_gcm_context *ctx);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The GCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_gcm_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* gcm.h */
diff --git a/common/mbedtls/havege.c b/common/mbedtls/havege.c
new file mode 100644
index 000000000..1be2cf9a3
--- /dev/null
+++ b/common/mbedtls/havege.c
@@ -0,0 +1,231 @@
+/**
+ *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The HAVEGE RNG was designed by Andre Seznec in 2002.
+ *
+ *  http://www.irisa.fr/caps/projects/hipsor/publi.php
+ *
+ *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_HAVEGE_C)
+
+#include "mbedtls/havege.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdint.h>
+#include <string.h>
+
+/* ------------------------------------------------------------------------
+ * On average, one iteration accesses two 8-word blocks in the havege WALK
+ * table, and generates 16 words in the RES array.
+ *
+ * The data read in the WALK table is updated and permuted after each use.
+ * The result of the hardware clock counter read is used  for this update.
+ *
+ * 25 conditional tests are present.  The conditional tests are grouped in
+ * two nested  groups of 12 conditional tests and 1 test that controls the
+ * permutation; on average, there should be 6 tests executed and 3 of them
+ * should be mispredicted.
+ * ------------------------------------------------------------------------
+ */
+
+#define SWAP(X,Y) { uint32_t *T = (X); (X) = (Y); (Y) = T; }
+
+#define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+#define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+
+#define TST1_LEAVE U1++; }
+#define TST2_LEAVE U2++; }
+
+#define ONE_ITERATION                                   \
+                                                        \
+    PTEST = PT1 >> 20;                                  \
+                                                        \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+                                                        \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+                                                        \
+    PTX = (PT1 >> 18) & 7;                              \
+    PT1 &= 0x1FFF;                                      \
+    PT2 &= 0x1FFF;                                      \
+    CLK = (uint32_t) mbedtls_timing_hardclock();        \
+                                                        \
+    i = 0;                                              \
+    A = &WALK[PT1    ]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2    ]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 1]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 4]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (1)) ^ (*A << (31)) ^ CLK;              \
+    *A = (*B >> (2)) ^ (*B << (30)) ^ CLK;              \
+    *B = IN ^ U1;                                       \
+    *C = (*C >> (3)) ^ (*C << (29)) ^ CLK;              \
+    *D = (*D >> (4)) ^ (*D << (28)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 2]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 2]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 3]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 6]; RES[i++] ^= *D;                 \
+                                                        \
+    if( PTEST & 1 ) SWAP( A, C );                       \
+                                                        \
+    IN = (*A >> (5)) ^ (*A << (27)) ^ CLK;              \
+    *A = (*B >> (6)) ^ (*B << (26)) ^ CLK;              \
+    *B = IN; CLK = (uint32_t) mbedtls_timing_hardclock();       \
+    *C = (*C >> (7)) ^ (*C << (25)) ^ CLK;              \
+    *D = (*D >> (8)) ^ (*D << (24)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 4];                                 \
+    B = &WALK[PT2 ^ 1];                                 \
+                                                        \
+    PTEST = PT2 >> 1;                                   \
+                                                        \
+    PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]);   \
+    PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8);  \
+    PTY = (PT2 >> 10) & 7;                              \
+                                                        \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+                                                        \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+                                                        \
+    C = &WALK[PT1 ^ 5];                                 \
+    D = &WALK[PT2 ^ 5];                                 \
+                                                        \
+    RES[i++] ^= *A;                                     \
+    RES[i++] ^= *B;                                     \
+    RES[i++] ^= *C;                                     \
+    RES[i++] ^= *D;                                     \
+                                                        \
+    IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK;             \
+    *A = (*B >> (10)) ^ (*B << (22)) ^ CLK;             \
+    *B = IN ^ U2;                                       \
+    *C = (*C >> (11)) ^ (*C << (21)) ^ CLK;             \
+    *D = (*D >> (12)) ^ (*D << (20)) ^ CLK;             \
+                                                        \
+    A = &WALK[PT1 ^ 6]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 3]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 7]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 7]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (13)) ^ (*A << (19)) ^ CLK;             \
+    *A = (*B >> (14)) ^ (*B << (18)) ^ CLK;             \
+    *B = IN;                                            \
+    *C = (*C >> (15)) ^ (*C << (17)) ^ CLK;             \
+    *D = (*D >> (16)) ^ (*D << (16)) ^ CLK;             \
+                                                        \
+    PT1 = ( RES[( i - 8 ) ^ PTX] ^                      \
+            WALK[PT1 ^ PTX ^ 7] ) & (~1);               \
+    PT1 ^= (PT2 ^ 0x10) & 0x10;                         \
+                                                        \
+    for( n++, i = 0; i < 16; i++ )                      \
+        hs->pool[n % MBEDTLS_HAVEGE_COLLECT_SIZE] ^= RES[i];
+
+/*
+ * Entropy gathering function
+ */
+static void havege_fill(mbedtls_havege_state *hs) {
+    size_t n = 0;
+    size_t i;
+    uint32_t  U1,  U2, *A, *B, *C, *D;
+    uint32_t PT1, PT2, *WALK, RES[16];
+    uint32_t PTX, PTY, CLK, PTEST, IN;
+
+    WALK = hs->WALK;
+    PT1  = hs->PT1;
+    PT2  = hs->PT2;
+
+    PTX  = U1 = 0;
+    PTY  = U2 = 0;
+
+    (void)PTX;
+
+    memset(RES, 0, sizeof(RES));
+
+    while (n < MBEDTLS_HAVEGE_COLLECT_SIZE * 4) {
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+    }
+
+    hs->PT1 = PT1;
+    hs->PT2 = PT2;
+
+    hs->offset[0] = 0;
+    hs->offset[1] = MBEDTLS_HAVEGE_COLLECT_SIZE / 2;
+}
+
+/*
+ * HAVEGE initialization
+ */
+void mbedtls_havege_init(mbedtls_havege_state *hs) {
+    memset(hs, 0, sizeof(mbedtls_havege_state));
+
+    havege_fill(hs);
+}
+
+void mbedtls_havege_free(mbedtls_havege_state *hs) {
+    if (hs == NULL)
+        return;
+
+    mbedtls_platform_zeroize(hs, sizeof(mbedtls_havege_state));
+}
+
+/*
+ * HAVEGE rand function
+ */
+int mbedtls_havege_random(void *p_rng, unsigned char *buf, size_t len) {
+    uint32_t val;
+    size_t use_len;
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) p_rng;
+    unsigned char *p = buf;
+
+    while (len > 0) {
+        use_len = len;
+        if (use_len > sizeof(val))
+            use_len = sizeof(val);
+
+        if (hs->offset[1] >= MBEDTLS_HAVEGE_COLLECT_SIZE)
+            havege_fill(hs);
+
+        val  = hs->pool[hs->offset[0]++];
+        val ^= hs->pool[hs->offset[1]++];
+
+        memcpy(p, &val, use_len);
+
+        len -= use_len;
+        p += use_len;
+    }
+
+    return (0);
+}
+
+#endif /* MBEDTLS_HAVEGE_C */
diff --git a/common/mbedtls/havege.h b/common/mbedtls/havege.h
new file mode 100644
index 000000000..7d042d196
--- /dev/null
+++ b/common/mbedtls/havege.h
@@ -0,0 +1,79 @@
+/**
+ * \file havege.h
+ *
+ * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_HAVEGE_H
+#define MBEDTLS_HAVEGE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          HAVEGE state structure
+ */
+typedef struct mbedtls_havege_state {
+    uint32_t PT1, PT2, offset[2];
+    uint32_t pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
+    uint32_t WALK[8192];
+}
+mbedtls_havege_state;
+
+/**
+ * \brief          HAVEGE initialization
+ *
+ * \param hs       HAVEGE state to be initialized
+ */
+void mbedtls_havege_init(mbedtls_havege_state *hs);
+
+/**
+ * \brief          Clear HAVEGE state
+ *
+ * \param hs       HAVEGE state to be cleared
+ */
+void mbedtls_havege_free(mbedtls_havege_state *hs);
+
+/**
+ * \brief          HAVEGE rand function
+ *
+ * \param p_rng    A HAVEGE state
+ * \param output   Buffer to fill
+ * \param len      Length of buffer
+ *
+ * \return         0
+ */
+int mbedtls_havege_random(void *p_rng, unsigned char *output, size_t len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* havege.h */
diff --git a/common/mbedtls/hkdf.c b/common/mbedtls/hkdf.c
new file mode 100644
index 000000000..cf4000b07
--- /dev/null
+++ b/common/mbedtls/hkdf.c
@@ -0,0 +1,170 @@
+/*
+ *  HKDF implementation -- RFC 5869
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
+                 size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                 const unsigned char *info, size_t info_len,
+                 unsigned char *okm, size_t okm_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+    ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
+
+    if (ret == 0) {
+        ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md),
+                                  info, info_len, okm, okm_len);
+    }
+
+    mbedtls_platform_zeroize(prk, sizeof(prk));
+
+    return (ret);
+}
+
+int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
+                         const unsigned char *salt, size_t salt_len,
+                         const unsigned char *ikm, size_t ikm_len,
+                         unsigned char *prk) {
+    unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+    if (salt == NULL) {
+        size_t hash_len;
+
+        if (salt_len != 0) {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        hash_len = mbedtls_md_get_size(md);
+
+        if (hash_len == 0) {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        salt = null_salt;
+        salt_len = hash_len;
+    }
+
+    return (mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk));
+}
+
+int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
+                        size_t prk_len, const unsigned char *info,
+                        size_t info_len, unsigned char *okm, size_t okm_len) {
+    size_t hash_len;
+    size_t where = 0;
+    size_t n;
+    size_t t_len = 0;
+    size_t i;
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+    if (okm == NULL) {
+        return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
+    }
+
+    hash_len = mbedtls_md_get_size(md);
+
+    if (prk_len < hash_len || hash_len == 0) {
+        return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
+    }
+
+    if (info == NULL) {
+        info = (const unsigned char *) "";
+        info_len = 0;
+    }
+
+    n = okm_len / hash_len;
+
+    if (okm_len % hash_len != 0) {
+        n++;
+    }
+
+    /*
+     * Per RFC 5869 Section 2.3, okm_len must not exceed
+     * 255 times the hash length
+     */
+    if (n > 255) {
+        return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
+    }
+
+    mbedtls_md_init(&ctx);
+
+    if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0) {
+        goto exit;
+    }
+
+    memset(t, 0, hash_len);
+
+    /*
+     * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+     * Where T(N) is defined in RFC 5869 Section 2.3
+     */
+    for (i = 1; i <= n; i++) {
+        size_t num_to_copy;
+        unsigned char c = i & 0xff;
+
+        ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
+        if (ret != 0) {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update(&ctx, t, t_len);
+        if (ret != 0) {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update(&ctx, info, info_len);
+        if (ret != 0) {
+            goto exit;
+        }
+
+        /* The constant concatenated to the end of each T(n) is a single octet.
+         * */
+        ret = mbedtls_md_hmac_update(&ctx, &c, 1);
+        if (ret != 0) {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_finish(&ctx, t);
+        if (ret != 0) {
+            goto exit;
+        }
+
+        num_to_copy = i != n ? hash_len : okm_len - where;
+        memcpy(okm + where, t, num_to_copy);
+        where += hash_len;
+        t_len = hash_len;
+    }
+
+exit:
+    mbedtls_md_free(&ctx);
+    mbedtls_platform_zeroize(t, sizeof(t));
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/common/mbedtls/hkdf.h b/common/mbedtls/hkdf.h
new file mode 100644
index 000000000..449b7a7a6
--- /dev/null
+++ b/common/mbedtls/hkdf.h
@@ -0,0 +1,139 @@
+/**
+ * \file hkdf.h
+ *
+ * \brief   This file contains the HKDF interface.
+ *
+ *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
+ *          specified by RFC 5869.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_HKDF_H
+#define MBEDTLS_HKDF_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/md.h"
+
+/**
+ *  \name HKDF Error codes
+ *  \{
+ */
+#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
+ *          (HKDF).
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  salt      An optional salt value (a non-secret random value);
+ *                    if the salt is not provided, a string of all zeros of
+ *                    md.size length is used as the salt.
+ *  \param  salt_len  The length in bytes of the optional \p salt.
+ *  \param  ikm       The input keying material.
+ *  \param  ikm_len   The length in bytes of \p ikm.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
+                 size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                 const unsigned char *info, size_t info_len,
+                 unsigned char *okm, size_t okm_len);
+
+/**
+ *  \brief  Take the input keying material \p ikm and extract from it a
+ *          fixed-length pseudorandom key \p prk.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param       md        A hash function; md.size denotes the length of the
+ *                         hash function output in bytes.
+ *  \param       salt      An optional salt value (a non-secret random value);
+ *                         if the salt is not provided, a string of all zeros
+ *                         of md.size length is used as the salt.
+ *  \param       salt_len  The length in bytes of the optional \p salt.
+ *  \param       ikm       The input keying material.
+ *  \param       ikm_len   The length in bytes of \p ikm.
+ *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
+                         const unsigned char *salt, size_t salt_len,
+                         const unsigned char *ikm, size_t ikm_len,
+                         unsigned char *prk);
+
+/**
+ *  \brief  Expand the supplied \p prk into several additional pseudorandom
+ *          keys, which is the output of the HKDF.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
+ *                    usually the output from the HKDF extract step.
+ *  \param  prk_len   The length in bytes of \p prk.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
+                        size_t prk_len, const unsigned char *info,
+                        size_t info_len, unsigned char *okm, size_t okm_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hkdf.h */
diff --git a/common/mbedtls/hmac_drbg.c b/common/mbedtls/hmac_drbg.c
new file mode 100644
index 000000000..a6fabb619
--- /dev/null
+++ b/common/mbedtls/hmac_drbg.c
@@ -0,0 +1,600 @@
+/*
+ *  HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ *  The NIST SP 800-90A DRBGs are described in the following publication.
+ *  http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ *  References below are based on rev. 1 (January 2012).
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_hmac_drbg_context));
+
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update_ret(mbedtls_hmac_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len) {
+    size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+    unsigned char rounds = (additional != NULL && add_len != 0) ? 2 : 1;
+    unsigned char sep[1];
+    unsigned char K[MBEDTLS_MD_MAX_SIZE];
+    int ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+
+    for (sep[0] = 0; sep[0] < rounds; sep[0]++) {
+        /* Step 1 or 4 */
+        if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+                                          ctx->V, md_len)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+                                          sep, 1)) != 0)
+            goto exit;
+        if (rounds == 2) {
+            if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+                                              additional, add_len)) != 0)
+                goto exit;
+        }
+        if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, K)) != 0)
+            goto exit;
+
+        /* Step 2 or 5 */
+        if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, K, md_len)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+                                          ctx->V, md_len)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0)
+            goto exit;
+    }
+
+exit:
+    mbedtls_platform_zeroize(K, sizeof(K));
+    return (ret);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
+                              const unsigned char *additional,
+                              size_t add_len) {
+    (void) mbedtls_hmac_drbg_update_ret(ctx, additional, add_len);
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
+                               const mbedtls_md_info_t *md_info,
+                               const unsigned char *data, size_t data_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0)
+        return (ret);
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V,
+                                      mbedtls_md_get_size(md_info))) != 0)
+        return (ret);
+    memset(ctx->V, 0x01, mbedtls_md_get_size(md_info));
+
+    if ((ret = mbedtls_hmac_drbg_update_ret(ctx, data, data_len)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core(mbedtls_hmac_drbg_context *ctx,
+                                 const unsigned char *additional, size_t len,
+                                 int use_nonce) {
+    unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    {
+        size_t total_entropy_len;
+
+        if (use_nonce == 0)
+            total_entropy_len = ctx->entropy_len;
+        else
+            total_entropy_len = ctx->entropy_len * 3 / 2;
+
+        /* III. Check input length */
+        if (len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+                total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) {
+            return (MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG);
+        }
+    }
+
+    memset(seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT);
+
+    /* IV. Gather entropy_len bytes of entropy for the seed */
+    if ((ret = ctx->f_entropy(ctx->p_entropy,
+                              seed, ctx->entropy_len)) != 0) {
+        return (MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED);
+    }
+    seedlen += ctx->entropy_len;
+
+    /* For initial seeding, allow adding of nonce generated
+     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+    if (use_nonce) {
+        /* Note: We don't merge the two calls to f_entropy() in order
+         *       to avoid requesting too much entropy from f_entropy()
+         *       at once. Specifically, if the underlying digest is not
+         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+         *       is larger than the maximum of 32 Bytes that our own
+         *       entropy source implementation can emit in a single
+         *       call in configurations disabling SHA-512. */
+        if ((ret = ctx->f_entropy(ctx->p_entropy,
+                                  seed + seedlen,
+                                  ctx->entropy_len / 2)) != 0) {
+            return (MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED);
+        }
+
+        seedlen += ctx->entropy_len / 2;
+    }
+
+
+    /* 1. Concatenate entropy and additional data if any */
+    if (additional != NULL && len != 0) {
+        memcpy(seed + seedlen, additional, len);
+        seedlen += len;
+    }
+
+    /* 2. Update state */
+    if ((ret = mbedtls_hmac_drbg_update_ret(ctx, seed, seedlen)) != 0)
+        goto exit;
+
+    /* 3. Reset reseed_counter */
+    ctx->reseed_counter = 1;
+
+exit:
+    /* 4. Done */
+    mbedtls_platform_zeroize(seed, seedlen);
+    return (ret);
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
+                             const unsigned char *additional, size_t len) {
+    return (hmac_drbg_reseed_core(ctx, additional, len, 0));
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+                           const mbedtls_md_info_t *md_info,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t md_size;
+
+    if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0)
+        return (ret);
+
+    /* The mutex is initialized iff the md context is set up. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+    md_size = mbedtls_md_get_size(md_info);
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V, md_size)) != 0)
+        return (ret);
+    memset(ctx->V, 0x01, md_size);
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if (ctx->entropy_len == 0) {
+        /*
+         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+         * each hash function, then according to SP800-90A rev1 10.1 table 2,
+         * min_entropy_len (in bits) is security_strength.
+         *
+         * (This also matches the sizes used in the NIST test vectors.)
+         */
+        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                           32;  /* better (256+) -> 256 bits */
+    }
+
+    if ((ret = hmac_drbg_reseed_core(ctx, custom, len,
+                                     1 /* add nonce */)) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
+                                                 int resistance) {
+    ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx, size_t len) {
+    ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx, int interval) {
+    ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add(void *p_rng,
+                                      unsigned char *output, size_t out_len,
+                                      const unsigned char *additional, size_t add_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+    size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+    size_t left = out_len;
+    unsigned char *out = output;
+
+    /* II. Check request length */
+    if (out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+        return (MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG);
+
+    /* III. Check input length */
+    if (add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT)
+        return (MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG);
+
+    /* 1. (aka VII and IX) Check reseed counter and PR */
+    if (ctx->f_entropy != NULL && /* For no-reseeding instances */
+            (ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+             ctx->reseed_counter > ctx->reseed_interval)) {
+        if ((ret = mbedtls_hmac_drbg_reseed(ctx, additional, add_len)) != 0)
+            return (ret);
+
+        add_len = 0; /* VII.4 */
+    }
+
+    /* 2. Use additional data if any */
+    if (additional != NULL && add_len != 0) {
+        if ((ret = mbedtls_hmac_drbg_update_ret(ctx,
+                                                additional, add_len)) != 0)
+            goto exit;
+    }
+
+    /* 3, 4, 5. Generate bytes */
+    while (left != 0) {
+        size_t use_len = left > md_len ? md_len : left;
+
+        if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+                                          ctx->V, md_len)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0)
+            goto exit;
+
+        memcpy(out, ctx->V, use_len);
+        out += use_len;
+        left -= use_len;
+    }
+
+    /* 6. Update */
+    if ((ret = mbedtls_hmac_drbg_update_ret(ctx,
+                                            additional, add_len)) != 0)
+        goto exit;
+
+    /* 7. Update reseed counter */
+    ctx->reseed_counter++;
+
+exit:
+    /* 8. Done */
+    return (ret);
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
+        return (ret);
+#endif
+
+    ret = mbedtls_hmac_drbg_random_with_add(ctx, output, out_len, NULL, 0);
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&ctx->mutex) != 0)
+        return (MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+#endif
+
+    return (ret);
+}
+
+/*
+ *  This function resets HMAC_DRBG context to the state immediately
+ *  after initial call of mbedtls_hmac_drbg_init().
+ */
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    /* The mutex is initialized iff the md context is set up. */
+    if (ctx->md_ctx.md_info != NULL)
+        mbedtls_mutex_free(&ctx->mutex);
+#endif
+    mbedtls_md_free(&ctx->md_ctx);
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_hmac_drbg_context));
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+
+    if ((f = fopen(path, "wb")) == NULL)
+        return (MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR);
+
+    if ((ret = mbedtls_hmac_drbg_random(ctx, buf, sizeof(buf))) != 0)
+        goto exit;
+
+    if (fwrite(buf, 1, sizeof(buf), f) != sizeof(buf)) {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    fclose(f);
+    mbedtls_platform_zeroize(buf, sizeof(buf));
+
+    return (ret);
+}
+
+int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path) {
+    int ret = 0;
+    FILE *f = NULL;
+    size_t n;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+    unsigned char c;
+
+    if ((f = fopen(path, "rb")) == NULL)
+        return (MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR);
+
+    n = fread(buf, 1, sizeof(buf), f);
+    if (fread(&c, 1, 1, f) != 0) {
+        ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+        goto exit;
+    }
+    if (n == 0 || ferror(f)) {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+    fclose(f);
+    f = NULL;
+
+    ret = mbedtls_hmac_drbg_update_ret(ctx, buf, n);
+
+exit:
+    mbedtls_platform_zeroize(buf, sizeof(buf));
+    if (f != NULL)
+        fclose(f);
+    if (ret != 0)
+        return (ret);
+    return (mbedtls_hmac_drbg_write_seed_file(ctx, path));
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test(int verbose) {
+    (void) verbose;
+    return (0);
+}
+#else
+
+#define OUTPUT_LEN  80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+    0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+    0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+    0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+    0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+    0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4
+};
+static const unsigned char result_pr[OUTPUT_LEN] = {
+    0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+    0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+    0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+    0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+    0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+    0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+    0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44
+};
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+    0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+    0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+    0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+    0xe9, 0x9d, 0xfe, 0xdf
+};
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+    0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+    0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+    0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+    0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+    0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+    0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+    0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7
+};
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy(void *data,
+                                       unsigned char *buf, size_t len) {
+    const unsigned char *p = data;
+    memcpy(buf, p + test_offset, len);
+    test_offset += len;
+    return (0);
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test(int verbose) {
+    mbedtls_hmac_drbg_context ctx;
+    unsigned char buf[OUTPUT_LEN];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
+
+    mbedtls_hmac_drbg_init(&ctx);
+
+    /*
+     * PR = True
+     */
+    if (verbose != 0)
+        mbedtls_printf("  HMAC_DRBG (PR = True) : ");
+
+    test_offset = 0;
+    CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+                               hmac_drbg_self_test_entropy, (void *) entropy_pr,
+                               NULL, 0));
+    mbedtls_hmac_drbg_set_prediction_resistance(&ctx, MBEDTLS_HMAC_DRBG_PR_ON);
+    CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+    CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+    CHK(memcmp(buf, result_pr, OUTPUT_LEN));
+    mbedtls_hmac_drbg_free(&ctx);
+
+    mbedtls_hmac_drbg_free(&ctx);
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+    /*
+     * PR = False
+     */
+    if (verbose != 0)
+        mbedtls_printf("  HMAC_DRBG (PR = False) : ");
+
+    mbedtls_hmac_drbg_init(&ctx);
+
+    test_offset = 0;
+    CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+                               hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+                               NULL, 0));
+    CHK(mbedtls_hmac_drbg_reseed(&ctx, NULL, 0));
+    CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+    CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+    CHK(memcmp(buf, result_nopr, OUTPUT_LEN));
+    mbedtls_hmac_drbg_free(&ctx);
+
+    mbedtls_hmac_drbg_free(&ctx);
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+}
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/common/mbedtls/hmac_drbg.h b/common/mbedtls/hmac_drbg.h
new file mode 100644
index 000000000..f380f9234
--- /dev/null
+++ b/common/mbedtls/hmac_drbg.h
@@ -0,0 +1,469 @@
+/**
+ * \file hmac_drbg.h
+ *
+ * \brief The HMAC_DRBG pseudorandom generator.
+ *
+ * This module implements the HMAC_DRBG pseudorandom generator described
+ * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ * Deterministic Random Bit Generators</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_HMAC_DRBG_H
+#define MBEDTLS_HMAC_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/*
+ * Error codes
+ */
+#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003  /**< Too many random requested in single call. */
+#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005  /**< Input too large (Entropy + additional). */
+#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007  /**< Read/write error in file. */
+#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009  /**< The entropy source failed. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+#define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
+#define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HMAC_DRBG context.
+ */
+typedef struct mbedtls_hmac_drbg_context {
+    /* Working state: the key K is not stored explicitly,
+     * but is implied by the HMAC context */
+    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
+    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
+    int reseed_counter;                     /*!< reseed counter         */
+
+    /* Administrative state */
+    size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
+    int prediction_resistance;  /*!< enable prediction resistance (Automatic
+                                     reseed before every random generation) */
+    int reseed_interval;        /*!< reseed interval   */
+
+    /* Callbacks */
+    int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
+    void *p_entropy;            /*!< context for the entropy function        */
+
+#if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized if and only if
+     * md_ctx->md_info != NULL. This means that the mutex is initialized
+     * during the initial seeding in mbedtls_hmac_drbg_seed() or
+     * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
+     *
+     * Note that this invariant may change without notice. Do not rely on it
+     * and do not access the mutex directly in application code.
+     */
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_hmac_drbg_context;
+
+/**
+ * \brief               HMAC_DRBG context initialization.
+ *
+ * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
+ *
+ * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+ *                      by default. Override this value by calling
+ *                      mbedtls_hmac_drbg_set_reseed_interval().
+ *
+ * \param ctx           HMAC_DRBG context to be initialized.
+ */
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx);
+
+/**
+ * \brief               HMAC_DRBG initial seeding.
+ *
+ * Set the initial seed and set up the entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                By default, the security strength as defined by NIST is:
+ *                      - 128 bits if \p md_info is SHA-1;
+ *                      - 192 bits if \p md_info is SHA-224;
+ *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
+ *                      Note that SHA-256 is just as efficient as SHA-224.
+ *                      The security strength can be reduced if a smaller
+ *                      entropy length is set with
+ *                      mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                The default entropy length is the security strength
+ *                      (converted from bits to bytes). You can override
+ *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                During the initial seeding, this function calls
+ *                      the entropy source to obtain a nonce
+ *                      whose length is half the entropy length.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_hmac_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx           HMAC_DRBG context to be seeded.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a length that is
+ *                      less than or equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
+ *                      where \p entropy_len is the entropy length
+ *                      described above.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if the call to \p f_entropy failed.
+ */
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+                           const mbedtls_md_info_t *md_info,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len);
+
+/**
+ * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
+ *
+ * This function is meant for use in algorithms that need a pseudorandom
+ * input such as deterministic ECDSA.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_hmac_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx           HMAC_DRBG context to be initialised.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param data          Concatenation of the initial entropy string and
+ *                      the additional data.
+ * \param data_len      Length of \p data in bytes.
+ *
+ * \return              \c 0 if successful. or
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ */
+int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
+                               const mbedtls_md_info_t *md_info,
+                               const unsigned char *data, size_t data_len);
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_hmac_drbg_random_with_add()
+ *                      or mbedtls_hmac_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
+                                                 int resistance);
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ */
+void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx,
+                                       size_t len);
+
+/**
+ * \brief               Set the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx,
+                                           int interval);
+
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ *
+ * \return              \c 0 on success, or an error from the underlying
+ *                      hash calculation.
+ */
+int mbedtls_hmac_drbg_update_ret(mbedtls_hmac_drbg_context *ctx,
+                                 const unsigned char *additional, size_t add_len);
+
+/**
+ * \brief               This function reseeds the HMAC_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    Additional data to add to the state.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p len should be \c 0.
+ * \param len           The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
+ *                      where \p entropy_len is the entropy length
+ *                      (see mbedtls_hmac_drbg_set_entropy_len()).
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy function failed.
+ */
+int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
+                             const unsigned char *additional, size_t len);
+
+/**
+ * \brief   This function updates an HMAC_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \param additional    Additional data to update with.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p add_len should be \c 0.
+ * \param add_len       The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ */
+int mbedtls_hmac_drbg_random_with_add(void *p_rng,
+                                      unsigned char *output, size_t output_len,
+                                      const unsigned char *additional,
+                                      size_t add_len);
+
+/**
+ * \brief   This function uses HMAC_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param out_len       The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ */
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len);
+
+/**
+ * \brief               This function resets HMAC_DRBG context to the state immediately
+ *                      after initial call of mbedtls_hmac_drbg_init().
+ *
+ * \param ctx           The HMAC_DRBG context to free.
+ */
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx);
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
+ *                      in 2.16.0.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ */
+MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
+    mbedtls_hmac_drbg_context *ctx,
+    const unsigned char *additional, size_t add_len);
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief               The HMAC_DRBG Checkup routine.
+ *
+ * \return              \c 0 if successful.
+ * \return              \c 1 if the test failed.
+ */
+int mbedtls_hmac_drbg_self_test(int verbose);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hmac_drbg.h */
diff --git a/common/mbedtls/md.c b/common/mbedtls/md.c
index 294896c3d..9e0991914 100644
--- a/common/mbedtls/md.c
+++ b/common/mbedtls/md.c
@@ -1,41 +1,42 @@
 /**
- * \file mbedtls_md.c
+ * \file md.c
  *
  * \brief Generic message digest wrapper for mbed TLS
  *
  * \author Adriaan de Jong <dejong@fox-it.com>
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_MD_C)
 
 #include "mbedtls/md.h"
 #include "mbedtls/md_internal.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
 
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
@@ -51,6 +52,85 @@
 #include <stdio.h>
 #endif
 
+#if defined(MBEDTLS_MD2_C)
+const mbedtls_md_info_t mbedtls_md2_info = {
+    "MD2",
+    MBEDTLS_MD_MD2,
+    16,
+    16,
+};
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+const mbedtls_md_info_t mbedtls_md4_info = {
+    "MD4",
+    MBEDTLS_MD_MD4,
+    16,
+    64,
+};
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+const mbedtls_md_info_t mbedtls_md5_info = {
+    "MD5",
+    MBEDTLS_MD_MD5,
+    16,
+    64,
+};
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+const mbedtls_md_info_t mbedtls_ripemd160_info = {
+    "RIPEMD160",
+    MBEDTLS_MD_RIPEMD160,
+    20,
+    64,
+};
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+const mbedtls_md_info_t mbedtls_sha1_info = {
+    "SHA1",
+    MBEDTLS_MD_SHA1,
+    20,
+    64,
+};
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+const mbedtls_md_info_t mbedtls_sha224_info = {
+    "SHA224",
+    MBEDTLS_MD_SHA224,
+    28,
+    64,
+};
+
+const mbedtls_md_info_t mbedtls_sha256_info = {
+    "SHA256",
+    MBEDTLS_MD_SHA256,
+    32,
+    64,
+};
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+const mbedtls_md_info_t mbedtls_sha384_info = {
+    "SHA384",
+    MBEDTLS_MD_SHA384,
+    48,
+    128,
+};
+#endif
+
+const mbedtls_md_info_t mbedtls_sha512_info = {
+    "SHA512",
+    MBEDTLS_MD_SHA512,
+    64,
+    128,
+};
+#endif
+
 /*
  * Reminder: update profiles in x509_crt.c when adding a new hash!
  */
@@ -58,8 +138,10 @@ static const int supported_digests[] = {
 
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
     MBEDTLS_MD_SHA384,
 #endif
+#endif
 
 #if defined(MBEDTLS_SHA256_C)
     MBEDTLS_MD_SHA256,
@@ -125,8 +207,10 @@ const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name) {
         return mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
 #endif
 #if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
     if (!strcmp("SHA384", md_name))
         return mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
+#endif
     if (!strcmp("SHA512", md_name))
         return mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
 #endif
@@ -162,8 +246,10 @@ const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type) {
             return (&mbedtls_sha256_info);
 #endif
 #if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
         case MBEDTLS_MD_SHA384:
             return (&mbedtls_sha384_info);
+#endif
         case MBEDTLS_MD_SHA512:
             return (&mbedtls_sha512_info);
 #endif
@@ -180,8 +266,53 @@ void mbedtls_md_free(mbedtls_md_context_t *ctx) {
     if (ctx == NULL || ctx->md_info == NULL)
         return;
 
-    if (ctx->md_ctx != NULL)
-        ctx->md_info->ctx_free_func(ctx->md_ctx);
+    if (ctx->md_ctx != NULL) {
+        switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+            case MBEDTLS_MD_MD2:
+                mbedtls_md2_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_MD4_C)
+            case MBEDTLS_MD_MD4:
+                mbedtls_md4_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_MD5_C)
+            case MBEDTLS_MD_MD5:
+                mbedtls_md5_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+            case MBEDTLS_MD_RIPEMD160:
+                mbedtls_ripemd160_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+            case MBEDTLS_MD_SHA1:
+                mbedtls_sha1_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+            case MBEDTLS_MD_SHA224:
+            case MBEDTLS_MD_SHA256:
+                mbedtls_sha256_free(ctx->md_ctx);
+                break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+            case MBEDTLS_MD_SHA384:
+#endif
+            case MBEDTLS_MD_SHA512:
+                mbedtls_sha512_free(ctx->md_ctx);
+                break;
+#endif
+            default:
+                /* Shouldn't happen */
+                break;
+        }
+        mbedtls_free(ctx->md_ctx);
+    }
 
     if (ctx->hmac_ctx != NULL) {
         mbedtls_platform_zeroize(ctx->hmac_ctx,
@@ -200,7 +331,49 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
     }
 
-    dst->md_info->clone_func(dst->md_ctx, src->md_ctx);
+    switch (src->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            mbedtls_md2_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            mbedtls_md4_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            mbedtls_md5_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            mbedtls_ripemd160_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            mbedtls_sha1_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+        case MBEDTLS_MD_SHA256:
+            mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+#endif
+        case MBEDTLS_MD_SHA512:
+            mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
+            break;
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 
     return (0);
 }
@@ -211,45 +384,205 @@ int mbedtls_md_init_ctx(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_i
 }
 #endif
 
+#define ALLOC( type )                                                   \
+    do {                                                                \
+        ctx->md_ctx = mbedtls_calloc( 1, sizeof( mbedtls_##type##_context ) ); \
+        if( ctx->md_ctx == NULL )                                       \
+            return( MBEDTLS_ERR_MD_ALLOC_FAILED );                      \
+        mbedtls_##type##_init( ctx->md_ctx );                           \
+    }                                                                   \
+    while( 0 )
+
 int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac) {
     if (md_info == NULL || ctx == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    if ((ctx->md_ctx = md_info->ctx_alloc_func()) == NULL)
-        return (MBEDTLS_ERR_MD_ALLOC_FAILED);
+    ctx->md_info = md_info;
+    ctx->md_ctx = NULL;
+    ctx->hmac_ctx = NULL;
+
+    switch (md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            ALLOC(md2);
+            break;
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            ALLOC(md4);
+            break;
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            ALLOC(md5);
+            break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            ALLOC(ripemd160);
+            break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            ALLOC(sha1);
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+        case MBEDTLS_MD_SHA256:
+            ALLOC(sha256);
+            break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+#endif
+        case MBEDTLS_MD_SHA512:
+            ALLOC(sha512);
+            break;
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 
     if (hmac != 0) {
         ctx->hmac_ctx = mbedtls_calloc(2, md_info->block_size);
         if (ctx->hmac_ctx == NULL) {
-            md_info->ctx_free_func(ctx->md_ctx);
+            mbedtls_md_free(ctx);
             return (MBEDTLS_ERR_MD_ALLOC_FAILED);
         }
     }
 
-    ctx->md_info = md_info;
-
     return (0);
 }
+#undef ALLOC
 
 int mbedtls_md_starts(mbedtls_md_context_t *ctx) {
     if (ctx == NULL || ctx->md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (ctx->md_info->starts_func(ctx->md_ctx));
+    switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (mbedtls_md2_starts_ret(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (mbedtls_md4_starts_ret(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (mbedtls_md5_starts_ret(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (mbedtls_ripemd160_starts_ret(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (mbedtls_sha1_starts_ret(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return (mbedtls_sha256_starts_ret(ctx->md_ctx, 1));
+        case MBEDTLS_MD_SHA256:
+            return (mbedtls_sha256_starts_ret(ctx->md_ctx, 0));
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+            return (mbedtls_sha512_starts_ret(ctx->md_ctx, 1));
+#endif
+        case MBEDTLS_MD_SHA512:
+            return (mbedtls_sha512_starts_ret(ctx->md_ctx, 0));
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 }
 
 int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen) {
     if (ctx == NULL || ctx->md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (ctx->md_info->update_func(ctx->md_ctx, input, ilen));
+    switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (mbedtls_md2_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (mbedtls_md4_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (mbedtls_md5_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (mbedtls_ripemd160_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (mbedtls_sha1_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+        case MBEDTLS_MD_SHA256:
+            return (mbedtls_sha256_update_ret(ctx->md_ctx, input, ilen));
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+#endif
+        case MBEDTLS_MD_SHA512:
+            return (mbedtls_sha512_update_ret(ctx->md_ctx, input, ilen));
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 }
 
 int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output) {
     if (ctx == NULL || ctx->md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (ctx->md_info->finish_func(ctx->md_ctx, output));
+    switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (mbedtls_md2_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (mbedtls_md4_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (mbedtls_md5_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (mbedtls_ripemd160_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (mbedtls_sha1_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+        case MBEDTLS_MD_SHA256:
+            return (mbedtls_sha256_finish_ret(ctx->md_ctx, output));
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+#endif
+        case MBEDTLS_MD_SHA512:
+            return (mbedtls_sha512_finish_ret(ctx->md_ctx, output));
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 }
 
 int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
@@ -257,12 +590,49 @@ int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, siz
     if (md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (md_info->digest_func(input, ilen, output));
+    switch (md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (mbedtls_md2_ret(input, ilen, output));
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (mbedtls_md4_ret(input, ilen, output));
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (mbedtls_md5_ret(input, ilen, output));
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (mbedtls_ripemd160_ret(input, ilen, output));
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (mbedtls_sha1_ret(input, ilen, output));
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return (mbedtls_sha256_ret(input, ilen, output, 1));
+        case MBEDTLS_MD_SHA256:
+            return (mbedtls_sha256_ret(input, ilen, output, 0));
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+            return (mbedtls_sha512_ret(input, ilen, output, 1));
+#endif
+        case MBEDTLS_MD_SHA512:
+            return (mbedtls_sha512_ret(input, ilen, output, 0));
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 }
 
 #if defined(MBEDTLS_FS_IO)
 int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path, unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     FILE *f;
     size_t n;
     mbedtls_md_context_t ctx;
@@ -279,17 +649,17 @@ int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path, unsigned
     if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0)
         goto cleanup;
 
-    if ((ret = md_info->starts_func(ctx.md_ctx)) != 0)
+    if ((ret = mbedtls_md_starts(&ctx)) != 0)
         goto cleanup;
 
     while ((n = fread(buf, 1, sizeof(buf), f)) > 0)
-        if ((ret = md_info->update_func(ctx.md_ctx, buf, n)) != 0)
+        if ((ret = mbedtls_md_update(&ctx, buf, n)) != 0)
             goto cleanup;
 
     if (ferror(f) != 0)
         ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
     else
-        ret = md_info->finish_func(ctx.md_ctx, output);
+        ret = mbedtls_md_finish(&ctx, output);
 
 cleanup:
     mbedtls_platform_zeroize(buf, sizeof(buf));
@@ -301,7 +671,7 @@ cleanup:
 #endif /* MBEDTLS_FS_IO */
 
 int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char sum[MBEDTLS_MD_MAX_SIZE];
     unsigned char *ipad, *opad;
     size_t i;
@@ -310,11 +680,11 @@ int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key,
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
     if (keylen > (size_t) ctx->md_info->block_size) {
-        if ((ret = ctx->md_info->starts_func(ctx->md_ctx)) != 0)
+        if ((ret = mbedtls_md_starts(ctx)) != 0)
             goto cleanup;
-        if ((ret = ctx->md_info->update_func(ctx->md_ctx, key, keylen)) != 0)
+        if ((ret = mbedtls_md_update(ctx, key, keylen)) != 0)
             goto cleanup;
-        if ((ret = ctx->md_info->finish_func(ctx->md_ctx, sum)) != 0)
+        if ((ret = mbedtls_md_finish(ctx, sum)) != 0)
             goto cleanup;
 
         keylen = ctx->md_info->size;
@@ -332,10 +702,10 @@ int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key,
         opad[i] = (unsigned char)(opad[i] ^ key[i]);
     }
 
-    if ((ret = ctx->md_info->starts_func(ctx->md_ctx)) != 0)
+    if ((ret = mbedtls_md_starts(ctx)) != 0)
         goto cleanup;
-    if ((ret = ctx->md_info->update_func(ctx->md_ctx, ipad,
-                                         ctx->md_info->block_size)) != 0)
+    if ((ret = mbedtls_md_update(ctx, ipad,
+                                 ctx->md_info->block_size)) != 0)
         goto cleanup;
 
 cleanup:
@@ -348,11 +718,11 @@ int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input
     if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (ctx->md_info->update_func(ctx->md_ctx, input, ilen));
+    return (mbedtls_md_update(ctx, input, ilen));
 }
 
 int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
     unsigned char *opad;
 
@@ -361,21 +731,21 @@ int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output) {
 
     opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
 
-    if ((ret = ctx->md_info->finish_func(ctx->md_ctx, tmp)) != 0)
+    if ((ret = mbedtls_md_finish(ctx, tmp)) != 0)
         return (ret);
-    if ((ret = ctx->md_info->starts_func(ctx->md_ctx)) != 0)
+    if ((ret = mbedtls_md_starts(ctx)) != 0)
         return (ret);
-    if ((ret = ctx->md_info->update_func(ctx->md_ctx, opad,
-                                         ctx->md_info->block_size)) != 0)
+    if ((ret = mbedtls_md_update(ctx, opad,
+                                 ctx->md_info->block_size)) != 0)
         return (ret);
-    if ((ret = ctx->md_info->update_func(ctx->md_ctx, tmp,
-                                         ctx->md_info->size)) != 0)
+    if ((ret = mbedtls_md_update(ctx, tmp,
+                                 ctx->md_info->size)) != 0)
         return (ret);
-    return (ctx->md_info->finish_func(ctx->md_ctx, output));
+    return (mbedtls_md_finish(ctx, output));
 }
 
 int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *ipad;
 
     if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL)
@@ -383,10 +753,9 @@ int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx) {
 
     ipad = (unsigned char *) ctx->hmac_ctx;
 
-    if ((ret = ctx->md_info->starts_func(ctx->md_ctx)) != 0)
+    if ((ret = mbedtls_md_starts(ctx)) != 0)
         return (ret);
-    return (ctx->md_info->update_func(ctx->md_ctx, ipad,
-                                      ctx->md_info->block_size));
+    return (mbedtls_md_update(ctx, ipad, ctx->md_info->block_size));
 }
 
 int mbedtls_md_hmac(const mbedtls_md_info_t *md_info,
@@ -394,7 +763,7 @@ int mbedtls_md_hmac(const mbedtls_md_info_t *md_info,
                     const unsigned char *input, size_t ilen,
                     unsigned char *output) {
     mbedtls_md_context_t ctx;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
@@ -421,7 +790,42 @@ int mbedtls_md_process(mbedtls_md_context_t *ctx, const unsigned char *data) {
     if (ctx == NULL || ctx->md_info == NULL)
         return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
 
-    return (ctx->md_info->process_func(ctx->md_ctx, data));
+    switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (mbedtls_internal_md2_process(ctx->md_ctx));
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (mbedtls_internal_md4_process(ctx->md_ctx, data));
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (mbedtls_internal_md5_process(ctx->md_ctx, data));
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (mbedtls_internal_ripemd160_process(ctx->md_ctx, data));
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (mbedtls_internal_sha1_process(ctx->md_ctx, data));
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+        case MBEDTLS_MD_SHA256:
+            return (mbedtls_internal_sha256_process(ctx->md_ctx, data));
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+        case MBEDTLS_MD_SHA384:
+#endif
+        case MBEDTLS_MD_SHA512:
+            return (mbedtls_internal_sha512_process(ctx->md_ctx, data));
+#endif
+        default:
+            return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+    }
 }
 
 unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info) {
diff --git a/common/mbedtls/md.h b/common/mbedtls/md.h
index a127160f3..e543fc63a 100644
--- a/common/mbedtls/md.h
+++ b/common/mbedtls/md.h
@@ -6,24 +6,20 @@
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_MD_H
@@ -32,7 +28,7 @@
 #include <stddef.h>
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -41,6 +37,8 @@
 #define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
 #define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
+
+/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -74,6 +72,12 @@ typedef enum {
 #define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 or less */
 #endif
 
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         128
+#else
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         64
+#endif
+
 /**
  * Opaque struct defined in md_internal.h.
  */
@@ -97,6 +101,8 @@ typedef struct mbedtls_md_context_t {
  * \brief           This function returns the list of digests supported by the
  *                  generic digest module.
  *
+ * \note            The list starts with the strongest available hashes.
+ *
  * \return          A statically allocated array of digests. Each element
  *                  in the returned list is an integer belonging to the
  *                  message-digest enumeration #mbedtls_md_type_t.
diff --git a/common/mbedtls/md2.c b/common/mbedtls/md2.c
new file mode 100644
index 000000000..f3fd2d482
--- /dev/null
+++ b/common/mbedtls/md2.c
@@ -0,0 +1,348 @@
+/*
+ *  RFC 1115/1319 compliant MD2 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The MD2 algorithm was designed by Ron Rivest in 1989.
+ *
+ *  http://www.ietf.org/rfc/rfc1115.txt
+ *  http://www.ietf.org/rfc/rfc1319.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MD2_C)
+
+#include "mbedtls/md2.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD2_ALT)
+
+static const unsigned char PI_SUBST[256] = {
+    0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
+    0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 0x62, 0xA7, 0x05, 0xF3,
+    0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C,
+    0x82, 0xCA, 0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
+    0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 0xBE, 0x4E,
+    0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E,
+    0xBB, 0x2F, 0xEE, 0x7A, 0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2,
+    0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
+    0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E,
+    0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 0xFF, 0x19, 0x30, 0xB3,
+    0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56,
+    0xAA, 0xC6, 0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
+    0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 0x45, 0x9D,
+    0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65,
+    0xE6, 0x2D, 0xA8, 0x02, 0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0,
+    0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
+    0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C,
+    0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 0x2C, 0x53, 0x0D, 0x6E,
+    0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81,
+    0x4D, 0x52, 0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
+    0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 0x78, 0x88,
+    0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE,
+    0x3B, 0x00, 0x1D, 0x39, 0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58,
+    0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
+    0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99,
+    0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14
+};
+
+void mbedtls_md2_init(mbedtls_md2_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_md2_context));
+}
+
+void mbedtls_md2_free(mbedtls_md2_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md2_context));
+}
+
+void mbedtls_md2_clone(mbedtls_md2_context *dst,
+                       const mbedtls_md2_context *src) {
+    *dst = *src;
+}
+
+/*
+ * MD2 context setup
+ */
+int mbedtls_md2_starts_ret(mbedtls_md2_context *ctx) {
+    memset(ctx->cksum, 0, 16);
+    memset(ctx->state, 0, 46);
+    memset(ctx->buffer, 0, 16);
+    ctx->left = 0;
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_starts(mbedtls_md2_context *ctx) {
+    mbedtls_md2_starts_ret(ctx);
+}
+#endif
+
+#if !defined(MBEDTLS_MD2_PROCESS_ALT)
+int mbedtls_internal_md2_process(mbedtls_md2_context *ctx) {
+    int i, j;
+    unsigned char t = 0;
+
+    for (i = 0; i < 16; i++) {
+        ctx->state[i + 16] = ctx->buffer[i];
+        ctx->state[i + 32] =
+            (unsigned char)(ctx->buffer[i] ^ ctx->state[i]);
+    }
+
+    for (i = 0; i < 18; i++) {
+        for (j = 0; j < 48; j++) {
+            ctx->state[j] = (unsigned char)
+                            (ctx->state[j] ^ PI_SUBST[t]);
+            t  = ctx->state[j];
+        }
+
+        t = (unsigned char)(t + i);
+    }
+
+    t = ctx->cksum[15];
+
+    for (i = 0; i < 16; i++) {
+        ctx->cksum[i] = (unsigned char)
+                        (ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t]);
+        t  = ctx->cksum[i];
+    }
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&t, sizeof(t));
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_process(mbedtls_md2_context *ctx) {
+    mbedtls_internal_md2_process(ctx);
+}
+#endif
+#endif /* !MBEDTLS_MD2_PROCESS_ALT */
+
+/*
+ * MD2 process buffer
+ */
+int mbedtls_md2_update_ret(mbedtls_md2_context *ctx,
+                           const unsigned char *input,
+                           size_t ilen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t fill;
+
+    while (ilen > 0) {
+        if (ilen > 16 - ctx->left)
+            fill = 16 - ctx->left;
+        else
+            fill = ilen;
+
+        memcpy(ctx->buffer + ctx->left, input, fill);
+
+        ctx->left += fill;
+        input += fill;
+        ilen  -= fill;
+
+        if (ctx->left == 16) {
+            ctx->left = 0;
+            if ((ret = mbedtls_internal_md2_process(ctx)) != 0)
+                return (ret);
+        }
+    }
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_update(mbedtls_md2_context *ctx,
+                        const unsigned char *input,
+                        size_t ilen) {
+    mbedtls_md2_update_ret(ctx, input, ilen);
+}
+#endif
+
+/*
+ * MD2 final digest
+ */
+int mbedtls_md2_finish_ret(mbedtls_md2_context *ctx,
+                           unsigned char output[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t i;
+    unsigned char x;
+
+    x = (unsigned char)(16 - ctx->left);
+
+    for (i = ctx->left; i < 16; i++)
+        ctx->buffer[i] = x;
+
+    if ((ret = mbedtls_internal_md2_process(ctx)) != 0)
+        return (ret);
+
+    memcpy(ctx->buffer, ctx->cksum, 16);
+    if ((ret = mbedtls_internal_md2_process(ctx)) != 0)
+        return (ret);
+
+    memcpy(output, ctx->state, 16);
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_finish(mbedtls_md2_context *ctx,
+                        unsigned char output[16]) {
+    mbedtls_md2_finish_ret(ctx, output);
+}
+#endif
+
+#endif /* !MBEDTLS_MD2_ALT */
+
+/*
+ * output = MD2( input buffer )
+ */
+int mbedtls_md2_ret(const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_md2_context ctx;
+
+    mbedtls_md2_init(&ctx);
+
+    if ((ret = mbedtls_md2_starts_ret(&ctx)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_md2_update_ret(&ctx, input, ilen)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_md2_finish_ret(&ctx, output)) != 0)
+        goto exit;
+
+exit:
+    mbedtls_md2_free(&ctx);
+
+    return (ret);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2(const unsigned char *input,
+                 size_t ilen,
+                 unsigned char output[16]) {
+    mbedtls_md2_ret(input, ilen, output);
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1319 test vectors
+ */
+static const unsigned char md2_test_str[7][81] = {
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
+};
+
+static const size_t md2_test_strlen[7] = {
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md2_test_sum[7][16] = {
+    {
+        0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D,
+        0xF2, 0x27, 0x5C, 0x9F, 0x80, 0x69, 0x27, 0x73
+    },
+    {
+        0x32, 0xEC, 0x01, 0xEC, 0x4A, 0x6D, 0xAC, 0x72,
+        0xC0, 0xAB, 0x96, 0xFB, 0x34, 0xC0, 0xB5, 0xD1
+    },
+    {
+        0xDA, 0x85, 0x3B, 0x0D, 0x3F, 0x88, 0xD9, 0x9B,
+        0x30, 0x28, 0x3A, 0x69, 0xE6, 0xDE, 0xD6, 0xBB
+    },
+    {
+        0xAB, 0x4F, 0x49, 0x6B, 0xFB, 0x2A, 0x53, 0x0B,
+        0x21, 0x9F, 0xF3, 0x30, 0x31, 0xFE, 0x06, 0xB0
+    },
+    {
+        0x4E, 0x8D, 0xDF, 0xF3, 0x65, 0x02, 0x92, 0xAB,
+        0x5A, 0x41, 0x08, 0xC3, 0xAA, 0x47, 0x94, 0x0B
+    },
+    {
+        0xDA, 0x33, 0xDE, 0xF2, 0xA4, 0x2D, 0xF1, 0x39,
+        0x75, 0x35, 0x28, 0x46, 0xC3, 0x03, 0x38, 0xCD
+    },
+    {
+        0xD5, 0x97, 0x6F, 0x79, 0xD8, 0x3D, 0x3A, 0x0D,
+        0xC9, 0x80, 0x6C, 0x3C, 0x66, 0xF3, 0xEF, 0xD8
+    }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md2_self_test(int verbose) {
+    int i, ret = 0;
+    unsigned char md2sum[16];
+
+    for (i = 0; i < 7; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  MD2 test #%d: ", i + 1);
+
+        ret = mbedtls_md2_ret(md2_test_str[i], md2_test_strlen[i], md2sum);
+        if (ret != 0)
+            goto fail;
+
+        if (memcmp(md2sum, md2_test_sum[i], 16) != 0) {
+            ret = 1;
+            goto fail;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+
+fail:
+    if (verbose != 0)
+        mbedtls_printf("failed\n");
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD2_C */
diff --git a/common/mbedtls/md2.h b/common/mbedtls/md2.h
new file mode 100644
index 000000000..878e89196
--- /dev/null
+++ b/common/mbedtls/md2.h
@@ -0,0 +1,303 @@
+/**
+ * \file md2.h
+ *
+ * \brief MD2 message digest algorithm (hash function)
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+#ifndef MBEDTLS_MD2_H
+#define MBEDTLS_MD2_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD2_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD2 context structure
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md2_context {
+    unsigned char cksum[16];    /*!< checksum of the data block */
+    unsigned char state[48];    /*!< intermediate digest state  */
+    unsigned char buffer[16];   /*!< data block being processed */
+    size_t left;                /*!< amount of data in buffer   */
+}
+mbedtls_md2_context;
+
+#else  /* MBEDTLS_MD2_ALT */
+#include "md2_alt.h"
+#endif /* MBEDTLS_MD2_ALT */
+
+/**
+ * \brief          Initialize MD2 context
+ *
+ * \param ctx      MD2 context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_init(mbedtls_md2_context *ctx);
+
+/**
+ * \brief          Clear MD2 context
+ *
+ * \param ctx      MD2 context to be cleared
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_free(mbedtls_md2_context *ctx);
+
+/**
+ * \brief          Clone (the state of) an MD2 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_clone(mbedtls_md2_context *dst,
+                       const mbedtls_md2_context *src);
+
+/**
+ * \brief          MD2 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_starts_ret(mbedtls_md2_context *ctx);
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_update_ret(mbedtls_md2_context *ctx,
+                           const unsigned char *input,
+                           size_t ilen);
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_finish_ret(mbedtls_md2_context *ctx,
+                           unsigned char output[16]);
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \param ctx      MD2 context
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md2_process(mbedtls_md2_context *ctx);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD2 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_starts(mbedtls_md2_context *ctx);
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_update(mbedtls_md2_context *ctx,
+                                           const unsigned char *input,
+                                           size_t ilen);
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_finish(mbedtls_md2_context *ctx,
+                                           unsigned char output[16]);
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_process(mbedtls_md2_context *ctx);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_ret(const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[16]);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2(const unsigned char *input,
+                                    size_t ilen,
+                                    unsigned char output[16]);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md2.h */
diff --git a/common/mbedtls/md4.c b/common/mbedtls/md4.c
new file mode 100644
index 000000000..297c2fe1d
--- /dev/null
+++ b/common/mbedtls/md4.c
@@ -0,0 +1,474 @@
+/*
+ *  RFC 1186/1320 compliant MD4 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The MD4 algorithm was designed by Ron Rivest in 1990.
+ *
+ *  http://www.ietf.org/rfc/rfc1186.txt
+ *  http://www.ietf.org/rfc/rfc1320.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MD4_C)
+
+#include "mbedtls/md4.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD4_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md4_init(mbedtls_md4_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_md4_context));
+}
+
+void mbedtls_md4_free(mbedtls_md4_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md4_context));
+}
+
+void mbedtls_md4_clone(mbedtls_md4_context *dst,
+                       const mbedtls_md4_context *src) {
+    *dst = *src;
+}
+
+/*
+ * MD4 context setup
+ */
+int mbedtls_md4_starts_ret(mbedtls_md4_context *ctx) {
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_starts(mbedtls_md4_context *ctx) {
+    mbedtls_md4_starts_ret(ctx);
+}
+#endif
+
+#if !defined(MBEDTLS_MD4_PROCESS_ALT)
+int mbedtls_internal_md4_process(mbedtls_md4_context *ctx,
+                                 const unsigned char data[64]) {
+    struct {
+        uint32_t X[16], A, B, C, D;
+    } local;
+
+    GET_UINT32_LE(local.X[ 0], data,  0);
+    GET_UINT32_LE(local.X[ 1], data,  4);
+    GET_UINT32_LE(local.X[ 2], data,  8);
+    GET_UINT32_LE(local.X[ 3], data, 12);
+    GET_UINT32_LE(local.X[ 4], data, 16);
+    GET_UINT32_LE(local.X[ 5], data, 20);
+    GET_UINT32_LE(local.X[ 6], data, 24);
+    GET_UINT32_LE(local.X[ 7], data, 28);
+    GET_UINT32_LE(local.X[ 8], data, 32);
+    GET_UINT32_LE(local.X[ 9], data, 36);
+    GET_UINT32_LE(local.X[10], data, 40);
+    GET_UINT32_LE(local.X[11], data, 44);
+    GET_UINT32_LE(local.X[12], data, 48);
+    GET_UINT32_LE(local.X[13], data, 52);
+    GET_UINT32_LE(local.X[14], data, 56);
+    GET_UINT32_LE(local.X[15], data, 60);
+
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+
+#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
+#define P(a,b,c,d,x,s)                           \
+    do                                           \
+    {                                            \
+        (a) += F((b),(c),(d)) + (x);             \
+        (a) = S((a),(s));                        \
+    } while( 0 )
+
+
+    P(local.A, local.B, local.C, local.D, local.X[ 0],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 1],  7);
+    P(local.C, local.D, local.A, local.B, local.X[ 2], 11);
+    P(local.B, local.C, local.D, local.A, local.X[ 3], 19);
+    P(local.A, local.B, local.C, local.D, local.X[ 4],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 5],  7);
+    P(local.C, local.D, local.A, local.B, local.X[ 6], 11);
+    P(local.B, local.C, local.D, local.A, local.X[ 7], 19);
+    P(local.A, local.B, local.C, local.D, local.X[ 8],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 9],  7);
+    P(local.C, local.D, local.A, local.B, local.X[10], 11);
+    P(local.B, local.C, local.D, local.A, local.X[11], 19);
+    P(local.A, local.B, local.C, local.D, local.X[12],  3);
+    P(local.D, local.A, local.B, local.C, local.X[13],  7);
+    P(local.C, local.D, local.A, local.B, local.X[14], 11);
+    P(local.B, local.C, local.D, local.A, local.X[15], 19);
+
+#undef P
+#undef F
+
+#define F(x,y,z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define P(a,b,c,d,x,s)                          \
+    do                                          \
+    {                                           \
+        (a) += F((b),(c),(d)) + (x) + 0x5A827999;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P(local.A, local.B, local.C, local.D, local.X[ 0],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 4],  5);
+    P(local.C, local.D, local.A, local.B, local.X[ 8],  9);
+    P(local.B, local.C, local.D, local.A, local.X[12], 13);
+    P(local.A, local.B, local.C, local.D, local.X[ 1],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 5],  5);
+    P(local.C, local.D, local.A, local.B, local.X[ 9],  9);
+    P(local.B, local.C, local.D, local.A, local.X[13], 13);
+    P(local.A, local.B, local.C, local.D, local.X[ 2],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 6],  5);
+    P(local.C, local.D, local.A, local.B, local.X[10],  9);
+    P(local.B, local.C, local.D, local.A, local.X[14], 13);
+    P(local.A, local.B, local.C, local.D, local.X[ 3],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 7],  5);
+    P(local.C, local.D, local.A, local.B, local.X[11],  9);
+    P(local.B, local.C, local.D, local.A, local.X[15], 13);
+
+#undef P
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define P(a,b,c,d,x,s)                                  \
+    do                                                  \
+    {                                                   \
+        (a) += F((b),(c),(d)) + (x) + 0x6ED9EBA1;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P(local.A, local.B, local.C, local.D, local.X[ 0],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 8],  9);
+    P(local.C, local.D, local.A, local.B, local.X[ 4], 11);
+    P(local.B, local.C, local.D, local.A, local.X[12], 15);
+    P(local.A, local.B, local.C, local.D, local.X[ 2],  3);
+    P(local.D, local.A, local.B, local.C, local.X[10],  9);
+    P(local.C, local.D, local.A, local.B, local.X[ 6], 11);
+    P(local.B, local.C, local.D, local.A, local.X[14], 15);
+    P(local.A, local.B, local.C, local.D, local.X[ 1],  3);
+    P(local.D, local.A, local.B, local.C, local.X[ 9],  9);
+    P(local.C, local.D, local.A, local.B, local.X[ 5], 11);
+    P(local.B, local.C, local.D, local.A, local.X[13], 15);
+    P(local.A, local.B, local.C, local.D, local.X[ 3],  3);
+    P(local.D, local.A, local.B, local.C, local.X[11],  9);
+    P(local.C, local.D, local.A, local.B, local.X[ 7], 11);
+    P(local.B, local.C, local.D, local.A, local.X[15], 15);
+
+#undef F
+#undef P
+
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_process(mbedtls_md4_context *ctx,
+                         const unsigned char data[64]) {
+    mbedtls_internal_md4_process(ctx, data);
+}
+#endif
+#endif /* !MBEDTLS_MD4_PROCESS_ALT */
+
+/*
+ * MD4 process buffer
+ */
+int mbedtls_md4_update_ret(mbedtls_md4_context *ctx,
+                           const unsigned char *input,
+                           size_t ilen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t fill;
+    uint32_t left;
+
+    if (ilen == 0)
+        return (0);
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if (ctx->total[0] < (uint32_t) ilen)
+        ctx->total[1]++;
+
+    if (left && ilen >= fill) {
+        memcpy((void *)(ctx->buffer + left),
+               (void *) input, fill);
+
+        if ((ret = mbedtls_internal_md4_process(ctx, ctx->buffer)) != 0)
+            return (ret);
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while (ilen >= 64) {
+        if ((ret = mbedtls_internal_md4_process(ctx, input)) != 0)
+            return (ret);
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if (ilen > 0) {
+        memcpy((void *)(ctx->buffer + left),
+               (void *) input, ilen);
+    }
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_update(mbedtls_md4_context *ctx,
+                        const unsigned char *input,
+                        size_t ilen) {
+    mbedtls_md4_update_ret(ctx, input, ilen);
+}
+#endif
+
+static const unsigned char md4_padding[64] = {
+    0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * MD4 final digest
+ */
+int mbedtls_md4_finish_ret(mbedtls_md4_context *ctx,
+                           unsigned char output[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = (ctx->total[0] >> 29)
+           | (ctx->total[1] <<  3);
+    low  = (ctx->total[0] <<  3);
+
+    PUT_UINT32_LE(low,  msglen, 0);
+    PUT_UINT32_LE(high, msglen, 4);
+
+    last = ctx->total[0] & 0x3F;
+    padn = (last < 56) ? (56 - last) : (120 - last);
+
+    ret = mbedtls_md4_update_ret(ctx, (unsigned char *)md4_padding, padn);
+    if (ret != 0)
+        return (ret);
+
+    if ((ret = mbedtls_md4_update_ret(ctx, msglen, 8)) != 0)
+        return (ret);
+
+
+    PUT_UINT32_LE(ctx->state[0], output,  0);
+    PUT_UINT32_LE(ctx->state[1], output,  4);
+    PUT_UINT32_LE(ctx->state[2], output,  8);
+    PUT_UINT32_LE(ctx->state[3], output, 12);
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_finish(mbedtls_md4_context *ctx,
+                        unsigned char output[16]) {
+    mbedtls_md4_finish_ret(ctx, output);
+}
+#endif
+
+#endif /* !MBEDTLS_MD4_ALT */
+
+/*
+ * output = MD4( input buffer )
+ */
+int mbedtls_md4_ret(const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[16]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_md4_context ctx;
+
+    mbedtls_md4_init(&ctx);
+
+    if ((ret = mbedtls_md4_starts_ret(&ctx)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_md4_update_ret(&ctx, input, ilen)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_md4_finish_ret(&ctx, output)) != 0)
+        goto exit;
+
+exit:
+    mbedtls_md4_free(&ctx);
+
+    return (ret);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4(const unsigned char *input,
+                 size_t ilen,
+                 unsigned char output[16]) {
+    mbedtls_md4_ret(input, ilen, output);
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1320 test vectors
+ */
+static const unsigned char md4_test_str[7][81] = {
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
+};
+
+static const size_t md4_test_strlen[7] = {
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md4_test_sum[7][16] = {
+    {
+        0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31,
+        0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0
+    },
+    {
+        0xBD, 0xE5, 0x2C, 0xB3, 0x1D, 0xE3, 0x3E, 0x46,
+        0x24, 0x5E, 0x05, 0xFB, 0xDB, 0xD6, 0xFB, 0x24
+    },
+    {
+        0xA4, 0x48, 0x01, 0x7A, 0xAF, 0x21, 0xD8, 0x52,
+        0x5F, 0xC1, 0x0A, 0xE8, 0x7A, 0xA6, 0x72, 0x9D
+    },
+    {
+        0xD9, 0x13, 0x0A, 0x81, 0x64, 0x54, 0x9F, 0xE8,
+        0x18, 0x87, 0x48, 0x06, 0xE1, 0xC7, 0x01, 0x4B
+    },
+    {
+        0xD7, 0x9E, 0x1C, 0x30, 0x8A, 0xA5, 0xBB, 0xCD,
+        0xEE, 0xA8, 0xED, 0x63, 0xDF, 0x41, 0x2D, 0xA9
+    },
+    {
+        0x04, 0x3F, 0x85, 0x82, 0xF2, 0x41, 0xDB, 0x35,
+        0x1C, 0xE6, 0x27, 0xE1, 0x53, 0xE7, 0xF0, 0xE4
+    },
+    {
+        0xE3, 0x3B, 0x4D, 0xDC, 0x9C, 0x38, 0xF2, 0x19,
+        0x9C, 0x3E, 0x7B, 0x16, 0x4F, 0xCC, 0x05, 0x36
+    }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md4_self_test(int verbose) {
+    int i, ret = 0;
+    unsigned char md4sum[16];
+
+    for (i = 0; i < 7; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  MD4 test #%d: ", i + 1);
+
+        ret = mbedtls_md4_ret(md4_test_str[i], md4_test_strlen[i], md4sum);
+        if (ret != 0)
+            goto fail;
+
+        if (memcmp(md4sum, md4_test_sum[i], 16) != 0) {
+            ret = 1;
+            goto fail;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+
+fail:
+    if (verbose != 0)
+        mbedtls_printf("failed\n");
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD4_C */
diff --git a/common/mbedtls/md4.h b/common/mbedtls/md4.h
new file mode 100644
index 000000000..63eaf0828
--- /dev/null
+++ b/common/mbedtls/md4.h
@@ -0,0 +1,308 @@
+/**
+ * \file md4.h
+ *
+ * \brief MD4 message digest algorithm (hash function)
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+#ifndef MBEDTLS_MD4_H
+#define MBEDTLS_MD4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD4_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD4 context structure
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md4_context {
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md4_context;
+
+#else  /* MBEDTLS_MD4_ALT */
+#include "md4_alt.h"
+#endif /* MBEDTLS_MD4_ALT */
+
+/**
+ * \brief          Initialize MD4 context
+ *
+ * \param ctx      MD4 context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_init(mbedtls_md4_context *ctx);
+
+/**
+ * \brief          Clear MD4 context
+ *
+ * \param ctx      MD4 context to be cleared
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_free(mbedtls_md4_context *ctx);
+
+/**
+ * \brief          Clone (the state of) an MD4 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_clone(mbedtls_md4_context *dst,
+                       const mbedtls_md4_context *src);
+
+/**
+ * \brief          MD4 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ */
+int mbedtls_md4_starts_ret(mbedtls_md4_context *ctx);
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_update_ret(mbedtls_md4_context *ctx,
+                           const unsigned char *input,
+                           size_t ilen);
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_finish_ret(mbedtls_md4_context *ctx,
+                           unsigned char output[16]);
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md4_process(mbedtls_md4_context *ctx,
+                                 const unsigned char data[64]);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD4 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_starts(mbedtls_md4_context *ctx);
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_update(mbedtls_md4_context *ctx,
+                                           const unsigned char *input,
+                                           size_t ilen);
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_finish(mbedtls_md4_context *ctx,
+                                           unsigned char output[16]);
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_process(mbedtls_md4_context *ctx,
+                                            const unsigned char data[64]);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_ret(const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[16]);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4(const unsigned char *input,
+                                    size_t ilen,
+                                    unsigned char output[16]);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md4.h */
diff --git a/common/mbedtls/md5.c b/common/mbedtls/md5.c
index 5466ddbc8..c6d8a8f52 100644
--- a/common/mbedtls/md5.c
+++ b/common/mbedtls/md5.c
@@ -1,24 +1,20 @@
 /*
  *  RFC 1321 compliant MD5 implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The MD5 algorithm was designed by Ron Rivest in 1991.
@@ -26,16 +22,13 @@
  *  http://www.ietf.org/rfc/rfc1321.txt
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_MD5_C)
 
 #include "mbedtls/md5.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -55,22 +48,22 @@
  */
 #ifndef GET_UINT32_LE
 #define GET_UINT32_LE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ]       )             \
-              | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 2] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 3] << 24 );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
 #endif
 
 #ifndef PUT_UINT32_LE
 #define PUT_UINT32_LE(n,b,i)                                    \
-    {                                                               \
-        (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
-        (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
-        (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
-        (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
-    }
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
 #endif
 
 void mbedtls_md5_init(mbedtls_md5_context *ctx) {
@@ -113,125 +106,133 @@ void mbedtls_md5_starts(mbedtls_md5_context *ctx) {
 #if !defined(MBEDTLS_MD5_PROCESS_ALT)
 int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
                                  const unsigned char data[64]) {
-    uint32_t X[16], A, B, C, D;
+    struct {
+        uint32_t X[16], A, B, C, D;
+    } local;
 
-    GET_UINT32_LE(X[ 0], data,  0);
-    GET_UINT32_LE(X[ 1], data,  4);
-    GET_UINT32_LE(X[ 2], data,  8);
-    GET_UINT32_LE(X[ 3], data, 12);
-    GET_UINT32_LE(X[ 4], data, 16);
-    GET_UINT32_LE(X[ 5], data, 20);
-    GET_UINT32_LE(X[ 6], data, 24);
-    GET_UINT32_LE(X[ 7], data, 28);
-    GET_UINT32_LE(X[ 8], data, 32);
-    GET_UINT32_LE(X[ 9], data, 36);
-    GET_UINT32_LE(X[10], data, 40);
-    GET_UINT32_LE(X[11], data, 44);
-    GET_UINT32_LE(X[12], data, 48);
-    GET_UINT32_LE(X[13], data, 52);
-    GET_UINT32_LE(X[14], data, 56);
-    GET_UINT32_LE(X[15], data, 60);
+    GET_UINT32_LE(local.X[ 0], data,  0);
+    GET_UINT32_LE(local.X[ 1], data,  4);
+    GET_UINT32_LE(local.X[ 2], data,  8);
+    GET_UINT32_LE(local.X[ 3], data, 12);
+    GET_UINT32_LE(local.X[ 4], data, 16);
+    GET_UINT32_LE(local.X[ 5], data, 20);
+    GET_UINT32_LE(local.X[ 6], data, 24);
+    GET_UINT32_LE(local.X[ 7], data, 28);
+    GET_UINT32_LE(local.X[ 8], data, 32);
+    GET_UINT32_LE(local.X[ 9], data, 36);
+    GET_UINT32_LE(local.X[10], data, 40);
+    GET_UINT32_LE(local.X[11], data, 44);
+    GET_UINT32_LE(local.X[12], data, 48);
+    GET_UINT32_LE(local.X[13], data, 52);
+    GET_UINT32_LE(local.X[14], data, 56);
+    GET_UINT32_LE(local.X[15], data, 60);
 
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+#define S(x,n)                                                          \
+    ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
 
-#define P(a,b,c,d,k,s,t)                                \
-    {                                                       \
-        a += F(b,c,d) + X[k] + t; a = S(a,s) + b;           \
-    }
+#define P(a,b,c,d,k,s,t)                                                \
+    do                                                                  \
+    {                                                                   \
+        (a) += F((b),(c),(d)) + local.X[(k)] + (t);                     \
+        (a) = S((a),(s)) + (b);                                         \
+    } while( 0 )
 
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
 
-#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
-    P(A, B, C, D,  0,  7, 0xD76AA478);
-    P(D, A, B, C,  1, 12, 0xE8C7B756);
-    P(C, D, A, B,  2, 17, 0x242070DB);
-    P(B, C, D, A,  3, 22, 0xC1BDCEEE);
-    P(A, B, C, D,  4,  7, 0xF57C0FAF);
-    P(D, A, B, C,  5, 12, 0x4787C62A);
-    P(C, D, A, B,  6, 17, 0xA8304613);
-    P(B, C, D, A,  7, 22, 0xFD469501);
-    P(A, B, C, D,  8,  7, 0x698098D8);
-    P(D, A, B, C,  9, 12, 0x8B44F7AF);
-    P(C, D, A, B, 10, 17, 0xFFFF5BB1);
-    P(B, C, D, A, 11, 22, 0x895CD7BE);
-    P(A, B, C, D, 12,  7, 0x6B901122);
-    P(D, A, B, C, 13, 12, 0xFD987193);
-    P(C, D, A, B, 14, 17, 0xA679438E);
-    P(B, C, D, A, 15, 22, 0x49B40821);
+    P(local.A, local.B, local.C, local.D,  0,  7, 0xD76AA478);
+    P(local.D, local.A, local.B, local.C,  1, 12, 0xE8C7B756);
+    P(local.C, local.D, local.A, local.B,  2, 17, 0x242070DB);
+    P(local.B, local.C, local.D, local.A,  3, 22, 0xC1BDCEEE);
+    P(local.A, local.B, local.C, local.D,  4,  7, 0xF57C0FAF);
+    P(local.D, local.A, local.B, local.C,  5, 12, 0x4787C62A);
+    P(local.C, local.D, local.A, local.B,  6, 17, 0xA8304613);
+    P(local.B, local.C, local.D, local.A,  7, 22, 0xFD469501);
+    P(local.A, local.B, local.C, local.D,  8,  7, 0x698098D8);
+    P(local.D, local.A, local.B, local.C,  9, 12, 0x8B44F7AF);
+    P(local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1);
+    P(local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE);
+    P(local.A, local.B, local.C, local.D, 12,  7, 0x6B901122);
+    P(local.D, local.A, local.B, local.C, 13, 12, 0xFD987193);
+    P(local.C, local.D, local.A, local.B, 14, 17, 0xA679438E);
+    P(local.B, local.C, local.D, local.A, 15, 22, 0x49B40821);
 
 #undef F
 
-#define F(x,y,z) (y ^ (z & (x ^ y)))
+#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
 
-    P(A, B, C, D,  1,  5, 0xF61E2562);
-    P(D, A, B, C,  6,  9, 0xC040B340);
-    P(C, D, A, B, 11, 14, 0x265E5A51);
-    P(B, C, D, A,  0, 20, 0xE9B6C7AA);
-    P(A, B, C, D,  5,  5, 0xD62F105D);
-    P(D, A, B, C, 10,  9, 0x02441453);
-    P(C, D, A, B, 15, 14, 0xD8A1E681);
-    P(B, C, D, A,  4, 20, 0xE7D3FBC8);
-    P(A, B, C, D,  9,  5, 0x21E1CDE6);
-    P(D, A, B, C, 14,  9, 0xC33707D6);
-    P(C, D, A, B,  3, 14, 0xF4D50D87);
-    P(B, C, D, A,  8, 20, 0x455A14ED);
-    P(A, B, C, D, 13,  5, 0xA9E3E905);
-    P(D, A, B, C,  2,  9, 0xFCEFA3F8);
-    P(C, D, A, B,  7, 14, 0x676F02D9);
-    P(B, C, D, A, 12, 20, 0x8D2A4C8A);
+    P(local.A, local.B, local.C, local.D,  1,  5, 0xF61E2562);
+    P(local.D, local.A, local.B, local.C,  6,  9, 0xC040B340);
+    P(local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51);
+    P(local.B, local.C, local.D, local.A,  0, 20, 0xE9B6C7AA);
+    P(local.A, local.B, local.C, local.D,  5,  5, 0xD62F105D);
+    P(local.D, local.A, local.B, local.C, 10,  9, 0x02441453);
+    P(local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681);
+    P(local.B, local.C, local.D, local.A,  4, 20, 0xE7D3FBC8);
+    P(local.A, local.B, local.C, local.D,  9,  5, 0x21E1CDE6);
+    P(local.D, local.A, local.B, local.C, 14,  9, 0xC33707D6);
+    P(local.C, local.D, local.A, local.B,  3, 14, 0xF4D50D87);
+    P(local.B, local.C, local.D, local.A,  8, 20, 0x455A14ED);
+    P(local.A, local.B, local.C, local.D, 13,  5, 0xA9E3E905);
+    P(local.D, local.A, local.B, local.C,  2,  9, 0xFCEFA3F8);
+    P(local.C, local.D, local.A, local.B,  7, 14, 0x676F02D9);
+    P(local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A);
 
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 
-    P(A, B, C, D,  5,  4, 0xFFFA3942);
-    P(D, A, B, C,  8, 11, 0x8771F681);
-    P(C, D, A, B, 11, 16, 0x6D9D6122);
-    P(B, C, D, A, 14, 23, 0xFDE5380C);
-    P(A, B, C, D,  1,  4, 0xA4BEEA44);
-    P(D, A, B, C,  4, 11, 0x4BDECFA9);
-    P(C, D, A, B,  7, 16, 0xF6BB4B60);
-    P(B, C, D, A, 10, 23, 0xBEBFBC70);
-    P(A, B, C, D, 13,  4, 0x289B7EC6);
-    P(D, A, B, C,  0, 11, 0xEAA127FA);
-    P(C, D, A, B,  3, 16, 0xD4EF3085);
-    P(B, C, D, A,  6, 23, 0x04881D05);
-    P(A, B, C, D,  9,  4, 0xD9D4D039);
-    P(D, A, B, C, 12, 11, 0xE6DB99E5);
-    P(C, D, A, B, 15, 16, 0x1FA27CF8);
-    P(B, C, D, A,  2, 23, 0xC4AC5665);
+    P(local.A, local.B, local.C, local.D,  5,  4, 0xFFFA3942);
+    P(local.D, local.A, local.B, local.C,  8, 11, 0x8771F681);
+    P(local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122);
+    P(local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C);
+    P(local.A, local.B, local.C, local.D,  1,  4, 0xA4BEEA44);
+    P(local.D, local.A, local.B, local.C,  4, 11, 0x4BDECFA9);
+    P(local.C, local.D, local.A, local.B,  7, 16, 0xF6BB4B60);
+    P(local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70);
+    P(local.A, local.B, local.C, local.D, 13,  4, 0x289B7EC6);
+    P(local.D, local.A, local.B, local.C,  0, 11, 0xEAA127FA);
+    P(local.C, local.D, local.A, local.B,  3, 16, 0xD4EF3085);
+    P(local.B, local.C, local.D, local.A,  6, 23, 0x04881D05);
+    P(local.A, local.B, local.C, local.D,  9,  4, 0xD9D4D039);
+    P(local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5);
+    P(local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8);
+    P(local.B, local.C, local.D, local.A,  2, 23, 0xC4AC5665);
 
 #undef F
 
-#define F(x,y,z) (y ^ (x | ~z))
+#define F(x,y,z) ((y) ^ ((x) | ~(z)))
 
-    P(A, B, C, D,  0,  6, 0xF4292244);
-    P(D, A, B, C,  7, 10, 0x432AFF97);
-    P(C, D, A, B, 14, 15, 0xAB9423A7);
-    P(B, C, D, A,  5, 21, 0xFC93A039);
-    P(A, B, C, D, 12,  6, 0x655B59C3);
-    P(D, A, B, C,  3, 10, 0x8F0CCC92);
-    P(C, D, A, B, 10, 15, 0xFFEFF47D);
-    P(B, C, D, A,  1, 21, 0x85845DD1);
-    P(A, B, C, D,  8,  6, 0x6FA87E4F);
-    P(D, A, B, C, 15, 10, 0xFE2CE6E0);
-    P(C, D, A, B,  6, 15, 0xA3014314);
-    P(B, C, D, A, 13, 21, 0x4E0811A1);
-    P(A, B, C, D,  4,  6, 0xF7537E82);
-    P(D, A, B, C, 11, 10, 0xBD3AF235);
-    P(C, D, A, B,  2, 15, 0x2AD7D2BB);
-    P(B, C, D, A,  9, 21, 0xEB86D391);
+    P(local.A, local.B, local.C, local.D,  0,  6, 0xF4292244);
+    P(local.D, local.A, local.B, local.C,  7, 10, 0x432AFF97);
+    P(local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7);
+    P(local.B, local.C, local.D, local.A,  5, 21, 0xFC93A039);
+    P(local.A, local.B, local.C, local.D, 12,  6, 0x655B59C3);
+    P(local.D, local.A, local.B, local.C,  3, 10, 0x8F0CCC92);
+    P(local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D);
+    P(local.B, local.C, local.D, local.A,  1, 21, 0x85845DD1);
+    P(local.A, local.B, local.C, local.D,  8,  6, 0x6FA87E4F);
+    P(local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0);
+    P(local.C, local.D, local.A, local.B,  6, 15, 0xA3014314);
+    P(local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1);
+    P(local.A, local.B, local.C, local.D,  4,  6, 0xF7537E82);
+    P(local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235);
+    P(local.C, local.D, local.A, local.B,  2, 15, 0x2AD7D2BB);
+    P(local.B, local.C, local.D, local.A,  9, 21, 0xEB86D391);
 
 #undef F
 
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
 
     return (0);
 }
@@ -250,7 +251,7 @@ void mbedtls_md5_process(mbedtls_md5_context *ctx,
 int mbedtls_md5_update_ret(mbedtls_md5_context *ctx,
                            const unsigned char *input,
                            size_t ilen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t fill;
     uint32_t left;
 
@@ -304,7 +305,7 @@ void mbedtls_md5_update(mbedtls_md5_context *ctx,
  */
 int mbedtls_md5_finish_ret(mbedtls_md5_context *ctx,
                            unsigned char output[16]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     uint32_t used;
     uint32_t high, low;
 
@@ -367,7 +368,7 @@ void mbedtls_md5_finish(mbedtls_md5_context *ctx,
 int mbedtls_md5_ret(const unsigned char *input,
                     size_t ilen,
                     unsigned char output[16]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_md5_context ctx;
 
     mbedtls_md5_init(&ctx);
@@ -406,10 +407,7 @@ static const unsigned char md5_test_buf[7][81] = {
     { "message digest" },
     { "abcdefghijklmnopqrstuvwxyz" },
     { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
-    {
-        "12345678901234567890123456789012345678901234567890123456789012"
-        "345678901234567890"
-    }
+    { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
 };
 
 static const size_t md5_test_buflen[7] = {
diff --git a/common/mbedtls/md5.h b/common/mbedtls/md5.h
index 1e12fc3cb..b27f3d192 100644
--- a/common/mbedtls/md5.h
+++ b/common/mbedtls/md5.h
@@ -8,30 +8,26 @@
  *            digests instead.
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_MD5_H
 #define MBEDTLS_MD5_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -39,6 +35,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
 
 #ifdef __cplusplus
@@ -288,6 +285,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5(const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -300,6 +299,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5(const unsigned char *input,
  */
 int mbedtls_md5_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/md_internal.h b/common/mbedtls/md_internal.h
index c30a0067c..9e10f2409 100644
--- a/common/mbedtls/md_internal.h
+++ b/common/mbedtls/md_internal.h
@@ -8,35 +8,31 @@
  * \author Adriaan de Jong <dejong@fox-it.com>
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_MD_WRAP_H
 #define MBEDTLS_MD_WRAP_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "md.h"
+#include "mbedtls/md.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -47,42 +43,17 @@ extern "C" {
  * Allows message digest functions to be called in a generic way.
  */
 struct mbedtls_md_info_t {
-    /** Digest identifier */
-    mbedtls_md_type_t type;
-
     /** Name of the message digest */
     const char *name;
 
+    /** Digest identifier */
+    mbedtls_md_type_t type;
+
     /** Output length of the digest function in bytes */
-    int size;
+    unsigned char size;
 
     /** Block length of the digest function in bytes */
-    int block_size;
-
-    /** Digest initialisation function */
-    int (*starts_func)(void *ctx);
-
-    /** Digest update function */
-    int (*update_func)(void *ctx, const unsigned char *input, size_t ilen);
-
-    /** Digest finalisation function */
-    int (*finish_func)(void *ctx, unsigned char *output);
-
-    /** Generic digest function */
-    int (*digest_func)(const unsigned char *input, size_t ilen,
-                       unsigned char *output);
-
-    /** Allocate a new context */
-    void *(*ctx_alloc_func)(void);
-
-    /** Free the given context */
-    void (*ctx_free_func)(void *ctx);
-
-    /** Clone state from a context */
-    void (*clone_func)(void *dst, const void *src);
-
-    /** Internal use only */
-    int (*process_func)(void *ctx, const unsigned char *input);
+    unsigned char block_size;
 };
 
 #if defined(MBEDTLS_MD2_C)
@@ -105,7 +76,9 @@ extern const mbedtls_md_info_t mbedtls_sha224_info;
 extern const mbedtls_md_info_t mbedtls_sha256_info;
 #endif
 #if defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
 extern const mbedtls_md_info_t mbedtls_sha384_info;
+#endif
 extern const mbedtls_md_info_t mbedtls_sha512_info;
 #endif
 
diff --git a/common/mbedtls/md_wrap.c b/common/mbedtls/md_wrap.c
deleted file mode 100644
index 9b844ae46..000000000
--- a/common/mbedtls/md_wrap.c
+++ /dev/null
@@ -1,533 +0,0 @@
-/**
- * \file md_wrap.c
- *
- * \brief Generic message digest wrapper for mbed TLS
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if defined(MBEDTLS_MD_C)
-
-#include "mbedtls/md_internal.h"
-
-#if defined(MBEDTLS_MD2_C)
-#include "mbedtls/md2.h"
-#endif
-
-#if defined(MBEDTLS_MD4_C)
-#include "mbedtls/md4.h"
-#endif
-
-#if defined(MBEDTLS_MD5_C)
-#include "mbedtls/md5.h"
-#endif
-
-#if defined(MBEDTLS_RIPEMD160_C)
-#include "mbedtls/ripemd160.h"
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-#include "mbedtls/sha1.h"
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-#include "mbedtls/sha256.h"
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-#include "mbedtls/sha512.h"
-#endif
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc    calloc
-#define mbedtls_free       free
-#endif
-
-#if defined(MBEDTLS_MD2_C)
-
-static int md2_starts_wrap(void *ctx) {
-    return (mbedtls_md2_starts_ret((mbedtls_md2_context *) ctx));
-}
-
-static int md2_update_wrap(void *ctx, const unsigned char *input,
-                           size_t ilen) {
-    return (mbedtls_md2_update_ret((mbedtls_md2_context *) ctx, input, ilen));
-}
-
-static int md2_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_md2_finish_ret((mbedtls_md2_context *) ctx, output));
-}
-
-static void *md2_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_md2_context));
-
-    if (ctx != NULL)
-        mbedtls_md2_init((mbedtls_md2_context *) ctx);
-
-    return (ctx);
-}
-
-static void md2_ctx_free(void *ctx) {
-    mbedtls_md2_free((mbedtls_md2_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void md2_clone_wrap(void *dst, const void *src) {
-    mbedtls_md2_clone((mbedtls_md2_context *) dst,
-                      (const mbedtls_md2_context *) src);
-}
-
-static int md2_process_wrap(void *ctx, const unsigned char *data) {
-    ((void) data);
-
-    return (mbedtls_internal_md2_process((mbedtls_md2_context *) ctx));
-}
-
-const mbedtls_md_info_t mbedtls_md2_info = {
-    MBEDTLS_MD_MD2,
-    "MD2",
-    16,
-    16,
-    md2_starts_wrap,
-    md2_update_wrap,
-    md2_finish_wrap,
-    mbedtls_md2_ret,
-    md2_ctx_alloc,
-    md2_ctx_free,
-    md2_clone_wrap,
-    md2_process_wrap,
-};
-
-#endif /* MBEDTLS_MD2_C */
-
-#if defined(MBEDTLS_MD4_C)
-
-static int md4_starts_wrap(void *ctx) {
-    return (mbedtls_md4_starts_ret((mbedtls_md4_context *) ctx));
-}
-
-static int md4_update_wrap(void *ctx, const unsigned char *input,
-                           size_t ilen) {
-    return (mbedtls_md4_update_ret((mbedtls_md4_context *) ctx, input, ilen));
-}
-
-static int md4_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_md4_finish_ret((mbedtls_md4_context *) ctx, output));
-}
-
-static void *md4_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_md4_context));
-
-    if (ctx != NULL)
-        mbedtls_md4_init((mbedtls_md4_context *) ctx);
-
-    return (ctx);
-}
-
-static void md4_ctx_free(void *ctx) {
-    mbedtls_md4_free((mbedtls_md4_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void md4_clone_wrap(void *dst, const void *src) {
-    mbedtls_md4_clone((mbedtls_md4_context *) dst,
-                      (const mbedtls_md4_context *) src);
-}
-
-static int md4_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_md4_process((mbedtls_md4_context *) ctx, data));
-}
-
-const mbedtls_md_info_t mbedtls_md4_info = {
-    MBEDTLS_MD_MD4,
-    "MD4",
-    16,
-    64,
-    md4_starts_wrap,
-    md4_update_wrap,
-    md4_finish_wrap,
-    mbedtls_md4_ret,
-    md4_ctx_alloc,
-    md4_ctx_free,
-    md4_clone_wrap,
-    md4_process_wrap,
-};
-
-#endif /* MBEDTLS_MD4_C */
-
-#if defined(MBEDTLS_MD5_C)
-
-static int md5_starts_wrap(void *ctx) {
-    return (mbedtls_md5_starts_ret((mbedtls_md5_context *) ctx));
-}
-
-static int md5_update_wrap(void *ctx, const unsigned char *input,
-                           size_t ilen) {
-    return (mbedtls_md5_update_ret((mbedtls_md5_context *) ctx, input, ilen));
-}
-
-static int md5_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_md5_finish_ret((mbedtls_md5_context *) ctx, output));
-}
-
-static void *md5_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_md5_context));
-
-    if (ctx != NULL)
-        mbedtls_md5_init((mbedtls_md5_context *) ctx);
-
-    return (ctx);
-}
-
-static void md5_ctx_free(void *ctx) {
-    mbedtls_md5_free((mbedtls_md5_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void md5_clone_wrap(void *dst, const void *src) {
-    mbedtls_md5_clone((mbedtls_md5_context *) dst,
-                      (const mbedtls_md5_context *) src);
-}
-
-static int md5_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_md5_process((mbedtls_md5_context *) ctx, data));
-}
-
-const mbedtls_md_info_t mbedtls_md5_info = {
-    MBEDTLS_MD_MD5,
-    "MD5",
-    16,
-    64,
-    md5_starts_wrap,
-    md5_update_wrap,
-    md5_finish_wrap,
-    mbedtls_md5_ret,
-    md5_ctx_alloc,
-    md5_ctx_free,
-    md5_clone_wrap,
-    md5_process_wrap,
-};
-
-#endif /* MBEDTLS_MD5_C */
-
-#if defined(MBEDTLS_RIPEMD160_C)
-
-static int ripemd160_starts_wrap(void *ctx) {
-    return (mbedtls_ripemd160_starts_ret((mbedtls_ripemd160_context *) ctx));
-}
-
-static int ripemd160_update_wrap(void *ctx, const unsigned char *input,
-                                 size_t ilen) {
-    return (mbedtls_ripemd160_update_ret((mbedtls_ripemd160_context *) ctx,
-                                         input, ilen));
-}
-
-static int ripemd160_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_ripemd160_finish_ret((mbedtls_ripemd160_context *) ctx,
-                                         output));
-}
-
-static void *ripemd160_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ripemd160_context));
-
-    if (ctx != NULL)
-        mbedtls_ripemd160_init((mbedtls_ripemd160_context *) ctx);
-
-    return (ctx);
-}
-
-static void ripemd160_ctx_free(void *ctx) {
-    mbedtls_ripemd160_free((mbedtls_ripemd160_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void ripemd160_clone_wrap(void *dst, const void *src) {
-    mbedtls_ripemd160_clone((mbedtls_ripemd160_context *) dst,
-                            (const mbedtls_ripemd160_context *) src);
-}
-
-static int ripemd160_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_ripemd160_process(
-                (mbedtls_ripemd160_context *) ctx, data));
-}
-
-const mbedtls_md_info_t mbedtls_ripemd160_info = {
-    MBEDTLS_MD_RIPEMD160,
-    "RIPEMD160",
-    20,
-    64,
-    ripemd160_starts_wrap,
-    ripemd160_update_wrap,
-    ripemd160_finish_wrap,
-    mbedtls_ripemd160_ret,
-    ripemd160_ctx_alloc,
-    ripemd160_ctx_free,
-    ripemd160_clone_wrap,
-    ripemd160_process_wrap,
-};
-
-#endif /* MBEDTLS_RIPEMD160_C */
-
-#if defined(MBEDTLS_SHA1_C)
-
-static int sha1_starts_wrap(void *ctx) {
-    return (mbedtls_sha1_starts_ret((mbedtls_sha1_context *) ctx));
-}
-
-static int sha1_update_wrap(void *ctx, const unsigned char *input,
-                            size_t ilen) {
-    return (mbedtls_sha1_update_ret((mbedtls_sha1_context *) ctx,
-                                    input, ilen));
-}
-
-static int sha1_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_sha1_finish_ret((mbedtls_sha1_context *) ctx, output));
-}
-
-static void *sha1_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_sha1_context));
-
-    if (ctx != NULL)
-        mbedtls_sha1_init((mbedtls_sha1_context *) ctx);
-
-    return (ctx);
-}
-
-static void sha1_clone_wrap(void *dst, const void *src) {
-    mbedtls_sha1_clone((mbedtls_sha1_context *) dst,
-                       (const mbedtls_sha1_context *) src);
-}
-
-static void sha1_ctx_free(void *ctx) {
-    mbedtls_sha1_free((mbedtls_sha1_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static int sha1_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_sha1_process((mbedtls_sha1_context *) ctx,
-                                          data));
-}
-
-const mbedtls_md_info_t mbedtls_sha1_info = {
-    MBEDTLS_MD_SHA1,
-    "SHA1",
-    20,
-    64,
-    sha1_starts_wrap,
-    sha1_update_wrap,
-    sha1_finish_wrap,
-    mbedtls_sha1_ret,
-    sha1_ctx_alloc,
-    sha1_ctx_free,
-    sha1_clone_wrap,
-    sha1_process_wrap,
-};
-
-#endif /* MBEDTLS_SHA1_C */
-
-/*
- * Wrappers for generic message digests
- */
-#if defined(MBEDTLS_SHA256_C)
-
-static int sha224_starts_wrap(void *ctx) {
-    return (mbedtls_sha256_starts_ret((mbedtls_sha256_context *) ctx, 1));
-}
-
-static int sha224_update_wrap(void *ctx, const unsigned char *input,
-                              size_t ilen) {
-    return (mbedtls_sha256_update_ret((mbedtls_sha256_context *) ctx,
-                                      input, ilen));
-}
-
-static int sha224_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_sha256_finish_ret((mbedtls_sha256_context *) ctx,
-                                      output));
-}
-
-static int sha224_wrap(const unsigned char *input, size_t ilen,
-                       unsigned char *output) {
-    return (mbedtls_sha256_ret(input, ilen, output, 1));
-}
-
-static void *sha224_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_sha256_context));
-
-    if (ctx != NULL)
-        mbedtls_sha256_init((mbedtls_sha256_context *) ctx);
-
-    return (ctx);
-}
-
-static void sha224_ctx_free(void *ctx) {
-    mbedtls_sha256_free((mbedtls_sha256_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void sha224_clone_wrap(void *dst, const void *src) {
-    mbedtls_sha256_clone((mbedtls_sha256_context *) dst,
-                         (const mbedtls_sha256_context *) src);
-}
-
-static int sha224_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_sha256_process((mbedtls_sha256_context *) ctx,
-                                            data));
-}
-
-const mbedtls_md_info_t mbedtls_sha224_info = {
-    MBEDTLS_MD_SHA224,
-    "SHA224",
-    28,
-    64,
-    sha224_starts_wrap,
-    sha224_update_wrap,
-    sha224_finish_wrap,
-    sha224_wrap,
-    sha224_ctx_alloc,
-    sha224_ctx_free,
-    sha224_clone_wrap,
-    sha224_process_wrap,
-};
-
-static int sha256_starts_wrap(void *ctx) {
-    return (mbedtls_sha256_starts_ret((mbedtls_sha256_context *) ctx, 0));
-}
-
-static int sha256_wrap(const unsigned char *input, size_t ilen,
-                       unsigned char *output) {
-    return (mbedtls_sha256_ret(input, ilen, output, 0));
-}
-
-const mbedtls_md_info_t mbedtls_sha256_info = {
-    MBEDTLS_MD_SHA256,
-    "SHA256",
-    32,
-    64,
-    sha256_starts_wrap,
-    sha224_update_wrap,
-    sha224_finish_wrap,
-    sha256_wrap,
-    sha224_ctx_alloc,
-    sha224_ctx_free,
-    sha224_clone_wrap,
-    sha224_process_wrap,
-};
-
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA512_C)
-
-static int sha384_starts_wrap(void *ctx) {
-    return (mbedtls_sha512_starts_ret((mbedtls_sha512_context *) ctx, 1));
-}
-
-static int sha384_update_wrap(void *ctx, const unsigned char *input,
-                              size_t ilen) {
-    return (mbedtls_sha512_update_ret((mbedtls_sha512_context *) ctx,
-                                      input, ilen));
-}
-
-static int sha384_finish_wrap(void *ctx, unsigned char *output) {
-    return (mbedtls_sha512_finish_ret((mbedtls_sha512_context *) ctx,
-                                      output));
-}
-
-static int sha384_wrap(const unsigned char *input, size_t ilen,
-                       unsigned char *output) {
-    return (mbedtls_sha512_ret(input, ilen, output, 1));
-}
-
-static void *sha384_ctx_alloc(void) {
-    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_sha512_context));
-
-    if (ctx != NULL)
-        mbedtls_sha512_init((mbedtls_sha512_context *) ctx);
-
-    return (ctx);
-}
-
-static void sha384_ctx_free(void *ctx) {
-    mbedtls_sha512_free((mbedtls_sha512_context *) ctx);
-    mbedtls_free(ctx);
-}
-
-static void sha384_clone_wrap(void *dst, const void *src) {
-    mbedtls_sha512_clone((mbedtls_sha512_context *) dst,
-                         (const mbedtls_sha512_context *) src);
-}
-
-static int sha384_process_wrap(void *ctx, const unsigned char *data) {
-    return (mbedtls_internal_sha512_process((mbedtls_sha512_context *) ctx,
-                                            data));
-}
-
-const mbedtls_md_info_t mbedtls_sha384_info = {
-    MBEDTLS_MD_SHA384,
-    "SHA384",
-    48,
-    128,
-    sha384_starts_wrap,
-    sha384_update_wrap,
-    sha384_finish_wrap,
-    sha384_wrap,
-    sha384_ctx_alloc,
-    sha384_ctx_free,
-    sha384_clone_wrap,
-    sha384_process_wrap,
-};
-
-static int sha512_starts_wrap(void *ctx) {
-    return (mbedtls_sha512_starts_ret((mbedtls_sha512_context *) ctx, 0));
-}
-
-static int sha512_wrap(const unsigned char *input, size_t ilen,
-                       unsigned char *output) {
-    return (mbedtls_sha512_ret(input, ilen, output, 0));
-}
-
-const mbedtls_md_info_t mbedtls_sha512_info = {
-    MBEDTLS_MD_SHA512,
-    "SHA512",
-    64,
-    128,
-    sha512_starts_wrap,
-    sha384_update_wrap,
-    sha384_finish_wrap,
-    sha512_wrap,
-    sha384_ctx_alloc,
-    sha384_ctx_free,
-    sha384_clone_wrap,
-    sha384_process_wrap,
-};
-
-#endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_MD_C */
diff --git a/common/mbedtls/memory_buffer_alloc.c b/common/mbedtls/memory_buffer_alloc.c
new file mode 100644
index 000000000..a1e9accda
--- /dev/null
+++ b/common/mbedtls/memory_buffer_alloc.c
@@ -0,0 +1,696 @@
+/*
+ *  Buffer-based memory allocator
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+   is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#define MAGIC1       0xFF00AA55
+#define MAGIC2       0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header {
+    size_t          magic1;
+    size_t          size;
+    size_t          alloc;
+    memory_header   *prev;
+    memory_header   *next;
+    memory_header   *prev_free;
+    memory_header   *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    char            **trace;
+    size_t          trace_count;
+#endif
+    size_t          magic2;
+};
+
+typedef struct {
+    unsigned char   *buf;
+    size_t          len;
+    memory_header   *first;
+    memory_header   *first_free;
+    int             verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    size_t          alloc_count;
+    size_t          free_count;
+    size_t          total_used;
+    size_t          maximum_used;
+    size_t          header_count;
+    size_t          maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t   mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header(memory_header *hdr) {
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    size_t i;
+#endif
+
+    mbedtls_fprintf(stderr, "HDR:  PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+                    "ALLOC(%zu), SIZE(%10zu)\n",
+                    (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+                    hdr->alloc, hdr->size);
+    mbedtls_fprintf(stderr, "      FPREV(%10zu), FNEXT(%10zu)\n",
+                    (size_t) hdr->prev_free, (size_t) hdr->next_free);
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    mbedtls_fprintf(stderr, "TRACE: \n");
+    for (i = 0; i < hdr->trace_count; i++)
+        mbedtls_fprintf(stderr, "%s\n", hdr->trace[i]);
+    mbedtls_fprintf(stderr, "\n");
+#endif
+}
+
+static void debug_chain(void) {
+    memory_header *cur = heap.first;
+
+    mbedtls_fprintf(stderr, "\nBlock list\n");
+    while (cur != NULL) {
+        debug_header(cur);
+        cur = cur->next;
+    }
+
+    mbedtls_fprintf(stderr, "Free list\n");
+    cur = heap.first_free;
+
+    while (cur != NULL) {
+        debug_header(cur);
+        cur = cur->next_free;
+    }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header(memory_header *hdr) {
+    if (hdr->magic1 != MAGIC1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: MAGIC1 mismatch\n");
+#endif
+        return (1);
+    }
+
+    if (hdr->magic2 != MAGIC2) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: MAGIC2 mismatch\n");
+#endif
+        return (1);
+    }
+
+    if (hdr->alloc > 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: alloc has illegal value\n");
+#endif
+        return (1);
+    }
+
+    if (hdr->prev != NULL && hdr->prev == hdr->next) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: prev == next\n");
+#endif
+        return (1);
+    }
+
+    if (hdr->prev_free != NULL && hdr->prev_free == hdr->next_free) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: prev_free == next_free\n");
+#endif
+        return (1);
+    }
+
+    return (0);
+}
+
+static int verify_chain(void) {
+    memory_header *prv = heap.first, *cur;
+
+    if (prv == NULL || verify_header(prv) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: verification of first header "
+                        "failed\n");
+#endif
+        return (1);
+    }
+
+    if (heap.first->prev != NULL) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: verification failed: "
+                        "first->prev != NULL\n");
+#endif
+        return (1);
+    }
+
+    cur = heap.first->next;
+
+    while (cur != NULL) {
+        if (verify_header(cur) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf(stderr, "FATAL: verification of header "
+                            "failed\n");
+#endif
+            return (1);
+        }
+
+        if (cur->prev != prv) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf(stderr, "FATAL: verification failed: "
+                            "cur->prev != prv\n");
+#endif
+            return (1);
+        }
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    return (0);
+}
+
+static void *buffer_alloc_calloc(size_t n, size_t size) {
+    memory_header *new, *cur = heap.first_free;
+    unsigned char *p;
+    void *ret;
+    size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    void *trace_buffer[MAX_BT];
+    size_t trace_cnt;
+#endif
+
+    if (heap.buf == NULL || heap.first == NULL)
+        return (NULL);
+
+    original_len = len = n * size;
+
+    if (n == 0 || size == 0 || len / n != size)
+        return (NULL);
+    else if (len > (size_t) - MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+        return (NULL);
+
+    if (len % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+        len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    // Find block that fits
+    //
+    while (cur != NULL) {
+        if (cur->size >= len)
+            break;
+
+        cur = cur->next_free;
+    }
+
+    if (cur == NULL)
+        return (NULL);
+
+    if (cur->alloc != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: block in free_list but allocated "
+                        "data\n");
+#endif
+        mbedtls_exit(1);
+    }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.alloc_count++;
+#endif
+
+    // Found location, split block if > memory_header + 4 room left
+    //
+    if (cur->size - len < sizeof(memory_header) +
+            MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+        cur->alloc = 1;
+
+        // Remove from free_list
+        //
+        if (cur->prev_free != NULL)
+            cur->prev_free->next_free = cur->next_free;
+        else
+            heap.first_free = cur->next_free;
+
+        if (cur->next_free != NULL)
+            cur->next_free->prev_free = cur->prev_free;
+
+        cur->prev_free = NULL;
+        cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used += cur->size;
+        if (heap.total_used > heap.maximum_used)
+            heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+        trace_cnt = backtrace(trace_buffer, MAX_BT);
+        cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+        cur->trace_count = trace_cnt;
+#endif
+
+        if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0)
+            mbedtls_exit(1);
+
+        ret = (unsigned char *) cur + sizeof(memory_header);
+        memset(ret, 0, original_len);
+
+        return (ret);
+    }
+
+    p = ((unsigned char *) cur) + sizeof(memory_header) + len;
+    new = (memory_header *) p;
+
+    new->size = cur->size - len - sizeof(memory_header);
+    new->alloc = 0;
+    new->prev = cur;
+    new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    new->trace = NULL;
+    new->trace_count = 0;
+#endif
+    new->magic1 = MAGIC1;
+    new->magic2 = MAGIC2;
+
+    if (new->next != NULL)
+        new->next->prev = new;
+
+    // Replace cur with new in free_list
+    //
+    new->prev_free = cur->prev_free;
+    new->next_free = cur->next_free;
+    if (new->prev_free != NULL)
+        new->prev_free->next_free = new;
+    else
+        heap.first_free = new;
+
+    if (new->next_free != NULL)
+        new->next_free->prev_free = new;
+
+    cur->alloc = 1;
+    cur->size = len;
+    cur->next = new;
+    cur->prev_free = NULL;
+    cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.header_count++;
+    if (heap.header_count > heap.maximum_header_count)
+        heap.maximum_header_count = heap.header_count;
+    heap.total_used += cur->size;
+    if (heap.total_used > heap.maximum_used)
+        heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    trace_cnt = backtrace(trace_buffer, MAX_BT);
+    cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+    cur->trace_count = trace_cnt;
+#endif
+
+    if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0)
+        mbedtls_exit(1);
+
+    ret = (unsigned char *) cur + sizeof(memory_header);
+    memset(ret, 0, original_len);
+
+    return (ret);
+}
+
+static void buffer_alloc_free(void *ptr) {
+    memory_header *hdr, *old = NULL;
+    unsigned char *p = (unsigned char *) ptr;
+
+    if (ptr == NULL || heap.buf == NULL || heap.first == NULL)
+        return;
+
+    if (p < heap.buf || p >= heap.buf + heap.len) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: mbedtls_free() outside of managed "
+                        "space\n");
+#endif
+        mbedtls_exit(1);
+    }
+
+    p -= sizeof(memory_header);
+    hdr = (memory_header *) p;
+
+    if (verify_header(hdr) != 0)
+        mbedtls_exit(1);
+
+    if (hdr->alloc != 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf(stderr, "FATAL: mbedtls_free() on unallocated "
+                        "data\n");
+#endif
+        mbedtls_exit(1);
+    }
+
+    hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.free_count++;
+    heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    free(hdr->trace);
+    hdr->trace = NULL;
+    hdr->trace_count = 0;
+#endif
+
+    // Regroup with block before
+    //
+    if (hdr->prev != NULL && hdr->prev->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->prev->size += sizeof(memory_header) + hdr->size;
+        hdr->prev->next = hdr->next;
+        old = hdr;
+        hdr = hdr->prev;
+
+        if (hdr->next != NULL)
+            hdr->next->prev = hdr;
+
+        memset(old, 0, sizeof(memory_header));
+    }
+
+    // Regroup with block after
+    //
+    if (hdr->next != NULL && hdr->next->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->size += sizeof(memory_header) + hdr->next->size;
+        old = hdr->next;
+        hdr->next = hdr->next->next;
+
+        if (hdr->prev_free != NULL || hdr->next_free != NULL) {
+            if (hdr->prev_free != NULL)
+                hdr->prev_free->next_free = hdr->next_free;
+            else
+                heap.first_free = hdr->next_free;
+
+            if (hdr->next_free != NULL)
+                hdr->next_free->prev_free = hdr->prev_free;
+        }
+
+        hdr->prev_free = old->prev_free;
+        hdr->next_free = old->next_free;
+
+        if (hdr->prev_free != NULL)
+            hdr->prev_free->next_free = hdr;
+        else
+            heap.first_free = hdr;
+
+        if (hdr->next_free != NULL)
+            hdr->next_free->prev_free = hdr;
+
+        if (hdr->next != NULL)
+            hdr->next->prev = hdr;
+
+        memset(old, 0, sizeof(memory_header));
+    }
+
+    // Prepend to free_list if we have not merged
+    // (Does not have to stay in same order as prev / next list)
+    //
+    if (old == NULL) {
+        hdr->next_free = heap.first_free;
+        if (heap.first_free != NULL)
+            heap.first_free->prev_free = hdr;
+        heap.first_free = hdr;
+    }
+
+    if ((heap.verify & MBEDTLS_MEMORY_VERIFY_FREE) && verify_chain() != 0)
+        mbedtls_exit(1);
+}
+
+void mbedtls_memory_buffer_set_verify(int verify) {
+    heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify(void) {
+    return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status(void) {
+    mbedtls_fprintf(stderr,
+                    "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+                    "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+                    heap.header_count, heap.total_used,
+                    heap.maximum_header_count, heap.maximum_used,
+                    heap.maximum_header_count * sizeof(memory_header)
+                    + heap.maximum_used,
+                    heap.alloc_count, heap.free_count);
+
+    if (heap.first->next == NULL) {
+        mbedtls_fprintf(stderr, "All memory de-allocated in stack buffer\n");
+    } else {
+        mbedtls_fprintf(stderr, "Memory currently allocated:\n");
+        debug_chain();
+    }
+}
+
+void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks) {
+    *max_used   = heap.maximum_used;
+    *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset(void) {
+    heap.maximum_used = 0;
+    heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks) {
+    *cur_used   = heap.total_used;
+    *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed(size_t n, size_t size) {
+    void *buf;
+    if (mbedtls_mutex_lock(&heap.mutex) != 0)
+        return (NULL);
+    buf = buffer_alloc_calloc(n, size);
+    if (mbedtls_mutex_unlock(&heap.mutex))
+        return (NULL);
+    return (buf);
+}
+
+static void buffer_alloc_free_mutexed(void *ptr) {
+    /* We have to good option here, but corrupting the heap seems
+     * worse than loosing memory. */
+    if (mbedtls_mutex_lock(&heap.mutex))
+        return;
+    buffer_alloc_free(ptr);
+    (void) mbedtls_mutex_unlock(&heap.mutex);
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len) {
+    memset(&heap, 0, sizeof(buffer_alloc_ctx));
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&heap.mutex);
+    mbedtls_platform_set_calloc_free(buffer_alloc_calloc_mutexed,
+                                     buffer_alloc_free_mutexed);
+#else
+    mbedtls_platform_set_calloc_free(buffer_alloc_calloc, buffer_alloc_free);
+#endif
+
+    if (len < sizeof(memory_header) + MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+        return;
+    else if ((size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+        /* Adjust len first since buf is used in the computation */
+        len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+               - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+               - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    memset(buf, 0, len);
+
+    heap.buf = buf;
+    heap.len = len;
+
+    heap.first = (memory_header *)buf;
+    heap.first->size = len - sizeof(memory_header);
+    heap.first->magic1 = MAGIC1;
+    heap.first->magic2 = MAGIC2;
+    heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free(void) {
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free(&heap.mutex);
+#endif
+    mbedtls_platform_zeroize(&heap, sizeof(buffer_alloc_ctx));
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer(void *p) {
+    if (p == NULL)
+        return (-1);
+
+    if ((size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0)
+        return (-1);
+
+    return (0);
+}
+
+static int check_all_free(void) {
+    if (
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used != 0 ||
+#endif
+        heap.first != heap.first_free ||
+        (void *) heap.first != (void *) heap.buf) {
+        return (-1);
+    }
+
+    return (0);
+}
+
+#define TEST_ASSERT( condition )            \
+    if( ! (condition) )                     \
+    {                                       \
+        if( verbose != 0 )                  \
+            mbedtls_printf( "failed\n" );  \
+                                            \
+        ret = 1;                            \
+        goto cleanup;                       \
+    }
+
+int mbedtls_memory_buffer_alloc_self_test(int verbose) {
+    unsigned char buf[1024];
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
+
+    if (verbose != 0)
+        mbedtls_printf("  MBA test #1 (basic alloc-free cycle): ");
+
+    mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+    p = mbedtls_calloc(1, 1);
+    q = mbedtls_calloc(1, 128);
+    r = mbedtls_calloc(1, 16);
+
+    TEST_ASSERT(check_pointer(p) == 0 &&
+                check_pointer(q) == 0 &&
+                check_pointer(r) == 0);
+
+    mbedtls_free(r);
+    mbedtls_free(q);
+    mbedtls_free(p);
+
+    TEST_ASSERT(check_all_free() == 0);
+
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
+    mbedtls_memory_buffer_alloc_free();
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+    if (verbose != 0)
+        mbedtls_printf("  MBA test #2 (buf not aligned): ");
+
+    mbedtls_memory_buffer_alloc_init(buf + 1, sizeof(buf) - 1);
+
+    TEST_ASSERT(heap.buf + heap.len == end);
+
+    p = mbedtls_calloc(1, 1);
+    q = mbedtls_calloc(1, 128);
+    r = mbedtls_calloc(1, 16);
+
+    TEST_ASSERT(check_pointer(p) == 0 &&
+                check_pointer(q) == 0 &&
+                check_pointer(r) == 0);
+
+    mbedtls_free(r);
+    mbedtls_free(q);
+    mbedtls_free(p);
+
+    TEST_ASSERT(check_all_free() == 0);
+
+    mbedtls_memory_buffer_alloc_free();
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+    if (verbose != 0)
+        mbedtls_printf("  MBA test #3 (full): ");
+
+    mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+    p = mbedtls_calloc(1, sizeof(buf) - sizeof(memory_header));
+
+    TEST_ASSERT(check_pointer(p) == 0);
+    TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+    mbedtls_free(p);
+
+    p = mbedtls_calloc(1, sizeof(buf) - 2 * sizeof(memory_header) - 16);
+    q = mbedtls_calloc(1, 16);
+
+    TEST_ASSERT(check_pointer(p) == 0 && check_pointer(q) == 0);
+    TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+    mbedtls_free(q);
+
+    TEST_ASSERT(mbedtls_calloc(1, 17) == NULL);
+
+    mbedtls_free(p);
+
+    TEST_ASSERT(check_all_free() == 0);
+
+    mbedtls_memory_buffer_alloc_free();
+
+    if (verbose != 0)
+        mbedtls_printf("passed\n");
+
+cleanup:
+    mbedtls_memory_buffer_alloc_free();
+
+    return (ret);
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/common/mbedtls/memory_buffer_alloc.h b/common/mbedtls/memory_buffer_alloc.h
new file mode 100644
index 000000000..16aabce60
--- /dev/null
+++ b/common/mbedtls/memory_buffer_alloc.h
@@ -0,0 +1,149 @@
+/**
+ * \file memory_buffer_alloc.h
+ *
+ * \brief Buffer-based memory allocator
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE       4 /**< Align on multiples of this value */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_MEMORY_VERIFY_NONE         0
+#define MBEDTLS_MEMORY_VERIFY_ALLOC        (1 << 0)
+#define MBEDTLS_MEMORY_VERIFY_FREE         (1 << 1)
+#define MBEDTLS_MEMORY_VERIFY_ALWAYS       (MBEDTLS_MEMORY_VERIFY_ALLOC | MBEDTLS_MEMORY_VERIFY_FREE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Initialize use of stack-based memory allocator.
+ *          The stack-based allocator does memory management inside the
+ *          presented buffer and does not call calloc() and free().
+ *          It sets the global mbedtls_calloc() and mbedtls_free() pointers
+ *          to its own functions.
+ *          (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
+ *           MBEDTLS_THREADING_C is defined)
+ *
+ * \note    This code is not optimized and provides a straight-forward
+ *          implementation of a stack-based memory allocator.
+ *
+ * \param buf   buffer to use as heap
+ * \param len   size of the buffer
+ */
+void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len);
+
+/**
+ * \brief   Free the mutex for thread-safety and clear remaining memory
+ */
+void mbedtls_memory_buffer_alloc_free(void);
+
+/**
+ * \brief   Determine when the allocator should automatically verify the state
+ *          of the entire chain of headers / meta-data.
+ *          (Default: MBEDTLS_MEMORY_VERIFY_NONE)
+ *
+ * \param verify    One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
+ *                  MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
+ */
+void mbedtls_memory_buffer_set_verify(int verify);
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+/**
+ * \brief   Print out the status of the allocated memory (primarily for use
+ *          after a program should have de-allocated all memory)
+ *          Prints out a list of 'still allocated' blocks and their stack
+ *          trace if MBEDTLS_MEMORY_BACKTRACE is defined.
+ */
+void mbedtls_memory_buffer_alloc_status(void);
+
+/**
+ * \brief   Get the peak heap usage so far
+ *
+ * \param max_used      Peak number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param max_blocks    Peak number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks);
+
+/**
+ * \brief   Reset peak statistics
+ */
+void mbedtls_memory_buffer_alloc_max_reset(void);
+
+/**
+ * \brief   Get the current heap usage
+ *
+ * \param cur_used      Current number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param cur_blocks    Current number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks);
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+/**
+ * \brief   Verifies that all headers in the memory buffer are correct
+ *          and contain sane values. Helps debug buffer-overflow errors.
+ *
+ *          Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
+ *          Prints out full header information if MBEDTLS_MEMORY_DEBUG
+ *          is defined. (Includes stack trace information for each block if
+ *          MBEDTLS_MEMORY_BACKTRACE is defined as well).
+ *
+ * \return             0 if verified, 1 otherwise
+ */
+int mbedtls_memory_buffer_alloc_verify(void);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_memory_buffer_alloc_self_test(int verbose);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* memory_buffer_alloc.h */
diff --git a/common/mbedtls/net.h b/common/mbedtls/net.h
new file mode 100644
index 000000000..66921887d
--- /dev/null
+++ b/common/mbedtls/net.h
@@ -0,0 +1,35 @@
+/**
+ * \file net.h
+ *
+ * \brief Deprecated header file that includes net_sockets.h
+ *
+ * \deprecated Superseded by mbedtls/net_sockets.h
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "mbedtls/net_sockets.h"
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/common/mbedtls/net_sockets.c b/common/mbedtls/net_sockets.c
new file mode 100644
index 000000000..f990f73ca
--- /dev/null
+++ b/common/mbedtls/net_sockets.c
@@ -0,0 +1,646 @@
+/*
+ *  TCP/IP or UDP/IP networking functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+#define _XOPEN_SOURCE 600 /* sockaddr_storage */
+
+#include "common.h"
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__) && !defined(__midipix__)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+    !defined(EFI32)
+
+#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
+
+#if !defined(_WIN32_WINNT)
+/* Enables getaddrinfo() & Co */
+#define _WIN32_WINNT 0x0501
+#endif
+
+#include <ws2tcpip.h>
+
+#include <winsock2.h>
+#include <windows.h>
+#if (_WIN32_WINNT < 0x0501)
+#include <wspiapi.h>
+#endif
+
+#if defined(_MSC_VER)
+#if defined(_WIN32_WCE)
+#pragma comment( lib, "ws2.lib" )
+#else
+#pragma comment( lib, "ws2_32.lib" )
+#endif
+#endif /* _MSC_VER */
+
+#define read(fd,buf,len)        recv( fd, (char*)( buf ), (int)( len ), 0 )
+#define write(fd,buf,len)       send( fd, (char*)( buf ), (int)( len ), 0 )
+#define close(fd)               closesocket(fd)
+
+static int wsa_init_done = 0;
+
+#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <errno.h>
+
+#define IS_EINTR( ret ) ( ( ret ) == EINTR )
+
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard functions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST   (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <stdio.h>
+
+#include <time.h>
+
+#include <stdint.h>
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare(void) {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    WSADATA wsaData;
+
+    if (wsa_init_done == 0) {
+        if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
+            return (MBEDTLS_ERR_NET_SOCKET_FAILED);
+
+        wsa_init_done = 1;
+    }
+#else
+#if !defined(EFIX64) && !defined(EFI32)
+    signal(SIGPIPE, SIG_IGN);
+#endif
+#endif
+    return (0);
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init(mbedtls_net_context *ctx) {
+    ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host,
+                        const char *port, int proto) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if ((ret = net_prepare()) != 0)
+        return (ret);
+
+    /* Do name resolution with both IPv6 and IPv4 */
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+    if (getaddrinfo(host, port, &hints, &addr_list) != 0)
+        return (MBEDTLS_ERR_NET_UNKNOWN_HOST);
+
+    /* Try the sockaddrs until a connection succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for (cur = addr_list; cur != NULL; cur = cur->ai_next) {
+        ctx->fd = (int) socket(cur->ai_family, cur->ai_socktype,
+                               cur->ai_protocol);
+        if (ctx->fd < 0) {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if (connect(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) == 0) {
+            ret = 0;
+            break;
+        }
+
+        close(ctx->fd);
+        ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+    }
+
+    freeaddrinfo(addr_list);
+
+    return (ret);
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto) {
+    int n, ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if ((ret = net_prepare()) != 0)
+        return (ret);
+
+    /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+    if (bind_ip == NULL)
+        hints.ai_flags = AI_PASSIVE;
+
+    if (getaddrinfo(bind_ip, port, &hints, &addr_list) != 0)
+        return (MBEDTLS_ERR_NET_UNKNOWN_HOST);
+
+    /* Try the sockaddrs until a binding succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for (cur = addr_list; cur != NULL; cur = cur->ai_next) {
+        ctx->fd = (int) socket(cur->ai_family, cur->ai_socktype,
+                               cur->ai_protocol);
+        if (ctx->fd < 0) {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        n = 1;
+        if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                       (const char *) &n, sizeof(n)) != 0) {
+            close(ctx->fd);
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) {
+            close(ctx->fd);
+            ret = MBEDTLS_ERR_NET_BIND_FAILED;
+            continue;
+        }
+
+        /* Listen only makes sense for TCP */
+        if (proto == MBEDTLS_NET_PROTO_TCP) {
+            if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) {
+                close(ctx->fd);
+                ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+                continue;
+            }
+        }
+
+        /* Bind was successful */
+        ret = 0;
+        break;
+    }
+
+    freeaddrinfo(addr_list);
+
+    return (ret);
+
+}
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block(const mbedtls_net_context *ctx) {
+    ((void) ctx);
+    return (WSAGetLastError() == WSAEWOULDBLOCK);
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block(const mbedtls_net_context *ctx) {
+    int err = errno;
+
+    /*
+     * Never return 'WOULD BLOCK' on a blocking socket
+     */
+    if ((fcntl(ctx->fd, F_GETFL) & O_NONBLOCK) != O_NONBLOCK) {
+        errno = err;
+        return (0);
+    }
+
+    switch (errno = err) {
+#if defined EAGAIN
+        case EAGAIN:
+#endif
+#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
+        case EWOULDBLOCK:
+#endif
+            return (1);
+    }
+    return (0);
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
+                       mbedtls_net_context *client_ctx,
+                       void *client_ip, size_t buf_size, size_t *ip_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int type;
+
+    struct sockaddr_storage client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) ||  \
+    defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
+    defined(socklen_t) || (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L)
+    socklen_t n = (socklen_t) sizeof(client_addr);
+    socklen_t type_len = (socklen_t) sizeof(type);
+#else
+    int n = (int) sizeof(client_addr);
+    int type_len = (int) sizeof(type);
+#endif
+
+    /* Is this a TCP or UDP socket? */
+    if (getsockopt(bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+                   (void *) &type, &type_len) != 0 ||
+            (type != SOCK_STREAM && type != SOCK_DGRAM)) {
+        return (MBEDTLS_ERR_NET_ACCEPT_FAILED);
+    }
+
+    if (type == SOCK_STREAM) {
+        /* TCP: actual accept() */
+        ret = client_ctx->fd = (int) accept(bind_ctx->fd,
+                                            (struct sockaddr *) &client_addr, &n);
+    } else {
+        /* UDP: wait for a message, but keep it in the queue */
+        char buf[1] = { 0 };
+
+        ret = (int) recvfrom(bind_ctx->fd, buf, sizeof(buf), MSG_PEEK,
+                             (struct sockaddr *) &client_addr, &n);
+
+#if defined(_WIN32)
+        if (ret == SOCKET_ERROR &&
+                WSAGetLastError() == WSAEMSGSIZE) {
+            /* We know buf is too small, thanks, just peeking here */
+            ret = 0;
+        }
+#endif
+    }
+
+    if (ret < 0) {
+        if (net_would_block(bind_ctx) != 0)
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+
+        return (MBEDTLS_ERR_NET_ACCEPT_FAILED);
+    }
+
+    /* UDP: hijack the listening socket to communicate with the client,
+     * then bind a new socket to accept new connections */
+    if (type != SOCK_STREAM) {
+        struct sockaddr_storage local_addr;
+        int one = 1;
+
+        if (connect(bind_ctx->fd, (struct sockaddr *) &client_addr, n) != 0)
+            return (MBEDTLS_ERR_NET_ACCEPT_FAILED);
+
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */
+
+        n = sizeof(struct sockaddr_storage);
+        if (getsockname(client_ctx->fd,
+                        (struct sockaddr *) &local_addr, &n) != 0 ||
+                (bind_ctx->fd = (int) socket(local_addr.ss_family,
+                                             SOCK_DGRAM, IPPROTO_UDP)) < 0 ||
+                setsockopt(bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                           (const char *) &one, sizeof(one)) != 0) {
+            return (MBEDTLS_ERR_NET_SOCKET_FAILED);
+        }
+
+        if (bind(bind_ctx->fd, (struct sockaddr *) &local_addr, n) != 0) {
+            return (MBEDTLS_ERR_NET_BIND_FAILED);
+        }
+    }
+
+    if (client_ip != NULL) {
+        if (client_addr.ss_family == AF_INET) {
+            struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+            *ip_len = sizeof(addr4->sin_addr.s_addr);
+
+            if (buf_size < *ip_len)
+                return (MBEDTLS_ERR_NET_BUFFER_TOO_SMALL);
+
+            memcpy(client_ip, &addr4->sin_addr.s_addr, *ip_len);
+        } else {
+            struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
+            *ip_len = sizeof(addr6->sin6_addr.s6_addr);
+
+            if (buf_size < *ip_len)
+                return (MBEDTLS_ERR_NET_BUFFER_TOO_SMALL);
+
+            memcpy(client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+        }
+    }
+
+    return (0);
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int mbedtls_net_set_block(mbedtls_net_context *ctx) {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 0;
+    return (ioctlsocket(ctx->fd, FIONBIO, &n));
+#else
+    return (fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) & ~O_NONBLOCK));
+#endif
+}
+
+int mbedtls_net_set_nonblock(mbedtls_net_context *ctx) {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 1;
+    return (ioctlsocket(ctx->fd, FIONBIO, &n));
+#else
+    return (fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) | O_NONBLOCK));
+#endif
+}
+
+/*
+ * Check if data is available on the socket
+ */
+
+int mbedtls_net_poll(mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    struct timeval tv;
+
+    fd_set read_fds;
+    fd_set write_fds;
+
+    int fd = ctx->fd;
+
+    if (fd < 0)
+        return (MBEDTLS_ERR_NET_INVALID_CONTEXT);
+
+    /* A limitation of select() is that it only works with file descriptors
+     * that are strictly less than FD_SETSIZE. This is a limitation of the
+     * fd_set type. Error out early, because attempting to call FD_SET on a
+     * large file descriptor is a buffer overflow on typical platforms. */
+    if (fd >= FD_SETSIZE)
+        return (MBEDTLS_ERR_NET_POLL_FAILED);
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    /* Ensure that memory sanitizers consider read_fds and write_fds as
+     * initialized even on platforms such as Glibc/x86_64 where FD_ZERO
+     * is implemented in assembly. */
+    memset(&read_fds, 0, sizeof(read_fds));
+    memset(&write_fds, 0, sizeof(write_fds));
+#endif
+#endif
+
+    FD_ZERO(&read_fds);
+    if (rw & MBEDTLS_NET_POLL_READ) {
+        rw &= ~MBEDTLS_NET_POLL_READ;
+        FD_SET(fd, &read_fds);
+    }
+
+    FD_ZERO(&write_fds);
+    if (rw & MBEDTLS_NET_POLL_WRITE) {
+        rw &= ~MBEDTLS_NET_POLL_WRITE;
+        FD_SET(fd, &write_fds);
+    }
+
+    if (rw != 0)
+        return (MBEDTLS_ERR_NET_BAD_INPUT_DATA);
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = (timeout % 1000) * 1000;
+
+    do {
+        ret = select(fd + 1, &read_fds, &write_fds, NULL,
+                     timeout == (uint32_t) -1 ? NULL : &tv);
+    } while (IS_EINTR(ret));
+
+    if (ret < 0)
+        return (MBEDTLS_ERR_NET_POLL_FAILED);
+
+    ret = 0;
+    if (FD_ISSET(fd, &read_fds))
+        ret |= MBEDTLS_NET_POLL_READ;
+    if (FD_ISSET(fd, &write_fds))
+        ret |= MBEDTLS_NET_POLL_WRITE;
+
+    return (ret);
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep(unsigned long usec) {
+#if defined(_WIN32)
+    Sleep((usec + 999) / 1000);
+#else
+    struct timeval tv;
+    tv.tv_sec  = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+    ( defined(__APPLE__) && defined(__MACH__) )
+    tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+    tv.tv_usec = usec % 1000000;
+#endif
+    select(0, NULL, NULL, NULL, &tv);
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if (fd < 0)
+        return (MBEDTLS_ERR_NET_INVALID_CONTEXT);
+
+    ret = (int) read(fd, buf, len);
+
+    if (ret < 0) {
+        if (net_would_block(ctx) != 0)
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if (WSAGetLastError() == WSAECONNRESET)
+            return (MBEDTLS_ERR_NET_CONN_RESET);
+#else
+        if (errno == EPIPE || errno == ECONNRESET)
+            return (MBEDTLS_ERR_NET_CONN_RESET);
+
+        if (errno == EINTR)
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+#endif
+
+        return (MBEDTLS_ERR_NET_RECV_FAILED);
+    }
+
+    return (ret);
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf,
+                             size_t len, uint32_t timeout) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    struct timeval tv;
+    fd_set read_fds;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if (fd < 0)
+        return (MBEDTLS_ERR_NET_INVALID_CONTEXT);
+
+    /* A limitation of select() is that it only works with file descriptors
+     * that are strictly less than FD_SETSIZE. This is a limitation of the
+     * fd_set type. Error out early, because attempting to call FD_SET on a
+     * large file descriptor is a buffer overflow on typical platforms. */
+    if (fd >= FD_SETSIZE)
+        return (MBEDTLS_ERR_NET_POLL_FAILED);
+
+    FD_ZERO(&read_fds);
+    FD_SET(fd, &read_fds);
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = (timeout % 1000) * 1000;
+
+    ret = select(fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv);
+
+    /* Zero fds ready means we timed out */
+    if (ret == 0)
+        return (MBEDTLS_ERR_SSL_TIMEOUT);
+
+    if (ret < 0) {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if (WSAGetLastError() == WSAEINTR)
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+#else
+        if (errno == EINTR)
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+#endif
+
+        return (MBEDTLS_ERR_NET_RECV_FAILED);
+    }
+
+    /* This call will not block */
+    return (mbedtls_net_recv(ctx, buf, len));
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send(void *ctx, const unsigned char *buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if (fd < 0)
+        return (MBEDTLS_ERR_NET_INVALID_CONTEXT);
+
+    ret = (int) write(fd, buf, len);
+
+    if (ret < 0) {
+        if (net_would_block(ctx) != 0)
+            return (MBEDTLS_ERR_SSL_WANT_WRITE);
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if (WSAGetLastError() == WSAECONNRESET)
+            return (MBEDTLS_ERR_NET_CONN_RESET);
+#else
+        if (errno == EPIPE || errno == ECONNRESET)
+            return (MBEDTLS_ERR_NET_CONN_RESET);
+
+        if (errno == EINTR)
+            return (MBEDTLS_ERR_SSL_WANT_WRITE);
+#endif
+
+        return (MBEDTLS_ERR_NET_SEND_FAILED);
+    }
+
+    return (ret);
+}
+
+/*
+ * Close the connection
+ */
+void mbedtls_net_close(mbedtls_net_context *ctx) {
+    if (ctx->fd == -1)
+        return;
+
+    close(ctx->fd);
+
+    ctx->fd = -1;
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free(mbedtls_net_context *ctx) {
+    if (ctx->fd == -1)
+        return;
+
+    shutdown(ctx->fd, 2);
+    close(ctx->fd);
+
+    ctx->fd = -1;
+}
+
+#endif /* MBEDTLS_NET_C */
diff --git a/common/mbedtls/net_sockets.h b/common/mbedtls/net_sockets.h
new file mode 100644
index 000000000..14beecd02
--- /dev/null
+++ b/common/mbedtls/net_sockets.h
@@ -0,0 +1,287 @@
+/**
+ * \file net_sockets.h
+ *
+ * \brief   Network sockets abstraction layer to integrate Mbed TLS into a
+ *          BSD-style sockets API.
+ *
+ *          The network sockets module provides an example integration of the
+ *          Mbed TLS library into a BSD sockets implementation. The module is
+ *          intended to be an example of how Mbed TLS can be integrated into a
+ *          networking stack, as well as to be Mbed TLS's network integration
+ *          for its supported platforms.
+ *
+ *          The module is intended only to be used with the Mbed TLS library and
+ *          is not intended to be used by third party application software
+ *          directly.
+ *
+ *          The supported platforms are as follows:
+ *              * Microsoft Windows and Windows CE
+ *              * POSIX/Unix platforms including Linux, OS X
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_NET_SOCKETS_H
+#define MBEDTLS_NET_SOCKETS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
+#define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
+#define MBEDTLS_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
+#define MBEDTLS_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
+#define MBEDTLS_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
+#define MBEDTLS_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
+#define MBEDTLS_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
+#define MBEDTLS_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
+#define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
+#define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+#define MBEDTLS_ERR_NET_POLL_FAILED                       -0x0047  /**< Polling the net context failed. */
+#define MBEDTLS_ERR_NET_BAD_INPUT_DATA                    -0x0049  /**< Input invalid. */
+
+#define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
+
+#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
+#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
+
+#define MBEDTLS_NET_POLL_READ  1 /**< Used in \c mbedtls_net_poll to check for pending data  */
+#define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Wrapper type for sockets.
+ *
+ * Currently backed by just a file descriptor, but might be more in the future
+ * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
+ * structures for hand-made UDP demultiplexing).
+ */
+typedef struct mbedtls_net_context {
+    int fd;             /**< The underlying file descriptor                 */
+}
+mbedtls_net_context;
+
+/**
+ * \brief          Initialize a context
+ *                 Just makes the context ready to be used or freed safely.
+ *
+ * \param ctx      Context to initialize
+ */
+void mbedtls_net_init(mbedtls_net_context *ctx);
+
+/**
+ * \brief          Initiate a connection with host:port in the given protocol
+ *
+ * \param ctx      Socket to use
+ * \param host     Host to connect to
+ * \param port     Port to connect to
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_CONNECT_FAILED
+ *
+ * \note           Sets the socket in connected mode even with UDP.
+ */
+int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host, const char *port, int proto);
+
+/**
+ * \brief          Create a receiving socket on bind_ip:port in the chosen
+ *                 protocol. If bind_ip == NULL, all interfaces are bound.
+ *
+ * \param ctx      Socket to use
+ * \param bind_ip  IP to bind to, can be NULL
+ * \param port     Port number to use
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_BIND_FAILED,
+ *                      MBEDTLS_ERR_NET_LISTEN_FAILED
+ *
+ * \note           Regardless of the protocol, opens the sockets and binds it.
+ *                 In addition, make the socket listening if protocol is TCP.
+ */
+int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto);
+
+/**
+ * \brief           Accept a connection from a remote client
+ *
+ * \param bind_ctx  Relevant socket
+ * \param client_ctx Will contain the connected client socket
+ * \param client_ip Will contain the client IP address, can be NULL
+ * \param buf_size  Size of the client_ip buffer
+ * \param ip_len    Will receive the size of the client IP written,
+ *                  can be NULL if client_ip is null
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                  MBEDTLS_ERR_NET_BIND_FAILED,
+ *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  non-blocking and accept() would block.
+ */
+int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
+                       mbedtls_net_context *client_ctx,
+                       void *client_ip, size_t buf_size, size_t *ip_len);
+
+/**
+ * \brief          Check and wait for the context to be ready for read/write
+ *
+ * \note           The current implementation of this function uses
+ *                 select() and returns an error if the file descriptor
+ *                 is \c FD_SETSIZE or greater.
+ *
+ * \param ctx      Socket to check
+ * \param rw       Bitflag composed of MBEDTLS_NET_POLL_READ and
+ *                 MBEDTLS_NET_POLL_WRITE specifying the events
+ *                 to wait for:
+ *                 - If MBEDTLS_NET_POLL_READ is set, the function
+ *                   will return as soon as the net context is available
+ *                   for reading.
+ *                 - If MBEDTLS_NET_POLL_WRITE is set, the function
+ *                   will return as soon as the net context is available
+ *                   for writing.
+ * \param timeout  Maximal amount of time to wait before returning,
+ *                 in milliseconds. If \c timeout is zero, the
+ *                 function returns immediately. If \c timeout is
+ *                 -1u, the function blocks potentially indefinitely.
+ *
+ * \return         Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
+ *                 on success or timeout, or a negative return code otherwise.
+ */
+int mbedtls_net_poll(mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout);
+
+/**
+ * \brief          Set the socket blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_block(mbedtls_net_context *ctx);
+
+/**
+ * \brief          Set the socket non-blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_nonblock(mbedtls_net_context *ctx);
+
+/**
+ * \brief          Portable usleep helper
+ *
+ * \param usec     Amount of microseconds to sleep
+ *
+ * \note           Real amount of time slept will not be less than
+ *                 select()'s timeout granularity (typically, 10ms).
+ */
+void mbedtls_net_usleep(unsigned long usec);
+
+/**
+ * \brief          Read at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
+ */
+int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len);
+
+/**
+ * \brief          Write at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to read from
+ * \param len      The length of the buffer
+ *
+ * \return         the number of bytes sent,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
+ */
+int mbedtls_net_send(void *ctx, const unsigned char *buf, size_t len);
+
+/**
+ * \brief          Read at most 'len' characters, blocking for at most
+ *                 'timeout' seconds. If no error occurs, the actual amount
+ *                 read is returned.
+ *
+ * \note           The current implementation of this function uses
+ *                 select() and returns an error if the file descriptor
+ *                 is \c FD_SETSIZE or greater.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ * \param timeout  Maximum number of milliseconds to wait for data
+ *                 0 means no timeout (wait forever)
+ *
+ * \return         The number of bytes received if successful.
+ *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out.
+ *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *                 Another negative error code (MBEDTLS_ERR_NET_xxx)
+ *                 for other failures.
+ *
+ * \note           This function will block (until data becomes available or
+ *                 timeout is reached) even if the socket is set to
+ *                 non-blocking. Handling timeouts with non-blocking reads
+ *                 requires a different strategy.
+ */
+int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf, size_t len,
+                             uint32_t timeout);
+
+/**
+ * \brief          Closes down the connection and free associated data
+ *
+ * \param ctx      The context to close
+ */
+void mbedtls_net_close(mbedtls_net_context *ctx);
+
+/**
+ * \brief          Gracefully shutdown the connection and free associated data
+ *
+ * \param ctx      The context to free
+ */
+void mbedtls_net_free(mbedtls_net_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* net_sockets.h */
diff --git a/common/mbedtls/nist_kw.c b/common/mbedtls/nist_kw.c
new file mode 100644
index 000000000..3bb2ede69
--- /dev/null
+++ b/common/mbedtls/nist_kw.c
@@ -0,0 +1,728 @@
+/*
+ *  Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ *  only
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH    8
+#define MIN_SEMIBLOCKS_COUNT   3
+
+/* constant-time buffer comparison */
+static inline unsigned char mbedtls_nist_kw_safer_memcmp(const void *a, const void *b, size_t n) {
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for (i = 0; i < n; i++) {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return (diff);
+}
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const  unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
+
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_nist_kw_context));
+}
+
+int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
+                           mbedtls_cipher_id_t cipher,
+                           const unsigned char *key,
+                           unsigned int keybits,
+                           const int is_wrap) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values(cipher,
+                                                  keybits,
+                                                  MBEDTLS_MODE_ECB);
+    if (cipher_info == NULL)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+    if (cipher_info->block_size != 16)
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+
+    /*
+     * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+     * "For KW and KWP, the underlying block cipher shall be approved, and the
+     *  block size shall be 128 bits. Currently, the AES block cipher, with key
+     *  lengths of 128, 192, or 256 bits, is the only block cipher that fits
+     *  this profile."
+     *  Currently we don't support other 128 bit block ciphers for key wrapping,
+     *  such as Camellia and Aria.
+     */
+    if (cipher != MBEDTLS_CIPHER_ID_AES)
+        return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
+
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+
+    if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+                                     is_wrap ? MBEDTLS_ENCRYPT :
+                                     MBEDTLS_DECRYPT)
+        ) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx) {
+    mbedtls_cipher_free(&ctx->cipher_ctx);
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context));
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t(unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t) {
+    size_t i = 0;
+    for (i = 0; i < sizeof(t); i++) {
+        A[i] ^= (t >> ((sizeof(t) - 1 - i) * 8)) & 0xff;
+    }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx,
+                         mbedtls_nist_kw_mode_t mode,
+                         const unsigned char *input, size_t in_len,
+                         unsigned char *output, size_t *out_len, size_t out_size) {
+    int ret = 0;
+    size_t semiblocks = 0;
+    size_t s;
+    size_t olen, padlen = 0;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+    unsigned char *A = output;
+
+    *out_len = 0;
+    /*
+     * Generate the String to work on
+     */
+    if (mode == MBEDTLS_KW_MODE_KW) {
+        if (out_size < in_len + KW_SEMIBLOCK_LENGTH) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KW
+         * must be between 2 to 2^54-1 semiblocks inclusive.
+         */
+        if (in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+                in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+                in_len % KW_SEMIBLOCK_LENGTH != 0) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        memcpy(output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH);
+        memmove(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+    } else {
+        if (in_len % 8 != 0) {
+            padlen = (8 - (in_len % 8));
+        }
+
+        if (out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KWP
+         * must be between 1 and 2^32-1 octets inclusive.
+         */
+        if (in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+                || in_len > 0xFFFFFFFF
+#endif
+           ) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        memcpy(output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2);
+        PUT_UINT32_BE((in_len & 0xffffffff), output,
+                      KW_SEMIBLOCK_LENGTH / 2);
+
+        memcpy(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+        memset(output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen);
+    }
+    semiblocks = ((in_len + padlen) / KW_SEMIBLOCK_LENGTH) + 1;
+
+    s = 6 * (semiblocks - 1);
+
+    if (mode == MBEDTLS_KW_MODE_KWP
+            && in_len <= KW_SEMIBLOCK_LENGTH) {
+        memcpy(inbuff, output, 16);
+        ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+                                    inbuff, 16, output, &olen);
+        if (ret != 0)
+            goto cleanup;
+    } else {
+        /*
+         * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+         */
+        if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+            ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        /* Calculate intermediate values */
+        for (t = 1; t <= s; t++) {
+            memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+            memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH);
+
+            ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+                                        inbuff, 16, outbuff, &olen);
+            if (ret != 0)
+                goto cleanup;
+
+            memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+            calc_a_xor_t(A, t);
+
+            memcpy(R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+            R2 += KW_SEMIBLOCK_LENGTH;
+            if (R2 >= output + (semiblocks * KW_SEMIBLOCK_LENGTH))
+                R2 = output + KW_SEMIBLOCK_LENGTH;
+        }
+    }
+
+    *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+    if (ret != 0) {
+        memset(output, 0, semiblocks * KW_SEMIBLOCK_LENGTH);
+    }
+    mbedtls_platform_zeroize(inbuff, KW_SEMIBLOCK_LENGTH * 2);
+    mbedtls_platform_zeroize(outbuff, KW_SEMIBLOCK_LENGTH * 2);
+
+    return (ret);
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap(mbedtls_nist_kw_context *ctx,
+                  const unsigned char *input, size_t semiblocks,
+                  unsigned char A[KW_SEMIBLOCK_LENGTH],
+                  unsigned char *output, size_t *out_len) {
+    int ret = 0;
+    const size_t s = 6 * (semiblocks - 1);
+    size_t olen;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+    *out_len = 0;
+
+    if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+    }
+
+    memcpy(A, input, KW_SEMIBLOCK_LENGTH);
+    memmove(output, input + KW_SEMIBLOCK_LENGTH, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+
+    /* Calculate intermediate values */
+    for (t = s; t >= 1; t--) {
+        calc_a_xor_t(A, t);
+
+        memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+        memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH);
+
+        ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+                                    inbuff, 16, outbuff, &olen);
+        if (ret != 0)
+            goto cleanup;
+
+        memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+
+        /* Set R as LSB64 of outbuff */
+        memcpy(R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+
+        if (R == output)
+            R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+        else
+            R -= KW_SEMIBLOCK_LENGTH;
+    }
+
+    *out_len = (semiblocks - 1) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+    if (ret != 0)
+        memset(output, 0, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+    mbedtls_platform_zeroize(inbuff, sizeof(inbuff));
+    mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+
+    return (ret);
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
+                           mbedtls_nist_kw_mode_t mode,
+                           const unsigned char *input, size_t in_len,
+                           unsigned char *output, size_t *out_len, size_t out_size) {
+    int ret = 0;
+    size_t i, olen;
+    unsigned char A[KW_SEMIBLOCK_LENGTH];
+    unsigned char diff, bad_padding = 0;
+
+    *out_len = 0;
+    if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
+        return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+    }
+
+    if (mode == MBEDTLS_KW_MODE_KW) {
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KW
+         * must be between 3 to 2^54 semiblocks inclusive.
+         */
+        if (in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+                in_len > 0x200000000000000 ||
+#endif
+                in_len % KW_SEMIBLOCK_LENGTH != 0) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                     A, output, out_len);
+        if (ret != 0)
+            goto cleanup;
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp(NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH);
+
+        if (diff != 0) {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+            goto cleanup;
+        }
+
+    } else if (mode == MBEDTLS_KW_MODE_KWP) {
+        size_t padlen = 0;
+        uint32_t Plen;
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KWP
+         * must be between 2 to 2^29 semiblocks inclusive.
+         */
+        if (in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+                in_len > 0x100000000 ||
+#endif
+                in_len % KW_SEMIBLOCK_LENGTH != 0) {
+            return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
+        }
+
+        if (in_len == KW_SEMIBLOCK_LENGTH * 2) {
+            unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+            ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+                                        input, 16, outbuff, &olen);
+            if (ret != 0)
+                goto cleanup;
+
+            memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+            memcpy(output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+            mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+            *out_len = KW_SEMIBLOCK_LENGTH;
+        } else {
+            /* in_len >=  KW_SEMIBLOCK_LENGTH * 3 */
+            ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                         A, output, out_len);
+            if (ret != 0)
+                goto cleanup;
+        }
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp(NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2);
+
+        if (diff != 0) {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        GET_UINT32_BE(Plen, A, KW_SEMIBLOCK_LENGTH / 2);
+
+        /*
+         * Plen is the length of the plaintext, when the input is valid.
+         * If Plen is larger than the plaintext and padding, padlen will be
+         * larger than 8, because of the type wrap around.
+         */
+        padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+        if (padlen > 7) {
+            padlen &= 7;
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        /* Check padding in "constant-time" */
+        for (diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++) {
+            if (i >= KW_SEMIBLOCK_LENGTH - padlen)
+                diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+            else
+                bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+        }
+
+        if (diff != 0) {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        if (ret != 0) {
+            goto cleanup;
+        }
+        memset(output + Plen, 0, padlen);
+        *out_len = Plen;
+    } else {
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto cleanup;
+    }
+
+cleanup:
+    if (ret != 0) {
+        memset(output, 0, *out_len);
+        *out_len = 0;
+    }
+
+    mbedtls_platform_zeroize(&bad_padding, sizeof(bad_padding));
+    mbedtls_platform_zeroize(&diff, sizeof(diff));
+    mbedtls_platform_zeroize(A, sizeof(A));
+
+    return (ret);
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+#define KW_TESTS 3
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
+
+static const unsigned char kw_key[KW_TESTS][32] = {
+    {
+        0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+        0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6
+    },
+    {
+        0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+        0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+        0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3
+    },
+    {
+        0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+        0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+        0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+        0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88
+    }
+};
+
+static const unsigned char kw_msg[KW_TESTS][40] = {
+    {
+        0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+        0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f
+    },
+    {
+        0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+        0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+        0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+        0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+        0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c
+    },
+    {
+        0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+        0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+        0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1
+    }
+};
+
+static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
+static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
+static const unsigned char kw_res[KW_TESTS][48] = {
+    {
+        0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+        0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+        0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb
+    },
+    {
+        0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+        0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+        0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+        0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+        0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+        0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d
+    },
+    {
+        0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+        0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+        0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+        0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12
+    }
+};
+
+static const unsigned char kwp_key[KW_TESTS][32] = {
+    {
+        0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+        0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4
+    },
+    {
+        0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+        0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+        0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58
+    },
+    {
+        0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+        0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+        0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+        0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a
+    }
+};
+
+static const unsigned char kwp_msg[KW_TESTS][31] = {
+    {
+        0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+        0x96
+    },
+    {
+        0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+        0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+        0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+        0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f
+    },
+    { 0xd1 }
+};
+static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
+
+static const unsigned char kwp_res[KW_TESTS][48] = {
+    {
+        0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+        0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+        0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00
+    },
+    {
+        0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+        0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+        0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+        0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+        0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26
+    },
+    {
+        0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+        0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4
+    }
+};
+static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
+
+int mbedtls_nist_kw_self_test(int verbose) {
+    mbedtls_nist_kw_context ctx;
+    unsigned char out[48];
+    size_t olen;
+    int i;
+    int ret = 0;
+    mbedtls_nist_kw_init(&ctx);
+
+    for (i = 0; i < KW_TESTS; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  KW-AES-%u ", (unsigned int) key_len[i] * 8);
+
+        ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+                                     kw_key[i], key_len[i] * 8, 1);
+        if (ret != 0) {
+            if (verbose != 0)
+                mbedtls_printf("  KW: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+                                   kw_msg_len[i], out, &olen, sizeof(out));
+        if (ret != 0 || kw_out_len[i] != olen ||
+                memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+                                          kw_key[i], key_len[i] * 8, 0))
+                != 0) {
+            if (verbose != 0)
+                mbedtls_printf("  KW: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
+                                     out, olen, out, &olen, sizeof(out));
+
+        if (ret != 0 || olen != kw_msg_len[i] ||
+                memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed\n");
+
+            ret = 1;
+            goto end;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf(" passed\n");
+    }
+
+    for (i = 0; i < KW_TESTS; i++) {
+        olen = sizeof(out);
+        if (verbose != 0)
+            mbedtls_printf("  KWP-AES-%u ", (unsigned int) key_len[i] * 8);
+
+        ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+                                     key_len[i] * 8, 1);
+        if (ret  != 0) {
+            if (verbose != 0)
+                mbedtls_printf("  KWP: setup failed ");
+
+            goto end;
+        }
+        ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+                                   kwp_msg_len[i], out, &olen, sizeof(out));
+
+        if (ret != 0 || kwp_out_len[i] != olen ||
+                memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+                                          kwp_key[i], key_len[i] * 8, 0))
+                != 0) {
+            if (verbose != 0)
+                mbedtls_printf("  KWP: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
+                                     olen, out, &olen, sizeof(out));
+
+        if (ret != 0 || olen != kwp_msg_len[i] ||
+                memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf(" passed\n");
+    }
+end:
+    mbedtls_nist_kw_free(&ctx);
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/common/mbedtls/nist_kw.h b/common/mbedtls/nist_kw.h
new file mode 100644
index 000000000..8d3a4a53b
--- /dev/null
+++ b/common/mbedtls/nist_kw.h
@@ -0,0 +1,181 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ *        padding (KWP) as defined in NIST SP 800-38F.
+ *        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ *        Key wrapping specifies a deterministic authenticated-encryption mode
+ *        of operation, according to <em>NIST SP 800-38F: Recommendation for
+ *        Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ *        purpose is to protect cryptographic keys.
+ *
+ *        Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ *        https://tools.ietf.org/html/rfc3394
+ *        https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+    MBEDTLS_KW_MODE_KW = 0,
+    MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The key wrapping context-type definition. The key wrapping context is passed
+ *           to the APIs called.
+ *
+ * \note     The definition of this type may change in future library versions.
+ *           Don't make any assumptions on this context!
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else  /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief           This function initializes the specified key wrapping context
+ *                  to make references valid and prepare the context
+ *                  for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx       The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx);
+
+/**
+ * \brief           This function initializes the key wrapping context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The key wrapping context.
+ * \param cipher    The 128-bit block cipher to use. Only AES is supported.
+ * \param key       The Key Encryption Key (KEK).
+ * \param keybits   The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap   Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return          \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ *                  which are not supported.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
+                           mbedtls_cipher_id_t cipher,
+                           const unsigned char *key,
+                           unsigned int keybits,
+                           const int is_wrap);
+
+/**
+ * \brief   This function releases and clears the specified key wrapping context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx);
+
+/**
+ * \brief           This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for encryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ *                  <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ *                  <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ *                  8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                         const unsigned char *input, size_t in_len,
+                         unsigned char *output, size_t *out_len, size_t out_size);
+
+/**
+ * \brief           This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for decryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  The input must be a multiple of semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ *                  <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ *                  For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ *                  depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                           const unsigned char *input, size_t in_len,
+                           unsigned char *output, size_t *out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The key wrapping checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
diff --git a/common/mbedtls/oid.c b/common/mbedtls/oid.c
index 3c2dc61d2..c3723c0f1 100644
--- a/common/mbedtls/oid.c
+++ b/common/mbedtls/oid.c
@@ -3,36 +3,29 @@
  *
  * \brief Object Identifier (OID) database
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_OID_C)
 
 #include "mbedtls/oid.h"
 #include "mbedtls/rsa.h"
+#include "mbedtls/error.h"
 
 #include <stdio.h>
 #include <string.h>
@@ -43,10 +36,6 @@
 #define mbedtls_snprintf snprintf
 #endif
 
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
-#include "mbedtls/x509.h"
-#endif
-
 /*
  * Macro to automatically add the size of #define'd OIDs
  */
@@ -56,21 +45,23 @@
  * Macro to generate an internal function for oid_XXX_from_asn1() (used by
  * the other functions)
  */
-#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                        \
-    static const TYPE_T * oid_ ## NAME ## _from_asn1( const mbedtls_asn1_buf *oid )     \
-    {                                                                           \
-        const TYPE_T *p = LIST;                                                 \
-        const mbedtls_oid_descriptor_t *cur = (const mbedtls_oid_descriptor_t *) p;             \
-        if( p == NULL || oid == NULL ) return( NULL );                          \
-        while( cur->asn1 != NULL ) {                                            \
-            if( cur->asn1_len == oid->len &&                                    \
-                    memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {                  \
-                return( p );                                                    \
-            }                                                                   \
-            p++;                                                                \
-            cur = (const mbedtls_oid_descriptor_t *) p;                                 \
-        }                                                                       \
-        return( NULL );                                                         \
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                    \
+    static const TYPE_T * oid_ ## NAME ## _from_asn1(                   \
+                                      const mbedtls_asn1_buf *oid )     \
+    {                                                                   \
+        const TYPE_T *p = (LIST);                                       \
+        const mbedtls_oid_descriptor_t *cur =                           \
+            (const mbedtls_oid_descriptor_t *) p;                       \
+        if( p == NULL || oid == NULL ) return( NULL );                  \
+        while( cur->asn1 != NULL ) {                                    \
+            if( cur->asn1_len == oid->len &&                            \
+                memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {          \
+                return( p );                                            \
+            }                                                           \
+            p++;                                                        \
+            cur = (const mbedtls_oid_descriptor_t *) p;                 \
+        }                                                               \
+        return( NULL );                                                 \
     }
 
 /*
@@ -78,26 +69,26 @@
  * descriptor of an mbedtls_oid_descriptor_t wrapper.
  */
 #define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
-    int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
-    {                                                                       \
-        const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
-        if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
-        *ATTR1 = data->descriptor.ATTR1;                                    \
-        return( 0 );                                                        \
-    }
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->descriptor.ATTR1;                                    \
+    return( 0 );                                                        \
+}
 
 /*
  * Macro to generate a function for retrieving a single attribute from an
  * mbedtls_oid_descriptor_t wrapper.
  */
 #define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
-    int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
-    {                                                                       \
-        const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
-        if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
-        *ATTR1 = data->ATTR1;                                               \
-        return( 0 );                                                        \
-    }
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->ATTR1;                                               \
+    return( 0 );                                                        \
+}
 
 /*
  * Macro to generate a function for retrieving two attributes from an
@@ -105,12 +96,13 @@
  */
 #define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1,     \
                          ATTR2_TYPE, ATTR2)                                 \
-int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2 )  \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1,               \
+                                          ATTR2_TYPE * ATTR2 )              \
 {                                                                           \
     const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );            \
-    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                \
-    *ATTR1 = data->ATTR1;                                                   \
-    *ATTR2 = data->ATTR2;                                                   \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                 \
+    *(ATTR1) = data->ATTR1;                                                 \
+    *(ATTR2) = data->ATTR2;                                                 \
     return( 0 );                                                            \
 }
 
@@ -119,19 +111,19 @@ int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2
  * attribute from a mbedtls_oid_descriptor_t wrapper.
  */
 #define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1)   \
-    int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
-    {                                                                           \
-        const TYPE_T *cur = LIST;                                               \
-        while( cur->descriptor.asn1 != NULL ) {                                 \
-            if( cur->ATTR1 == ATTR1 ) {                                         \
-                *oid = cur->descriptor.asn1;                                    \
-                *olen = cur->descriptor.asn1_len;                               \
-                return( 0 );                                                    \
-            }                                                                   \
-            cur++;                                                              \
-        }                                                                       \
-        return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
-    }
+int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
+{                                                                           \
+    const TYPE_T *cur = (LIST);                                             \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == (ATTR1) ) {                                       \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                    \
+}
 
 /*
  * Macro to generate a function for retrieving the OID based on two
@@ -142,9 +134,9 @@ int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2
 int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
              size_t *olen )                                                 \
 {                                                                           \
-    const TYPE_T *cur = LIST;                                               \
+    const TYPE_T *cur = (LIST);                                             \
     while( cur->descriptor.asn1 != NULL ) {                                 \
-        if( cur->ATTR1 == ATTR1 && cur->ATTR2 == ATTR2 ) {                  \
+        if( cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2) ) {              \
             *oid = cur->descriptor.asn1;                                    \
             *olen = cur->descriptor.asn1_len;                               \
             return( 0 );                                                    \
@@ -154,7 +146,6 @@ int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
     return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
 }
 
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
 /*
  * For X520 attribute types
  */
@@ -259,24 +250,28 @@ typedef struct {
 
 static const oid_x509_ext_t oid_x509_ext[] = {
     {
-        { ADD_LEN(MBEDTLS_OID_BASIC_CONSTRAINTS),    "id-ce-basicConstraints",   "Basic Constraints" },
-        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS,
+        { ADD_LEN(MBEDTLS_OID_BASIC_CONSTRAINTS),    "id-ce-basicConstraints",    "Basic Constraints" },
+        MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS,
     },
     {
-        { ADD_LEN(MBEDTLS_OID_KEY_USAGE),            "id-ce-keyUsage",           "Key Usage" },
-        MBEDTLS_X509_EXT_KEY_USAGE,
+        { ADD_LEN(MBEDTLS_OID_KEY_USAGE),            "id-ce-keyUsage",            "Key Usage" },
+        MBEDTLS_OID_X509_EXT_KEY_USAGE,
     },
     {
-        { ADD_LEN(MBEDTLS_OID_EXTENDED_KEY_USAGE),   "id-ce-extKeyUsage",        "Extended Key Usage" },
-        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE,
+        { ADD_LEN(MBEDTLS_OID_EXTENDED_KEY_USAGE),   "id-ce-extKeyUsage",         "Extended Key Usage" },
+        MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE,
     },
     {
-        { ADD_LEN(MBEDTLS_OID_SUBJECT_ALT_NAME),     "id-ce-subjectAltName",     "Subject Alt Name" },
-        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME,
+        { ADD_LEN(MBEDTLS_OID_SUBJECT_ALT_NAME),     "id-ce-subjectAltName",      "Subject Alt Name" },
+        MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME,
     },
     {
-        { ADD_LEN(MBEDTLS_OID_NS_CERT_TYPE),         "id-netscape-certtype",     "Netscape Certificate Type" },
-        MBEDTLS_X509_EXT_NS_CERT_TYPE,
+        { ADD_LEN(MBEDTLS_OID_NS_CERT_TYPE),         "id-netscape-certtype",      "Netscape Certificate Type" },
+        MBEDTLS_OID_X509_EXT_NS_CERT_TYPE,
+    },
+    {
+        { ADD_LEN(MBEDTLS_OID_CERTIFICATE_POLICIES), "id-ce-certificatePolicies", "Certificate Policies" },
+        MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
     },
     {
         { NULL, 0, NULL, NULL },
@@ -288,18 +283,26 @@ FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
 FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
 
 static const mbedtls_oid_descriptor_t oid_ext_key_usage[] = {
-    { ADD_LEN(MBEDTLS_OID_SERVER_AUTH),      "id-kp-serverAuth",      "TLS Web Server Authentication" },
-    { ADD_LEN(MBEDTLS_OID_CLIENT_AUTH),      "id-kp-clientAuth",      "TLS Web Client Authentication" },
-    { ADD_LEN(MBEDTLS_OID_CODE_SIGNING),     "id-kp-codeSigning",     "Code Signing" },
-    { ADD_LEN(MBEDTLS_OID_EMAIL_PROTECTION), "id-kp-emailProtection", "E-mail Protection" },
-    { ADD_LEN(MBEDTLS_OID_TIME_STAMPING),    "id-kp-timeStamping",    "Time Stamping" },
-    { ADD_LEN(MBEDTLS_OID_OCSP_SIGNING),     "id-kp-OCSPSigning",     "OCSP Signing" },
+    { ADD_LEN(MBEDTLS_OID_SERVER_AUTH),      "id-kp-serverAuth",       "TLS Web Server Authentication" },
+    { ADD_LEN(MBEDTLS_OID_CLIENT_AUTH),      "id-kp-clientAuth",       "TLS Web Client Authentication" },
+    { ADD_LEN(MBEDTLS_OID_CODE_SIGNING),     "id-kp-codeSigning",      "Code Signing" },
+    { ADD_LEN(MBEDTLS_OID_EMAIL_PROTECTION), "id-kp-emailProtection",  "E-mail Protection" },
+    { ADD_LEN(MBEDTLS_OID_TIME_STAMPING),    "id-kp-timeStamping",     "Time Stamping" },
+    { ADD_LEN(MBEDTLS_OID_OCSP_SIGNING),     "id-kp-OCSPSigning",      "OCSP Signing" },
+    { ADD_LEN(MBEDTLS_OID_WISUN_FAN),        "id-kp-wisun-fan-device", "Wi-SUN Alliance Field Area Network (FAN)" },
     { NULL, 0, NULL, NULL },
 };
 
 FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
 FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description)
-#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+
+static const mbedtls_oid_descriptor_t oid_certificate_policies[] = {
+    { ADD_LEN(MBEDTLS_OID_ANY_POLICY),      "anyPolicy",       "Any Policy" },
+    { NULL, 0, NULL, NULL },
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certificate_policies)
+FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies, mbedtls_oid_descriptor_t, certificate_policies, const char *, description)
 
 #if defined(MBEDTLS_MD_C)
 /*
@@ -610,6 +613,12 @@ static const oid_md_alg_t oid_md_alg[] = {
         MBEDTLS_MD_SHA512,
     },
 #endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+    {
+        { ADD_LEN(MBEDTLS_OID_DIGEST_ALG_RIPEMD160),       "id-ripemd160",       "RIPEMD-160" },
+        MBEDTLS_MD_RIPEMD160,
+    },
+#endif /* MBEDTLS_RIPEMD160_C */
     {
         { NULL, 0, NULL, NULL },
         MBEDTLS_MD_NONE,
@@ -698,7 +707,7 @@ FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pb
     do {                                                \
         if( ret < 0 || (size_t) ret >= n )              \
             return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );    \
-        \
+                                                        \
         n -= (size_t) ret;                              \
         p += (size_t) ret;                              \
     } while( 0 )
@@ -706,7 +715,7 @@ FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pb
 /* Return the x.y.z.... style numeric string for the given OID */
 int mbedtls_oid_get_numeric_string(char *buf, size_t size,
                                    const mbedtls_asn1_buf *oid) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, n;
     unsigned int value;
     char *p;
@@ -731,7 +740,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size,
 
         if (!(oid->p[i] & 0x80)) {
             /* Last byte */
-            ret = mbedtls_snprintf(p, n, ".%d", value);
+            ret = mbedtls_snprintf(p, n, ".%u", value);
             OID_SAFE_SNPRINTF;
             value = 0;
         }
diff --git a/common/mbedtls/oid.h b/common/mbedtls/oid.h
index f29ba4acd..20833221e 100644
--- a/common/mbedtls/oid.h
+++ b/common/mbedtls/oid.h
@@ -4,54 +4,68 @@
  * \brief Object Identifier (OID) database
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_OID_H
 #define MBEDTLS_OID_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "asn1.h"
-#include "pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/pk.h"
 
 #include <stddef.h>
 
 #if defined(MBEDTLS_CIPHER_C)
-#include "cipher.h"
+#include "mbedtls/cipher.h"
 #endif
 
 #if defined(MBEDTLS_MD_C)
-#include "md.h"
-#endif
-
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
-#include "x509.h"
+#include "mbedtls/md.h"
 #endif
 
 #define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E  /**< OID is not found. */
 #define MBEDTLS_ERR_OID_BUF_TOO_SMALL                     -0x000B  /**< output buffer is too small */
 
+/* This is for the benefit of X.509, but defined here in order to avoid
+ * having a "backwards" include of x.509.h here */
+/*
+ * X.509 extension types (internal, arbitrary values for bitsets)
+ */
+#define MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
+#define MBEDTLS_OID_X509_EXT_KEY_USAGE                   (1 << 2)
+#define MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES        (1 << 3)
+#define MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS             (1 << 4)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME            (1 << 5)
+#define MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME             (1 << 6)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
+#define MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS           (1 << 8)
+#define MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS            (1 << 9)
+#define MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS          (1 << 10)
+#define MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE          (1 << 11)
+#define MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
+#define MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
+#define MBEDTLS_OID_X509_EXT_FRESHEST_CRL                (1 << 14)
+#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE                (1 << 16)
+
 /*
  * Top level OID tuples
  */
@@ -66,10 +80,10 @@
 #define MBEDTLS_OID_COUNTRY_US                  "\x86\x48"      /* {us(840)} */
 #define MBEDTLS_OID_ORG_RSA_DATA_SECURITY       "\x86\xf7\x0d"  /* {rsadsi(113549)} */
 #define MBEDTLS_OID_RSA_COMPANY                 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
-    MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+                                        MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
 #define MBEDTLS_OID_ORG_ANSI_X9_62              "\xce\x3d" /* ansi-X9-62(10045) */
 #define MBEDTLS_OID_ANSI_X9_62                  MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
-    MBEDTLS_OID_ORG_ANSI_X9_62
+                                        MBEDTLS_OID_ORG_ANSI_X9_62
 
 /*
  * ISO Identified organization OID parts
@@ -106,7 +120,8 @@
  * { iso(1) identified-organization(3) dod(6) internet(1)
  *                      security(5) mechanisms(5) pkix(7) }
  */
-#define MBEDTLS_OID_PKIX                        MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01\x05\x05\x07"
+#define MBEDTLS_OID_INTERNET                    MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01"
+#define MBEDTLS_OID_PKIX                        MBEDTLS_OID_INTERNET "\x05\x05\x07"
 
 /*
  * Arc for standard naming attributes
@@ -151,6 +166,11 @@
 #define MBEDTLS_OID_INIHIBIT_ANYPOLICY          MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 } */
 #define MBEDTLS_OID_FRESHEST_CRL                MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 } */
 
+/*
+ * Certificate policies
+ */
+#define MBEDTLS_OID_ANY_POLICY              MBEDTLS_OID_CERTIFICATE_POLICIES "\x00" /**< anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } */
+
 /*
  * Netscape certificate extensions
  */
@@ -185,6 +205,16 @@
 #define MBEDTLS_OID_TIME_STAMPING               MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
 #define MBEDTLS_OID_OCSP_SIGNING                MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
 
+/**
+ * Wi-SUN Alliance Field Area Network
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ *                      private(4) enterprise(1) WiSUN(45605) FieldAreaNetwork(1) }
+ */
+#define MBEDTLS_OID_WISUN_FAN                   MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01"
+
+#define MBEDTLS_OID_ON                          MBEDTLS_OID_PKIX "\x08" /**< id-on OBJECT IDENTIFIER ::= { id-pkix 8 } */
+#define MBEDTLS_OID_ON_HW_MODULE_NAME           MBEDTLS_OID_ON "\x04" /**< id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on 4 } */
+
 /*
  * PKCS definition OIDs
  */
@@ -230,6 +260,8 @@
 
 #define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
 
+#define MBEDTLS_OID_DIGEST_ALG_RIPEMD160        MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */
+
 #define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
 
 #define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
@@ -425,7 +457,6 @@ typedef struct mbedtls_oid_descriptor_t {
  */
 int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
 
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
 /**
  * \brief          Translate an X.509 extension OID into local values
  *
@@ -435,7 +466,6 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_bu
  * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
  */
 int mbedtls_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_type);
-#endif
 
 /**
  * \brief          Translate an X.509 attribute type OID into the short name
@@ -561,6 +591,16 @@ int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_h
  */
 int mbedtls_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
 
+/**
+ * \brief          Translate certificate policies OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_certificate_policies(const mbedtls_asn1_buf *oid, const char **desc);
+
 /**
  * \brief          Translate md_type into hash algorithm OID
  *
diff --git a/common/mbedtls/padlock.c b/common/mbedtls/padlock.c
new file mode 100644
index 000000000..f45f36cb5
--- /dev/null
+++ b/common/mbedtls/padlock.c
@@ -0,0 +1,160 @@
+/*
+ *  VIA PadLock support functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  This implementation is based on the VIA PadLock Programming Guide:
+ *
+ *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ *  programming_guide.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PADLOCK_C)
+
+#include "mbedtls/padlock.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86)
+
+/*
+ * PadLock detection routine
+ */
+int mbedtls_padlock_has_support(int feature) {
+    static int flags = -1;
+    int ebx = 0, edx = 0;
+
+    if (flags == -1) {
+        asm("movl  %%ebx, %0           \n\t"
+            "movl  $0xC0000000, %%eax  \n\t"
+            "cpuid                     \n\t"
+            "cmpl  $0xC0000001, %%eax  \n\t"
+            "movl  $0, %%edx           \n\t"
+            "jb    1f                  \n\t"
+            "movl  $0xC0000001, %%eax  \n\t"
+            "cpuid                     \n\t"
+            "1:                        \n\t"
+            "movl  %%edx, %1           \n\t"
+            "movl  %2, %%ebx           \n\t"
+            : "=m"(ebx), "=m"(edx)
+            :  "m"(ebx)
+            : "eax", "ecx", "edx");
+
+        flags = edx;
+    }
+
+    return (flags & feature);
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
+                              int mode,
+                              const unsigned char input[16],
+                              unsigned char output[16]) {
+    int ebx = 0;
+    uint32_t *rk;
+    uint32_t *blk;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    rk  = ctx->rk;
+    blk = MBEDTLS_PADLOCK_ALIGN16(buf);
+    memcpy(blk, input, 16);
+
+    ctrl = blk + 4;
+    *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode ^ 1) - 10) << 9);
+
+    asm("pushfl                        \n\t"
+        "popfl                         \n\t"
+        "movl    %%ebx, %0             \n\t"
+        "movl    $1, %%ecx             \n\t"
+        "movl    %2, %%edx             \n\t"
+        "movl    %3, %%ebx             \n\t"
+        "movl    %4, %%esi             \n\t"
+        "movl    %4, %%edi             \n\t"
+        ".byte  0xf3,0x0f,0xa7,0xc8    \n\t"
+        "movl    %1, %%ebx             \n\t"
+        : "=m"(ebx)
+        :  "m"(ebx), "m"(ctrl), "m"(rk), "m"(blk)
+        : "memory", "ecx", "edx", "esi", "edi");
+
+    memcpy(output, blk, 16);
+
+    return (0);
+}
+
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
+                              int mode,
+                              size_t length,
+                              unsigned char iv[16],
+                              const unsigned char *input,
+                              unsigned char *output) {
+    int ebx = 0;
+    size_t count;
+    uint32_t *rk;
+    uint32_t *iw;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    if (((long) input  & 15) != 0 ||
+            ((long) output & 15) != 0)
+        return (MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED);
+
+    rk = ctx->rk;
+    iw = MBEDTLS_PADLOCK_ALIGN16(buf);
+    memcpy(iw, iv, 16);
+
+    ctrl = iw + 4;
+    *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode ^ 1) - 10) << 9);
+
+    count = (length + 15) >> 4;
+
+    asm("pushfl                        \n\t"
+        "popfl                         \n\t"
+        "movl    %%ebx, %0             \n\t"
+        "movl    %2, %%ecx             \n\t"
+        "movl    %3, %%edx             \n\t"
+        "movl    %4, %%ebx             \n\t"
+        "movl    %5, %%esi             \n\t"
+        "movl    %6, %%edi             \n\t"
+        "movl    %7, %%eax             \n\t"
+        ".byte  0xf3,0x0f,0xa7,0xd0    \n\t"
+        "movl    %1, %%ebx             \n\t"
+        : "=m"(ebx)
+        :  "m"(ebx), "m"(count), "m"(ctrl),
+        "m"(rk), "m"(input), "m"(output), "m"(iw)
+        : "memory", "eax", "ecx", "edx", "esi", "edi");
+
+    memcpy(iv, iw, 16);
+
+    return (0);
+}
+
+#endif /* MBEDTLS_HAVE_X86 */
+
+#endif /* MBEDTLS_PADLOCK_C */
diff --git a/common/mbedtls/padlock.h b/common/mbedtls/padlock.h
new file mode 100644
index 000000000..751980e79
--- /dev/null
+++ b/common/mbedtls/padlock.h
@@ -0,0 +1,124 @@
+/**
+ * \file padlock.h
+ *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some
+ *        processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_PADLOCK_H
+#define MBEDTLS_PADLOCK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/aes.h"
+
+#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define MBEDTLS_HAVE_ASAN
+#endif
+#endif
+
+/* Some versions of ASan result in errors about not enough registers */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
+    !defined(MBEDTLS_HAVE_ASAN)
+
+#ifndef MBEDTLS_HAVE_X86
+#define MBEDTLS_HAVE_X86
+#endif
+
+#include <stdint.h>
+
+#define MBEDTLS_PADLOCK_RNG 0x000C
+#define MBEDTLS_PADLOCK_ACE 0x00C0
+#define MBEDTLS_PADLOCK_PHE 0x0C00
+#define MBEDTLS_PADLOCK_PMM 0x3000
+
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal PadLock detection routine
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param feature  The feature to detect
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_padlock_has_support(int feature);
+
+/**
+ * \brief          Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
+                              int mode,
+                              const unsigned char input[16],
+                              unsigned char output[16]);
+
+/**
+ * \brief          Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
+                              int mode,
+                              size_t length,
+                              unsigned char iv[16],
+                              const unsigned char *input,
+                              unsigned char *output);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_X86  */
+
+#endif /* padlock.h */
diff --git a/common/mbedtls/pem.c b/common/mbedtls/pem.c
index 5c0f1d1e5..8d90beee7 100644
--- a/common/mbedtls/pem.c
+++ b/common/mbedtls/pem.c
@@ -1,31 +1,23 @@
 /*
  *  Privacy Enhanced Mail (PEM) decoding
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
 
@@ -36,6 +28,7 @@
 #include "mbedtls/md5.h"
 #include "mbedtls/cipher.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -84,7 +77,7 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen,
     mbedtls_md5_context md5_ctx;
     unsigned char md5sum[16];
     size_t use_len;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     mbedtls_md5_init(&md5_ctx);
 
@@ -143,7 +136,7 @@ static int pem_des_decrypt(unsigned char des_iv[8],
                            const unsigned char *pwd, size_t pwdlen) {
     mbedtls_des_context des_ctx;
     unsigned char des_key[8];
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     mbedtls_des_init(&des_ctx);
 
@@ -170,7 +163,7 @@ static int pem_des3_decrypt(unsigned char des3_iv[8],
                             const unsigned char *pwd, size_t pwdlen) {
     mbedtls_des3_context des3_ctx;
     unsigned char des3_key[24];
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     mbedtls_des3_init(&des3_ctx);
 
@@ -199,7 +192,7 @@ static int pem_aes_decrypt(unsigned char aes_iv[16], unsigned int keylen,
                            const unsigned char *pwd, size_t pwdlen) {
     mbedtls_aes_context aes_ctx;
     unsigned char aes_key[32];
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     mbedtls_aes_init(&aes_ctx);
 
@@ -406,9 +399,10 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
 }
 
 void mbedtls_pem_free(mbedtls_pem_context *ctx) {
-    if (ctx->buf != NULL)
+    if (ctx->buf != NULL) {
         mbedtls_platform_zeroize(ctx->buf, ctx->buflen);
-    mbedtls_free(ctx->buf);
+        mbedtls_free(ctx->buf);
+    }
     mbedtls_free(ctx->info);
 
     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pem_context));
@@ -419,7 +413,7 @@ void mbedtls_pem_free(mbedtls_pem_context *ctx) {
 int mbedtls_pem_write_buffer(const char *header, const char *footer,
                              const unsigned char *der_data, size_t der_len,
                              unsigned char *buf, size_t buf_len, size_t *olen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *encode_buf = NULL, *c, *p = buf;
     size_t len = 0, use_len, add_len = 0;
 
@@ -460,8 +454,12 @@ int mbedtls_pem_write_buffer(const char *header, const char *footer,
     *p++ = '\0';
     *olen = p - buf;
 
+    /* Clean any remaining data previously written to the buffer */
+    memset(buf + *olen, 0, buf_len - *olen);
+
     mbedtls_free(encode_buf);
     return (0);
 }
 #endif /* MBEDTLS_PEM_WRITE_C */
 #endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
diff --git a/common/mbedtls/pem.h b/common/mbedtls/pem.h
index 14ffefa31..f8024fdd1 100644
--- a/common/mbedtls/pem.h
+++ b/common/mbedtls/pem.h
@@ -4,28 +4,30 @@
  * \brief Privacy Enhanced Mail (PEM) decoding
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**
@@ -107,17 +109,27 @@ void mbedtls_pem_free(mbedtls_pem_context *ctx);
  * \brief           Write a buffer of PEM information from a DER encoded
  *                  buffer.
  *
- * \param header    header string to write
- * \param footer    footer string to write
- * \param der_data  DER data to write
- * \param der_len   length of the DER data
- * \param buf       buffer to write to
- * \param buf_len   length of output buffer
- * \param olen      total length written / required (if buf_len is not enough)
+ * \param header    The header string to write.
+ * \param footer    The footer string to write.
+ * \param der_data  The DER data to encode.
+ * \param der_len   The length of the DER data \p der_data in Bytes.
+ * \param buf       The buffer to write to.
+ * \param buf_len   The length of the output buffer \p buf in Bytes.
+ * \param olen      The address at which to store the total length written
+ *                  or required (if \p buf_len is not enough).
  *
- * \return          0 on success, or a specific PEM or BASE64 error code. On
- *                  MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required
- *                  size.
+ * \note            You may pass \c NULL for \p buf and \c 0 for \p buf_len
+ *                  to request the length of the resulting PEM buffer in
+ *                  `*olen`.
+ *
+ * \note            This function may be called with overlapping \p der_data
+ *                  and \p buf buffers.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large
+ *                  enough to hold the PEM buffer. In  this case, `*olen` holds
+ *                  the required minimum size of \p buf.
+ * \return          Another PEM or BASE64 error code on other kinds of failure.
  */
 int mbedtls_pem_write_buffer(const char *header, const char *footer,
                              const unsigned char *der_data, size_t der_len,
diff --git a/common/mbedtls/pk.c b/common/mbedtls/pk.c
index 09ff8d193..7c89572ba 100644
--- a/common/mbedtls/pk.c
+++ b/common/mbedtls/pk.c
@@ -1,37 +1,30 @@
 /*
  *  Public Key abstraction layer
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PK_C)
 #include "mbedtls/pk.h"
 #include "mbedtls/pk_internal.h"
 
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #if defined(MBEDTLS_RSA_C)
 #include "mbedtls/rsa.h"
@@ -43,15 +36,24 @@
 #include "mbedtls/ecdsa.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#endif
+
 #include <limits.h>
 #include <stdint.h>
 
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * Initialise a mbedtls_pk_context
  */
 void mbedtls_pk_init(mbedtls_pk_context *ctx) {
-    if (ctx == NULL)
-        return;
+    PK_VALIDATE(ctx != NULL);
 
     ctx->pk_info = NULL;
     ctx->pk_ctx = NULL;
@@ -61,14 +63,41 @@ void mbedtls_pk_init(mbedtls_pk_context *ctx) {
  * Free (the components of) a mbedtls_pk_context
  */
 void mbedtls_pk_free(mbedtls_pk_context *ctx) {
-    if (ctx == NULL || ctx->pk_info == NULL)
+    if (ctx == NULL)
         return;
 
-    ctx->pk_info->ctx_free_func(ctx->pk_ctx);
+    if (ctx->pk_info != NULL)
+        ctx->pk_info->ctx_free_func(ctx->pk_ctx);
 
     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
 }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx) {
+    PK_VALIDATE(ctx != NULL);
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx) {
+    if (ctx == NULL || ctx->pk_info == NULL ||
+            ctx->pk_info->rs_free_func == NULL) {
+        return;
+    }
+
+    ctx->pk_info->rs_free_func(ctx->rs_ctx);
+
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 /*
  * Get pk_info structure from type
  */
@@ -98,7 +127,8 @@ const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type) {
  * Initialise context
  */
 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info) {
-    if (ctx == NULL || info == NULL || ctx->pk_info != NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    if (info == NULL || ctx->pk_info != NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)
@@ -109,6 +139,41 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info) {
     return (0);
 }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Initialise a PSA-wrapping context
+ */
+int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
+                            const psa_key_id_t key) {
+    const mbedtls_pk_info_t *const info = &mbedtls_pk_opaque_info;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_id_t *pk_ctx;
+    psa_key_type_t type;
+
+    if (ctx == NULL || ctx->pk_info != NULL)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes))
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+    type = psa_get_key_type(&attributes);
+    psa_reset_key_attributes(&attributes);
+
+    /* Current implementation of can_do() relies on this. */
+    if (! PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type))
+        return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) ;
+
+    if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)
+        return (MBEDTLS_ERR_PK_ALLOC_FAILED);
+
+    ctx->pk_info = info;
+
+    pk_ctx = (psa_key_id_t *) ctx->pk_ctx;
+    *pk_ctx = key;
+
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /*
  * Initialize an RSA-alt context
@@ -120,7 +185,8 @@ int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
     mbedtls_rsa_alt_context *rsa_alt;
     const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
 
-    if (ctx == NULL || ctx->pk_info != NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    if (ctx->pk_info != NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)
@@ -143,7 +209,9 @@ int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
  * Tell if a PK can do the operations of the given type
  */
 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type) {
-    /* null or NONE context can't do anything */
+    /* A context with null pk_info is not set up yet and can't do anything.
+     * For backward compatibility, also accept NULL instead of a context
+     * pointer. */
     if (ctx == NULL || ctx->pk_info == NULL)
         return (0);
 
@@ -166,16 +234,68 @@ static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
     return (0);
 }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 /*
- * Verify a signature
+ * Helper to set up a restart context if needed
  */
-int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
-                      const unsigned char *hash, size_t hash_len,
-                      const unsigned char *sig, size_t sig_len) {
-    if (ctx == NULL || ctx->pk_info == NULL ||
+static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
+                            const mbedtls_pk_info_t *info) {
+    /* Don't do anything if already set up or invalid */
+    if (ctx == NULL || ctx->pk_info != NULL)
+        return (0);
+
+    /* Should never happen when we're called */
+    if (info->rs_alloc_func == NULL || info->rs_free_func == NULL)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL)
+        return (MBEDTLS_ERR_PK_ALLOC_FAILED);
+
+    ctx->pk_info = info;
+
+    return (0);
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
+                                  mbedtls_md_type_t md_alg,
+                                  const unsigned char *hash, size_t hash_len,
+                                  const unsigned char *sig, size_t sig_len,
+                                  mbedtls_pk_restart_ctx *rs_ctx) {
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hash_len == 0) ||
+                    hash != NULL);
+    PK_VALIDATE_RET(sig != NULL);
+
+    if (ctx->pk_info == NULL ||
             pk_hashlen_helper(md_alg, &hash_len) != 0)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if (rs_ctx != NULL &&
+            mbedtls_ecp_restart_is_enabled() &&
+            ctx->pk_info->verify_rs_func != NULL) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+        if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0)
+            return (ret);
+
+        ret = ctx->pk_info->verify_rs_func(ctx->pk_ctx,
+                                           md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
+
+        if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS)
+            mbedtls_pk_restart_free(rs_ctx);
+
+        return (ret);
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     if (ctx->pk_info->verify_func == NULL)
         return (MBEDTLS_ERR_PK_TYPE_MISMATCH);
 
@@ -183,6 +303,16 @@ int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                                       sig, sig_len));
 }
 
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                      const unsigned char *hash, size_t hash_len,
+                      const unsigned char *sig, size_t sig_len) {
+    return (mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
+                                          sig, sig_len, NULL));
+}
+
 /*
  * Verify a signature with options
  */
@@ -190,7 +320,12 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
                           mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hash_len,
                           const unsigned char *sig, size_t sig_len) {
-    if (ctx == NULL || ctx->pk_info == NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hash_len == 0) ||
+                    hash != NULL);
+    PK_VALIDATE_RET(sig != NULL);
+
+    if (ctx->pk_info == NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if (! mbedtls_pk_can_do(ctx, type))
@@ -198,7 +333,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
 
     if (type == MBEDTLS_PK_RSASSA_PSS) {
 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
-        int ret;
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
         const mbedtls_pk_rsassa_pss_options *pss_opts;
 
 #if SIZE_MAX > UINT_MAX
@@ -240,16 +375,45 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
 }
 
 /*
- * Make a signature
+ * Make a signature (restartable)
  */
-int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
-                    const unsigned char *hash, size_t hash_len,
-                    unsigned char *sig, size_t *sig_len,
-                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    if (ctx == NULL || ctx->pk_info == NULL ||
+int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
+                                mbedtls_md_type_t md_alg,
+                                const unsigned char *hash, size_t hash_len,
+                                unsigned char *sig, size_t *sig_len,
+                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                mbedtls_pk_restart_ctx *rs_ctx) {
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hash_len == 0) ||
+                    hash != NULL);
+    PK_VALIDATE_RET(sig != NULL);
+
+    if (ctx->pk_info == NULL ||
             pk_hashlen_helper(md_alg, &hash_len) != 0)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if (rs_ctx != NULL &&
+            mbedtls_ecp_restart_is_enabled() &&
+            ctx->pk_info->sign_rs_func != NULL) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+        if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0)
+            return (ret);
+
+        ret = ctx->pk_info->sign_rs_func(ctx->pk_ctx, md_alg,
+                                         hash, hash_len, sig, sig_len, f_rng, p_rng, rs_ctx->rs_ctx);
+
+        if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS)
+            mbedtls_pk_restart_free(rs_ctx);
+
+        return (ret);
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     if (ctx->pk_info->sign_func == NULL)
         return (MBEDTLS_ERR_PK_TYPE_MISMATCH);
 
@@ -257,6 +421,17 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                                     sig, sig_len, f_rng, p_rng));
 }
 
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                    const unsigned char *hash, size_t hash_len,
+                    unsigned char *sig, size_t *sig_len,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
+    return (mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
+                                        sig, sig_len, f_rng, p_rng, NULL));
+}
+
 /*
  * Decrypt message
  */
@@ -264,7 +439,12 @@ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
                        const unsigned char *input, size_t ilen,
                        unsigned char *output, size_t *olen, size_t osize,
                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    if (ctx == NULL || ctx->pk_info == NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET(input != NULL || ilen == 0);
+    PK_VALIDATE_RET(output != NULL || osize == 0);
+    PK_VALIDATE_RET(olen != NULL);
+
+    if (ctx->pk_info == NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if (ctx->pk_info->decrypt_func == NULL)
@@ -281,7 +461,12 @@ int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
                        const unsigned char *input, size_t ilen,
                        unsigned char *output, size_t *olen, size_t osize,
                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    if (ctx == NULL || ctx->pk_info == NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET(input != NULL || ilen == 0);
+    PK_VALIDATE_RET(output != NULL || osize == 0);
+    PK_VALIDATE_RET(olen != NULL);
+
+    if (ctx->pk_info == NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if (ctx->pk_info->encrypt_func == NULL)
@@ -295,12 +480,17 @@ int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
  * Check public-private key pair
  */
 int mbedtls_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_context *prv) {
-    if (pub == NULL || pub->pk_info == NULL ||
-            prv == NULL || prv->pk_info == NULL ||
-            prv->pk_info->check_pair_func == NULL) {
+    PK_VALIDATE_RET(pub != NULL);
+    PK_VALIDATE_RET(prv != NULL);
+
+    if (pub->pk_info == NULL ||
+            prv->pk_info == NULL) {
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
     }
 
+    if (prv->pk_info->check_pair_func == NULL)
+        return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+
     if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
         if (pub->pk_info->type != MBEDTLS_PK_RSA)
             return (MBEDTLS_ERR_PK_TYPE_MISMATCH);
@@ -316,6 +506,8 @@ int mbedtls_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_contex
  * Get key size in bits
  */
 size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx) {
+    /* For backward compatibility, accept NULL or a context that
+     * isn't set up yet, and return a fake value that should be safe. */
     if (ctx == NULL || ctx->pk_info == NULL)
         return (0);
 
@@ -326,7 +518,8 @@ size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx) {
  * Export debug information
  */
 int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items) {
-    if (ctx == NULL || ctx->pk_info == NULL)
+    PK_VALIDATE_RET(ctx != NULL);
+    if (ctx->pk_info == NULL)
         return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     if (ctx->pk_info->debug_func == NULL)
@@ -356,4 +549,59 @@ mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx) {
     return (ctx->pk_info->type);
 }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Load the key to a PSA key slot,
+ * then turn the PK context into a wrapper for that key slot.
+ *
+ * Currently only works for EC private keys.
+ */
+int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
+                              psa_key_id_t *key,
+                              psa_algorithm_t hash_alg) {
+#if !defined(MBEDTLS_ECP_C)
+    ((void) pk);
+    ((void) key);
+    ((void) hash_alg);
+    return (MBEDTLS_ERR_PK_TYPE_MISMATCH);
+#else
+    const mbedtls_ecp_keypair *ec;
+    unsigned char d[MBEDTLS_ECP_MAX_BYTES];
+    size_t d_len;
+    psa_ecc_family_t curve_id;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_type_t key_type;
+    size_t bits;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* export the private key material in the format PSA wants */
+    if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECKEY)
+        return (MBEDTLS_ERR_PK_TYPE_MISMATCH);
+
+    ec = mbedtls_pk_ec(*pk);
+    d_len = (ec->grp.nbits + 7) / 8;
+    if ((ret = mbedtls_mpi_write_binary(&ec->d, d, d_len)) != 0)
+        return (ret);
+
+    curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
+    key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
+
+    /* prepare the key attributes */
+    psa_set_key_type(&attributes, key_type);
+    psa_set_key_bits(&attributes, bits);
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+    psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(hash_alg));
+
+    /* import private key into PSA */
+    if (PSA_SUCCESS != psa_import_key(&attributes, d, d_len, key))
+        return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
+
+    /* make PK context wrap the key slot */
+    mbedtls_pk_free(pk);
+    mbedtls_pk_init(pk);
+
+    return (mbedtls_pk_setup_opaque(pk, *key));
+#endif /* MBEDTLS_ECP_C */
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_PK_C */
diff --git a/common/mbedtls/pk.h b/common/mbedtls/pk.h
index afe0783ad..c00a5c10c 100644
--- a/common/mbedtls/pk.h
+++ b/common/mbedtls/pk.h
@@ -4,47 +4,47 @@
  * \brief Public Key abstraction layer
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_PK_H
 #define MBEDTLS_PK_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "md.h"
+#include "mbedtls/md.h"
 
 #if defined(MBEDTLS_RSA_C)
-#include "rsa.h"
+#include "mbedtls/rsa.h"
 #endif
 
 #if defined(MBEDTLS_ECP_C)
-#include "ecp.h"
+#include "mbedtls/ecp.h"
 #endif
 
 #if defined(MBEDTLS_ECDSA_C)
-#include "ecdsa.h"
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
 #endif
 
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
@@ -66,6 +66,8 @@
 #define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
 #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
 #define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -83,6 +85,7 @@ typedef enum {
     MBEDTLS_PK_ECDSA,
     MBEDTLS_PK_RSA_ALT,
     MBEDTLS_PK_RSASSA_PSS,
+    MBEDTLS_PK_OPAQUE,
 } mbedtls_pk_type_t;
 
 /**
@@ -95,6 +98,58 @@ typedef struct mbedtls_pk_rsassa_pss_options {
 
 } mbedtls_pk_rsassa_pss_options;
 
+/**
+ * \brief           Maximum size of a signature made by mbedtls_pk_sign().
+ */
+/* We need to set MBEDTLS_PK_SIGNATURE_MAX_SIZE to the maximum signature
+ * size among the supported signature types. Do it by starting at 0,
+ * then incrementally increasing to be large enough for each supported
+ * signature mechanism.
+ *
+ * The resulting value can be 0, for example if MBEDTLS_ECDH_C is enabled
+ * (which allows the pk module to be included) but neither MBEDTLS_ECDSA_C
+ * nor MBEDTLS_RSA_C nor any opaque signature mechanism (PSA or RSA_ALT).
+ */
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE 0
+
+#if ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_RSA_ALT_SUPPORT) ) && \
+    MBEDTLS_MPI_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* For RSA, the signature can be as large as the bignum module allows.
+ * For RSA_ALT, the signature size is not necessarily tied to what the
+ * bignum module can do, but in the absence of any specific setting,
+ * we use that (rsa_alt_sign_wrap in pk_wrap will check). */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) &&                                 \
+    MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* For ECDSA, the ecdsa module exports a constant for the maximum
+ * signature size. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if PSA_SIGNATURE_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* PSA_SIGNATURE_MAX_SIZE is the maximum size of a signature made
+ * through the PSA API in the PSA representation. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE PSA_SIGNATURE_MAX_SIZE
+#endif
+
+#if PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* The Mbed TLS representation is different for ECDSA signatures:
+ * PSA uses the raw concatenation of r and s,
+ * whereas Mbed TLS uses the ASN.1 representation (SEQUENCE of two INTEGERs).
+ * Add the overhead of ASN.1: up to (1+2) + 2 * (1+2+1) for the
+ * types, lengths (represented by up to 2 bytes), and potential leading
+ * zeros of the INTEGERs and the SEQUENCE. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE ( PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 )
+#endif
+#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
+
 /**
  * \brief           Types for interfacing with the debug module
  */
@@ -125,10 +180,23 @@ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
  * \brief           Public key container
  */
 typedef struct mbedtls_pk_context {
-    const mbedtls_pk_info_t    *pk_info; /**< Public key informations        */
+    const mbedtls_pk_info_t    *pk_info; /**< Public key information         */
     void                       *pk_ctx;  /**< Underlying public key context  */
 } mbedtls_pk_context;
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Context for resuming operations
+ */
+typedef struct {
+    const mbedtls_pk_info_t    *pk_info; /**< Public key information         */
+    void                       *rs_ctx;  /**< Underlying restart context     */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #if defined(MBEDTLS_RSA_C)
 /**
  * Quick access to an RSA context inside a PK context.
@@ -177,20 +245,50 @@ typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)(void *ctx);
 const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type);
 
 /**
- * \brief           Initialize a mbedtls_pk_context (as NONE)
+ * \brief           Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
  */
 void mbedtls_pk_init(mbedtls_pk_context *ctx);
 
 /**
- * \brief           Free a mbedtls_pk_context
+ * \brief           Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ *
+ * \note            For contexts that have been set up with
+ *                  mbedtls_pk_setup_opaque(), this does not free the underlying
+ *                  PSA key and you still need to call psa_destroy_key()
+ *                  independently if you want to destroy that key.
  */
 void mbedtls_pk_free(mbedtls_pk_context *ctx);
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx);
+
+/**
+ * \brief           Free the components of a restart context
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 /**
  * \brief           Initialize a PK context with the information given
  *                  and allocates the type-specific PK subcontext.
  *
- * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
  * \param info      Information to use
  *
  * \return          0 on success,
@@ -202,11 +300,45 @@ void mbedtls_pk_free(mbedtls_pk_context *ctx);
  */
 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief           Initialize a PK context to wrap a PSA key.
+ *
+ * \note            This function replaces mbedtls_pk_setup() for contexts
+ *                  that wrap a (possibly opaque) PSA key instead of
+ *                  storing and manipulating the key material directly.
+ *
+ * \param ctx       The context to initialize. It must be empty (type NONE).
+ * \param key       The PSA key to wrap, which must hold an ECC key pair
+ *                  (see notes below).
+ *
+ * \note            The wrapped key must remain valid as long as the
+ *                  wrapping PK context is in use, that is at least between
+ *                  the point this function is called and the point
+ *                  mbedtls_pk_free() is called on this context. The wrapped
+ *                  key might then be independently used or destroyed.
+ *
+ * \note            This function is currently only available for ECC key
+ *                  pairs (that is, ECC keys containing private key material).
+ *                  Support for other key types may be added later.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
+ *                  (context already used, invalid key identifier).
+ * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
+ *                  ECC key pair.
+ * \return          #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ */
+int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
+                            const psa_key_id_t key);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /**
  * \brief           Initialize an RSA-alt context
  *
- * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
  * \param key       RSA key pointer
  * \param decrypt_func  Decryption function
  * \param sign_func     Signing function
@@ -226,7 +358,7 @@ int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
 /**
  * \brief           Get the size in bits of the underlying key
  *
- * \param ctx       Context to use
+ * \param ctx       The context to query. It must have been initialized.
  *
  * \return          Key size in bits, or 0 on error
  */
@@ -234,7 +366,8 @@ size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx);
 
 /**
  * \brief           Get the length in bytes of the underlying key
- * \param ctx       Context to use
+ *
+ * \param ctx       The context to query. It must have been initialized.
  *
  * \return          Key length in bytes, or 0 on error
  */
@@ -245,18 +378,21 @@ static inline size_t mbedtls_pk_get_len(const mbedtls_pk_context *ctx) {
 /**
  * \brief           Tell if a context can do the operation given by type
  *
- * \param ctx       Context to test
- * \param type      Target type
+ * \param ctx       The context to query. It must have been initialized.
+ * \param type      The desired type.
  *
- * \return          0 if context can't do the operations,
- *                  1 otherwise.
+ * \return          1 if the context can do operations on the given type.
+ * \return          0 if the context cannot do the operations on the given
+ *                  type. This is always the case for a context that has
+ *                  been initialized but not set up, or that has been
+ *                  cleared with mbedtls_pk_free().
  */
 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type);
 
 /**
  * \brief           Verify signature (including padding if relevant).
  *
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
@@ -281,13 +417,39 @@ int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                       const unsigned char *hash, size_t hash_len,
                       const unsigned char *sig, size_t sig_len);
 
+/**
+ * \brief           Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_verify(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_verify(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
+                                  mbedtls_md_type_t md_alg,
+                                  const unsigned char *hash, size_t hash_len,
+                                  const unsigned char *sig, size_t sig_len,
+                                  mbedtls_pk_restart_ctx *rs_ctx);
+
 /**
  * \brief           Verify signature, with options.
  *                  (Includes verification of the padding depending on type.)
  *
  * \param type      Signature type (inc. possible padding type) to verify
  * \param options   Pointer to type-specific options, or NULL
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
@@ -318,12 +480,18 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
 /**
  * \brief           Make signature, including padding if relevant.
  *
- * \param ctx       PK context to use - must hold a private key
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
- * \param sig       Place to write the signature
- * \param sig_len   Number of bytes written
+ * \param sig       Place to write the signature.
+ *                  It must have enough room for the signature.
+ *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ *                  You may use a smaller buffer if it is large enough
+ *                  given the key type.
+ * \param sig_len   On successful return,
+ *                  the number of bytes written to \p sig.
  * \param f_rng     RNG function
  * \param p_rng     RNG parameter
  *
@@ -344,10 +512,46 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                     unsigned char *sig, size_t *sig_len,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
 
+/**
+ * \brief           Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_sign(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes for mbedtls_pk_sign())
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes for mbedtls_pk_sign())
+ * \param sig       Place to write the signature.
+ *                  It must have enough room for the signature.
+ *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ *                  You may use a smaller buffer if it is large enough
+ *                  given the key type.
+ * \param sig_len   On successful return,
+ *                  the number of bytes written to \p sig.
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_sign().
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
+                                mbedtls_md_type_t md_alg,
+                                const unsigned char *hash, size_t hash_len,
+                                unsigned char *sig, size_t *sig_len,
+                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                mbedtls_pk_restart_ctx *rs_ctx);
+
 /**
  * \brief           Decrypt message (including padding if relevant).
  *
- * \param ctx       PK context to use - must hold a private key
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
  * \param input     Input to decrypt
  * \param ilen      Input size
  * \param output    Decrypted output
@@ -368,7 +572,7 @@ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
 /**
  * \brief           Encrypt message (including padding if relevant).
  *
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param input     Message to encrypt
  * \param ilen      Message size
  * \param output    Encrypted output
@@ -392,14 +596,18 @@ int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
  * \param pub       Context holding a public key.
  * \param prv       Context holding a private (and public) key.
  *
- * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ * \return          \c 0 on success (keys were checked and match each other).
+ * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
+ *                  be checked - in that case they may or may not match.
+ * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
+ * \return          Another non-zero value if the keys do not match.
  */
 int mbedtls_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_context *prv);
 
 /**
  * \brief           Export debug information
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  * \param items     Place to write debug items
  *
  * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
@@ -409,7 +617,7 @@ int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items
 /**
  * \brief           Access the type name
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  *
  * \return          Type name on success, or "invalid PK"
  */
@@ -418,9 +626,10 @@ const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx);
 /**
  * \brief           Get the key type
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  *
- * \return          Type on success, or MBEDTLS_PK_NONE
+ * \return          Type on success.
+ * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
  */
 mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx);
 
@@ -429,12 +638,22 @@ mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx);
 /**
  * \brief           Parse a private key in PEM or DER format
  *
- * \param ctx       key to be initialized
- * \param key       input buffer
- * \param keylen    size of the buffer
- *                  (including the terminating null byte for PEM data)
- * \param pwd       password for decryption (optional)
- * \param pwdlen    size of the password
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd       Optional password for decryption.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a string of \p pwdlen bytes if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ * \param pwdlen    Size of the password in bytes.
+ *                  Ignored if \p pwd is \c NULL.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -452,10 +671,15 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
 /**
  * \brief           Parse a public key in PEM or DER format
  *
- * \param ctx       key to be initialized
- * \param key       input buffer
- * \param keylen    size of the buffer
- *                  (including the terminating null byte for PEM data)
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -473,9 +697,14 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
 /**
  * \brief           Load and parse a private key
  *
- * \param ctx       key to be initialized
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
  * \param path      filename to read the private key from
- * \param password  password to decrypt the file (can be NULL)
+ * \param password  Optional password to decrypt the file.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a null-terminated string if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -492,7 +721,8 @@ int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
 /**
  * \brief           Load and parse a public key
  *
- * \param ctx       key to be initialized
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
  * \param path      filename to read the public key from
  *
  * \note            On entry, ctx must be empty, either freshly initialised
@@ -515,7 +745,7 @@ int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path);
  *                        return value to determine where you should start
  *                        using the buffer
  *
- * \param ctx       private to write away
+ * \param ctx       PK context which must contain a valid private key.
  * \param buf       buffer to write to
  * \param size      size of the buffer
  *
@@ -530,7 +760,7 @@ int mbedtls_pk_write_key_der(mbedtls_pk_context *ctx, unsigned char *buf, size_t
  *                        return value to determine where you should start
  *                        using the buffer
  *
- * \param ctx       public key to write away
+ * \param ctx       PK context which must contain a valid public or private key.
  * \param buf       buffer to write to
  * \param size      size of the buffer
  *
@@ -543,9 +773,10 @@ int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *ctx, unsigned char *buf, siz
 /**
  * \brief           Write a public key to a PEM string
  *
- * \param ctx       public key to write away
- * \param buf       buffer to write to
- * \param size      size of the buffer
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
  *
  * \return          0 if successful, or a specific error code
  */
@@ -554,9 +785,10 @@ int mbedtls_pk_write_pubkey_pem(mbedtls_pk_context *ctx, unsigned char *buf, siz
 /**
  * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
  *
- * \param ctx       private to write away
- * \param buf       buffer to write to
- * \param size      size of the buffer
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
  *
  * \return          0 if successful, or a specific error code
  */
@@ -575,7 +807,8 @@ int mbedtls_pk_write_key_pem(mbedtls_pk_context *ctx, unsigned char *buf, size_t
  *
  * \param p         the position in the ASN.1 data
  * \param end       end of the buffer
- * \param pk        the key to fill
+ * \param pk        The PK context to fill. It must have been initialized
+ *                  but not set up.
  *
  * \return          0 if successful, or a specific PK error code
  */
@@ -590,7 +823,7 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
  *
  * \param p         reference to current position pointer
  * \param start     start of the buffer (for bounds-checking)
- * \param key       public key to write away
+ * \param key       PK context which must contain a valid public or private key.
  *
  * \return          the length written or a negative error code
  */
@@ -606,6 +839,32 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
 int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief           Turn an EC key into an opaque one.
+ *
+ * \warning         This is a temporary utility function for tests. It might
+ *                  change or be removed at any time without notice.
+ *
+ * \note            Only ECDSA keys are supported so far. Signing with the
+ *                  specified hash is the only allowed use of that key.
+ *
+ * \param pk        Input: the EC key to import to a PSA key.
+ *                  Output: a PK context wrapping that PSA key.
+ * \param key       Output: a PSA key identifier.
+ *                  It's the caller's responsibility to call
+ *                  psa_destroy_key() on that key identifier after calling
+ *                  mbedtls_pk_free() on the PK context.
+ * \param hash_alg  The hash algorithm to allow for use with that key.
+ *
+ * \return          \c 0 if successful.
+ * \return          An Mbed TLS error code otherwise.
+ */
+int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
+                              psa_key_id_t *key,
+                              psa_algorithm_t hash_alg);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/pk_internal.h b/common/mbedtls/pk_internal.h
index 009b976ea..7c13c8020 100644
--- a/common/mbedtls/pk_internal.h
+++ b/common/mbedtls/pk_internal.h
@@ -4,36 +4,32 @@
  * \brief Public Key abstraction layer: wrapper functions
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 #ifndef MBEDTLS_PK_WRAP_H
 #define MBEDTLS_PK_WRAP_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "pk.h"
+#include "mbedtls/pk.h"
 
 struct mbedtls_pk_info_t {
     /** Public key type */
@@ -60,6 +56,21 @@ struct mbedtls_pk_info_t {
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng);
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Verify signature (restartable) */
+    int (*verify_rs_func)(void *ctx, mbedtls_md_type_t md_alg,
+                          const unsigned char *hash, size_t hash_len,
+                          const unsigned char *sig, size_t sig_len,
+                          void *rs_ctx);
+
+    /** Make signature (restartable) */
+    int (*sign_rs_func)(void *ctx, mbedtls_md_type_t md_alg,
+                        const unsigned char *hash, size_t hash_len,
+                        unsigned char *sig, size_t *sig_len,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng, void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     /** Decrypt message */
     int (*decrypt_func)(void *ctx, const unsigned char *input, size_t ilen,
                         unsigned char *output, size_t *olen, size_t osize,
@@ -81,6 +92,14 @@ struct mbedtls_pk_info_t {
     /** Free the given context */
     void (*ctx_free_func)(void *ctx);
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Allocate the restart context */
+    void *(*rs_alloc_func)(void);
+
+    /** Free the restart context */
+    void (*rs_free_func)(void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     /** Interface with the debug module */
     void (*debug_func)(const void *ctx, mbedtls_pk_debug_item *items);
 
@@ -112,4 +131,8 @@ extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
 extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+extern const mbedtls_pk_info_t mbedtls_pk_opaque_info;
+#endif
+
 #endif /* MBEDTLS_PK_WRAP_H */
diff --git a/common/mbedtls/pk_wrap.c b/common/mbedtls/pk_wrap.c
index e83cbeac5..b2057037e 100644
--- a/common/mbedtls/pk_wrap.c
+++ b/common/mbedtls/pk_wrap.c
@@ -1,34 +1,27 @@
 /*
  *  Public Key abstraction layer: wrapper functions
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PK_C)
 #include "mbedtls/pk_internal.h"
+#include "mbedtls/error.h"
 
 /* Even if RSA not activated, for the sake of RSA-alt */
 #include "mbedtls/rsa.h"
@@ -43,10 +36,20 @@
 #include "mbedtls/ecdsa.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/asn1write.h"
+#endif
+
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 #include "mbedtls/platform_util.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#include "mbedtls/asn1.h"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -72,7 +75,7 @@ static size_t rsa_get_bitlen(const void *ctx) {
 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
                            const unsigned char *hash, size_t hash_len,
                            const unsigned char *sig, size_t sig_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
     size_t rsa_len = mbedtls_rsa_get_len(rsa);
 
@@ -182,11 +185,19 @@ const mbedtls_pk_info_t mbedtls_rsa_info = {
     rsa_can_do,
     rsa_verify_wrap,
     rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_decrypt_wrap,
     rsa_encrypt_wrap,
     rsa_check_pair_wrap,
     rsa_alloc_wrap,
     rsa_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_debug,
 };
 #endif /* MBEDTLS_RSA_C */
@@ -219,7 +230,7 @@ static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
 static int eckey_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
                              const unsigned char *hash, size_t hash_len,
                              const unsigned char *sig, size_t sig_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecdsa_context ecdsa;
 
     mbedtls_ecdsa_init(&ecdsa);
@@ -236,7 +247,7 @@ static int eckey_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
                            const unsigned char *hash, size_t hash_len,
                            unsigned char *sig, size_t *sig_len,
                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecdsa_context ecdsa;
 
     mbedtls_ecdsa_init(&ecdsa);
@@ -250,6 +261,104 @@ static int eckey_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
     return (ret);
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                                const unsigned char *hash, size_t hash_len,
+                                const unsigned char *sig, size_t sig_len,
+                                void *rs_ctx);
+
+static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                              const unsigned char *hash, size_t hash_len,
+                              unsigned char *sig, size_t *sig_len,
+                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                              void *rs_ctx);
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct {
+    mbedtls_ecdsa_restart_ctx ecdsa_rs;
+    mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc(void) {
+    eckey_restart_ctx *rs_ctx;
+
+    void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
+
+    if (ctx != NULL) {
+        rs_ctx = ctx;
+        mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
+        mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
+    }
+
+    return (ctx);
+}
+
+static void eckey_rs_free(void *ctx) {
+    eckey_restart_ctx *rs_ctx;
+
+    if (ctx == NULL)
+        return;
+
+    rs_ctx = ctx;
+    mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
+    mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
+
+    mbedtls_free(ctx);
+}
+
+static int eckey_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                                const unsigned char *hash, size_t hash_len,
+                                const unsigned char *sig, size_t sig_len,
+                                void *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if (rs == NULL)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if (rs->ecdsa_ctx.grp.pbits == 0)
+        MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
+
+    MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(&rs->ecdsa_ctx,
+                                         md_alg, hash, hash_len,
+                                         sig, sig_len, &rs->ecdsa_rs));
+
+cleanup:
+    return (ret);
+}
+
+static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                              const unsigned char *hash, size_t hash_len,
+                              unsigned char *sig, size_t *sig_len,
+                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                              void *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if (rs == NULL)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if (rs->ecdsa_ctx.grp.pbits == 0)
+        MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
+
+    MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(&rs->ecdsa_ctx, md_alg,
+                                       hash, hash_len, sig, sig_len,
+                                       f_rng, p_rng, &rs->ecdsa_rs));
+
+cleanup:
+    return (ret);
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_ECDSA_C */
 
 static int eckey_check_pair(const void *pub, const void *prv) {
@@ -285,15 +394,23 @@ const mbedtls_pk_info_t mbedtls_eckey_info = {
 #if defined(MBEDTLS_ECDSA_C)
     eckey_verify_wrap,
     eckey_sign_wrap,
-#else
-    NULL,
-    NULL,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_verify_rs_wrap,
+    eckey_sign_rs_wrap,
 #endif
+#else /* MBEDTLS_ECDSA_C */
+    NULL,
+    NULL,
+#endif /* MBEDTLS_ECDSA_C */
     NULL,
     NULL,
     eckey_check_pair,
     eckey_alloc_wrap,
     eckey_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_rs_alloc,
+    eckey_rs_free,
+#endif
     eckey_debug,
 };
 
@@ -312,11 +429,19 @@ const mbedtls_pk_info_t mbedtls_eckeydh_info = {
     eckeydh_can_do,
     NULL,
     NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     NULL,
     NULL,
     eckey_check_pair,
     eckey_alloc_wrap,       /* Same underlying key structure */
     eckey_free_wrap,        /* Same underlying key structure */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     eckey_debug,            /* Same underlying key structure */
 };
 #endif /* MBEDTLS_ECP_C */
@@ -326,10 +451,142 @@ static int ecdsa_can_do(mbedtls_pk_type_t type) {
     return (type == MBEDTLS_PK_ECDSA);
 }
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
+ * those integers and convert it to the fixed-length encoding expected by PSA.
+ */
+static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
+                                 unsigned char *to, size_t to_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t unpadded_len, padding_len;
+
+    if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
+                                    MBEDTLS_ASN1_INTEGER)) != 0) {
+        return (ret);
+    }
+
+    while (unpadded_len > 0 && **from == 0x00) {
+        (*from)++;
+        unpadded_len--;
+    }
+
+    if (unpadded_len > to_len || unpadded_len == 0)
+        return (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    padding_len = to_len - unpadded_len;
+    memset(to, 0x00, padding_len);
+    memcpy(to + padding_len, *from, unpadded_len);
+    (*from) += unpadded_len;
+
+    return (0);
+}
+
+/*
+ * Convert a signature from an ASN.1 sequence of two integers
+ * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
+ * twice as big as int_size.
+ */
+static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
+                             unsigned char *sig, size_t int_size) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t tmp_size;
+
+    if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+        return (ret);
+
+    /* Extract r */
+    if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0)
+        return (ret);
+    /* Extract s */
+    if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
+                             const unsigned char *hash, size_t hash_len,
+                             const unsigned char *sig, size_t sig_len) {
+    mbedtls_ecdsa_context *ctx = ctx_arg;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_id_t key_id = 0;
+    psa_status_t status;
+    mbedtls_pk_context key;
+    int key_len;
+    /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */
+    unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
+    unsigned char *p;
+    mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
+    psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
+    size_t curve_bits;
+    psa_ecc_family_t curve =
+        mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
+    const size_t signature_part_size = (ctx->grp.nbits + 7) / 8;
+    ((void) md_alg);
+
+    if (curve == 0)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    /* mbedtls_pk_write_pubkey() expects a full PK context;
+     * re-construct one to make it happy */
+    key.pk_info = &pk_info;
+    key.pk_ctx = ctx;
+    p = buf + sizeof(buf);
+    key_len = mbedtls_pk_write_pubkey(&p, buf, &key);
+    if (key_len <= 0)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&attributes, psa_sig_md);
+
+    status = psa_import_key(&attributes,
+                            buf + sizeof(buf) - key_len, key_len,
+                            &key_id);
+    if (status != PSA_SUCCESS) {
+        ret = mbedtls_psa_err_translate_pk(status);
+        goto cleanup;
+    }
+
+    /* We don't need the exported key anymore and can
+     * reuse its buffer for signature extraction. */
+    if (2 * signature_part_size > sizeof(buf)) {
+        ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    p = (unsigned char *) sig;
+    if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf,
+                                 signature_part_size)) != 0) {
+        goto cleanup;
+    }
+
+    if (psa_verify_hash(key_id, psa_sig_md,
+                        hash, hash_len,
+                        buf, 2 * signature_part_size)
+            != PSA_SUCCESS) {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    if (p != sig + sig_len) {
+        ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+        goto cleanup;
+    }
+    ret = 0;
+
+cleanup:
+    psa_destroy_key(key_id);
+    return (ret);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
                              const unsigned char *hash, size_t hash_len,
                              const unsigned char *sig, size_t sig_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     ((void) md_alg);
 
     ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) ctx,
@@ -340,6 +597,7 @@ static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
 
     return (ret);
 }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
                            const unsigned char *hash, size_t hash_len,
@@ -349,6 +607,38 @@ static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
                                           md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng));
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                                const unsigned char *hash, size_t hash_len,
+                                const unsigned char *sig, size_t sig_len,
+                                void *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature_restartable(
+              (mbedtls_ecdsa_context *) ctx,
+              hash, hash_len, sig, sig_len,
+              (mbedtls_ecdsa_restart_ctx *) rs_ctx);
+
+    if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH)
+        return (MBEDTLS_ERR_PK_SIG_LEN_MISMATCH);
+
+    return (ret);
+}
+
+static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                              const unsigned char *hash, size_t hash_len,
+                              unsigned char *sig, size_t *sig_len,
+                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                              void *rs_ctx) {
+    return (mbedtls_ecdsa_write_signature_restartable(
+                (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
+                (mbedtls_ecdsa_restart_ctx *) rs_ctx));
+
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 static void *ecdsa_alloc_wrap(void) {
     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_context));
 
@@ -363,6 +653,22 @@ static void ecdsa_free_wrap(void *ctx) {
     mbedtls_free(ctx);
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static void *ecdsa_rs_alloc(void) {
+    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
+
+    if (ctx != NULL)
+        mbedtls_ecdsa_restart_init(ctx);
+
+    return (ctx);
+}
+
+static void ecdsa_rs_free(void *ctx) {
+    mbedtls_ecdsa_restart_free(ctx);
+    mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
     MBEDTLS_PK_ECDSA,
     "ECDSA",
@@ -370,11 +676,19 @@ const mbedtls_pk_info_t mbedtls_ecdsa_info = {
     ecdsa_can_do,
     ecdsa_verify_wrap,
     ecdsa_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_verify_rs_wrap,
+    ecdsa_sign_rs_wrap,
+#endif
     NULL,
     NULL,
     eckey_check_pair,   /* Compatible key structures */
     ecdsa_alloc_wrap,
     ecdsa_free_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_rs_alloc,
+    ecdsa_rs_free,
+#endif
     eckey_debug,        /* Compatible key structures */
 };
 #endif /* MBEDTLS_ECDSA_C */
@@ -406,6 +720,8 @@ static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
 #endif /* SIZE_MAX > UINT_MAX */
 
     *sig_len = rsa_alt->key_len_func(rsa_alt->key);
+    if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
 
     return (rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
                                md_alg, (unsigned int) hash_len, hash, sig));
@@ -432,7 +748,7 @@ static int rsa_alt_check_pair(const void *pub, const void *prv) {
     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
     unsigned char hash[32];
     size_t sig_len = 0;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub))
         return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
@@ -475,6 +791,10 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
     rsa_alt_can_do,
     NULL,
     rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_alt_decrypt_wrap,
     NULL,
 #if defined(MBEDTLS_RSA_C)
@@ -484,9 +804,204 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
 #endif
     rsa_alt_alloc_wrap,
     rsa_alt_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     NULL,
 };
 
 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+static void *pk_opaque_alloc_wrap(void) {
+    void *ctx = mbedtls_calloc(1, sizeof(psa_key_id_t));
+
+    /* no _init() function to call, an calloc() already zeroized */
+
+    return (ctx);
+}
+
+static void pk_opaque_free_wrap(void *ctx) {
+    mbedtls_platform_zeroize(ctx, sizeof(psa_key_id_t));
+    mbedtls_free(ctx);
+}
+
+static size_t pk_opaque_get_bitlen(const void *ctx) {
+    const psa_key_id_t *key = (const psa_key_id_t *) ctx;
+    size_t bits;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+    if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes))
+        return (0);
+
+    bits = psa_get_key_bits(&attributes);
+    psa_reset_key_attributes(&attributes);
+    return (bits);
+}
+
+static int pk_opaque_can_do(mbedtls_pk_type_t type) {
+    /* For now opaque PSA keys can only wrap ECC keypairs,
+     * as checked by setup_psa().
+     * Also, ECKEY_DH does not really make sense with the current API. */
+    return (type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECDSA);
+}
+
+#if defined(MBEDTLS_ECDSA_C)
+
+/*
+ * Simultaneously convert and move raw MPI from the beginning of a buffer
+ * to an ASN.1 MPI at the end of the buffer.
+ * See also mbedtls_asn1_write_mpi().
+ *
+ * p: pointer to the end of the output buffer
+ * start: start of the output buffer, and also of the mpi to write at the end
+ * n_len: length of the mpi to read from start
+ */
+static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
+                             size_t n_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+
+    if ((size_t)(*p - start) < n_len)
+        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+
+    len = n_len;
+    *p -= len;
+    memmove(*p, start, len);
+
+    /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
+     * Neither r nor s should be 0, but as a failsafe measure, still detect
+     * that rather than overflowing the buffer in case of a PSA error. */
+    while (len > 0 && **p == 0x00) {
+        ++(*p);
+        --len;
+    }
+
+    /* this is only reached if the signature was invalid */
+    if (len == 0)
+        return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
+
+    /* if the msb is 1, ASN.1 requires that we prepend a 0.
+     * Neither r nor s can be 0, so we can assume len > 0 at all times. */
+    if (**p & 0x80) {
+        if (*p - start < 1)
+            return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+                                                     MBEDTLS_ASN1_INTEGER));
+
+    return ((int) len);
+}
+
+/* Transcode signature from PSA format to ASN.1 sequence.
+ * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
+ * MPIs, and in-place.
+ *
+ * [in/out] sig: the signature pre- and post-transcoding
+ * [in/out] sig_len: signature length pre- and post-transcoding
+ * [int] buf_len: the available size the in/out buffer
+ */
+static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
+                                      size_t buf_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+    const size_t rs_len = *sig_len / 2;
+    unsigned char *p = sig + buf_len;
+
+    MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
+    MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
+                                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+    memmove(sig, p, len);
+    *sig_len = len;
+
+    return (0);
+}
+
+#endif /* MBEDTLS_ECDSA_C */
+
+static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
+                               const unsigned char *hash, size_t hash_len,
+                               unsigned char *sig, size_t *sig_len,
+                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
+#if !defined(MBEDTLS_ECDSA_C)
+    ((void) ctx);
+    ((void) md_alg);
+    ((void) hash);
+    ((void) hash_len);
+    ((void) sig);
+    ((void) sig_len);
+    ((void) f_rng);
+    ((void) p_rng);
+    return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+#else /* !MBEDTLS_ECDSA_C */
+    const psa_key_id_t *key = (const psa_key_id_t *) ctx;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_algorithm_t alg = PSA_ALG_ECDSA(mbedtls_psa_translate_md(md_alg));
+    size_t buf_len;
+    psa_status_t status;
+
+    /* PSA has its own RNG */
+    (void) f_rng;
+    (void) p_rng;
+
+    /* PSA needs an output buffer of known size, but our API doesn't provide
+     * that information. Assume that the buffer is large enough for a
+     * maximal-length signature with that key (otherwise the application is
+     * buggy anyway). */
+    status = psa_get_key_attributes(*key, &attributes);
+    if (status != PSA_SUCCESS)
+        return (mbedtls_psa_err_translate_pk(status));
+    buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN(psa_get_key_bits(&attributes));
+    psa_reset_key_attributes(&attributes);
+    if (buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE)
+        return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+    /* make the signature */
+    status = psa_sign_hash(*key, alg, hash, hash_len,
+                           sig, buf_len, sig_len);
+    if (status != PSA_SUCCESS)
+        return (mbedtls_psa_err_translate_pk(status));
+
+    /* transcode it to ASN.1 sequence */
+    return (pk_ecdsa_sig_asn1_from_psa(sig, sig_len, buf_len));
+#endif /* !MBEDTLS_ECDSA_C */
+}
+
+const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
+    MBEDTLS_PK_OPAQUE,
+    "Opaque",
+    pk_opaque_get_bitlen,
+    pk_opaque_can_do,
+    NULL, /* verify - will be done later */
+    pk_opaque_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL, /* restartable verify - not relevant */
+    NULL, /* restartable sign - not relevant */
+#endif
+    NULL, /* decrypt - will be done later */
+    NULL, /* encrypt - will be done later */
+    NULL, /* check_pair - could be done later or left NULL */
+    pk_opaque_alloc_wrap,
+    pk_opaque_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL, /* restart alloc - not relevant */
+    NULL, /* restart free - not relevant */
+#endif
+    NULL, /* debug - could be done later, or even left NULL */
+};
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #endif /* MBEDTLS_PK_C */
diff --git a/common/mbedtls/pkcs11.c b/common/mbedtls/pkcs11.c
new file mode 100644
index 000000000..297ec8720
--- /dev/null
+++ b/common/mbedtls/pkcs11.c
@@ -0,0 +1,221 @@
+/**
+ * \file pkcs11.c
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "mbedtls/pkcs11.h"
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/x509_crt.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+void mbedtls_pkcs11_init(mbedtls_pkcs11_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_pkcs11_context));
+}
+
+int mbedtls_pkcs11_x509_cert_bind(mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert) {
+    int ret = 1;
+    unsigned char *cert_blob = NULL;
+    size_t cert_blob_size = 0;
+
+    if (cert == NULL) {
+        ret = 2;
+        goto cleanup;
+    }
+
+    if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL,
+                                               &cert_blob_size) != CKR_OK) {
+        ret = 3;
+        goto cleanup;
+    }
+
+    cert_blob = mbedtls_calloc(1, cert_blob_size);
+    if (NULL == cert_blob) {
+        ret = 4;
+        goto cleanup;
+    }
+
+    if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
+                                               &cert_blob_size) != CKR_OK) {
+        ret = 5;
+        goto cleanup;
+    }
+
+    if (0 != mbedtls_x509_crt_parse(cert, cert_blob, cert_blob_size)) {
+        ret = 6;
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    if (NULL != cert_blob)
+        mbedtls_free(cert_blob);
+
+    return (ret);
+}
+
+
+int mbedtls_pkcs11_priv_key_bind(mbedtls_pkcs11_context *priv_key,
+                                 pkcs11h_certificate_t pkcs11_cert) {
+    int ret = 1;
+    mbedtls_x509_crt cert;
+
+    mbedtls_x509_crt_init(&cert);
+
+    if (priv_key == NULL)
+        goto cleanup;
+
+    if (0 != mbedtls_pkcs11_x509_cert_bind(&cert, pkcs11_cert))
+        goto cleanup;
+
+    priv_key->len = mbedtls_pk_get_len(&cert.pk);
+    priv_key->pkcs11h_cert = pkcs11_cert;
+
+    ret = 0;
+
+cleanup:
+    mbedtls_x509_crt_free(&cert);
+
+    return (ret);
+}
+
+void mbedtls_pkcs11_priv_key_free(mbedtls_pkcs11_context *priv_key) {
+    if (NULL != priv_key)
+        pkcs11h_certificate_freeCertificate(priv_key->pkcs11h_cert);
+}
+
+int mbedtls_pkcs11_decrypt(mbedtls_pkcs11_context *ctx,
+                           int mode, size_t *olen,
+                           const unsigned char *input,
+                           unsigned char *output,
+                           size_t output_max_len) {
+    size_t input_len, output_len;
+
+    if (NULL == ctx)
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+    if (MBEDTLS_RSA_PRIVATE != mode)
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+    output_len = input_len = ctx->len;
+
+    if (input_len < 16 || input_len > output_max_len)
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+    /* Determine size of output buffer */
+    if (pkcs11h_certificate_decryptAny(ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+                                       input_len, NULL, &output_len) != CKR_OK) {
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    }
+
+    if (output_len > output_max_len)
+        return (MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE);
+
+    if (pkcs11h_certificate_decryptAny(ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+                                       input_len, output, &output_len) != CKR_OK) {
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    }
+    *olen = output_len;
+    return (0);
+}
+
+int mbedtls_pkcs11_sign(mbedtls_pkcs11_context *ctx,
+                        int mode,
+                        mbedtls_md_type_t md_alg,
+                        unsigned int hashlen,
+                        const unsigned char *hash,
+                        unsigned char *sig) {
+    size_t sig_len = 0, asn_len = 0, oid_size = 0;
+    unsigned char *p = sig;
+    const char *oid;
+
+    if (NULL == ctx)
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+    if (MBEDTLS_RSA_PRIVATE != mode)
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+    if (md_alg != MBEDTLS_MD_NONE) {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
+        if (md_info == NULL)
+            return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+        if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0)
+            return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
+        hashlen = mbedtls_md_get_size(md_info);
+        asn_len = 10 + oid_size;
+    }
+
+    sig_len = ctx->len;
+    if (hashlen > sig_len || asn_len > sig_len ||
+            hashlen + asn_len > sig_len) {
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    }
+
+    if (md_alg != MBEDTLS_MD_NONE) {
+        /*
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm DigestAlgorithmIdentifier,
+         *   digest Digest }
+         *
+         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+         *
+         * Digest ::= OCTET STRING
+         */
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char)(0x08 + oid_size + hashlen);
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char)(0x04 + oid_size);
+        *p++ = MBEDTLS_ASN1_OID;
+        *p++ = oid_size & 0xFF;
+        memcpy(p, oid, oid_size);
+        p += oid_size;
+        *p++ = MBEDTLS_ASN1_NULL;
+        *p++ = 0x00;
+        *p++ = MBEDTLS_ASN1_OCTET_STRING;
+        *p++ = hashlen;
+    }
+
+    memcpy(p, hash, hashlen);
+
+    if (pkcs11h_certificate_signAny(ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
+                                    asn_len + hashlen, sig, &sig_len) != CKR_OK) {
+        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    }
+
+    return (0);
+}
+
+#endif /* defined(MBEDTLS_PKCS11_C) */
diff --git a/common/mbedtls/pkcs11.h b/common/mbedtls/pkcs11.h
new file mode 100644
index 000000000..1f864a515
--- /dev/null
+++ b/common/mbedtls/pkcs11.h
@@ -0,0 +1,242 @@
+/**
+ * \file pkcs11.h
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_PKCS11_H
+#define MBEDTLS_PKCS11_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "mbedtls/x509_crt.h"
+
+#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+
+/**
+ * Context for PKCS #11 private keys.
+ */
+typedef struct mbedtls_pkcs11_context {
+    pkcs11h_certificate_t pkcs11h_cert;
+    int len;
+} mbedtls_pkcs11_context;
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * Initialize a mbedtls_pkcs11_context.
+ * (Just making memory references valid.)
+ *
+ * \deprecated          This function is deprecated and will be removed in a
+ *                      future version of the library.
+ */
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_init(mbedtls_pkcs11_context *ctx);
+
+/**
+ * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
+ *
+ * \deprecated          This function is deprecated and will be removed in a
+ *                      future version of the library.
+ *
+ * \param cert          X.509 certificate to fill
+ * \param pkcs11h_cert  PKCS #11 helper certificate
+ *
+ * \return              0 on success.
+ */
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind(mbedtls_x509_crt *cert,
+                                                     pkcs11h_certificate_t pkcs11h_cert);
+
+/**
+ * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
+ * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
+ * done.
+ *
+ * \deprecated          This function is deprecated and will be removed in a
+ *                      future version of the library.
+ *
+ * \param priv_key      Private key structure to fill.
+ * \param pkcs11_cert   PKCS #11 helper certificate
+ *
+ * \return              0 on success
+ */
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
+    mbedtls_pkcs11_context *priv_key,
+    pkcs11h_certificate_t pkcs11_cert);
+
+/**
+ * Free the contents of the given private key context. Note that the structure
+ * itself is not freed.
+ *
+ * \deprecated          This function is deprecated and will be removed in a
+ *                      future version of the library.
+ *
+ * \param priv_key      Private key structure to cleanup
+ */
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
+    mbedtls_pkcs11_context *priv_key);
+
+/**
+ * \brief          Do an RSA private key decrypt, then remove the message
+ *                 padding
+ *
+ * \deprecated     This function is deprecated and will be removed in a future
+ *                 version of the library.
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param input    buffer holding the encrypted data
+ * \param output   buffer that will hold the plaintext
+ * \param olen     will contain the plaintext length
+ * \param output_max_len    maximum length of the output buffer
+ *
+ * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
+ *                 an error is thrown.
+ */
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt(mbedtls_pkcs11_context *ctx,
+                                              int mode, size_t *olen,
+                                              const unsigned char *input,
+                                              unsigned char *output,
+                                              size_t output_max_len);
+
+/**
+ * \brief          Do a private RSA to sign a message digest
+ *
+ * \deprecated     This function is deprecated and will be removed in a future
+ *                 version of the library.
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
+ * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
+ * \param hash     buffer holding the message digest
+ * \param sig      buffer that will hold the ciphertext
+ *
+ * \return         0 if the signing operation was successful,
+ *                 or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The "sig" buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ */
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign(mbedtls_pkcs11_context *ctx,
+                                           int mode,
+                                           mbedtls_md_type_t md_alg,
+                                           unsigned int hashlen,
+                                           const unsigned char *hash,
+                                           unsigned char *sig);
+
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ *
+ * \deprecated     This function is deprecated and will be removed in a future
+ *                 version of the library.
+ */
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt(void *ctx,
+        int mode, size_t *olen,
+        const unsigned char *input, unsigned char *output,
+        size_t output_max_len) {
+    return mbedtls_pkcs11_decrypt((mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
+                                  output_max_len);
+}
+
+/**
+ * \brief          This function signs a message digest using RSA.
+ *
+ * \deprecated     This function is deprecated and will be removed in a future
+ *                 version of the library.
+ *
+ * \param ctx      The PKCS #11 context.
+ * \param f_rng    The RNG function. This parameter is unused.
+ * \param p_rng    The RNG context. This parameter is unused.
+ * \param mode     The operation to run. This must be set to
+ *                 MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
+ *                 signature.
+ * \param md_alg   The message digest algorithm. One of the MBEDTLS_MD_XXX
+ *                 must be passed to this function and MBEDTLS_MD_NONE can be
+ *                 used for signing raw data.
+ * \param hashlen  The message digest length (for MBEDTLS_MD_NONE only).
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer that will hold the ciphertext.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         A non-zero error code on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size of
+ *                 <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
+ *                 used.
+ */
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign(void *ctx,
+        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+        int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+        const unsigned char *hash, unsigned char *sig) {
+    ((void) f_rng);
+    ((void) p_rng);
+    return mbedtls_pkcs11_sign((mbedtls_pkcs11_context *) ctx, mode, md_alg,
+                               hashlen, hash, sig);
+}
+
+/**
+ * This function gets the length of the private key.
+ *
+ * \deprecated     This function is deprecated and will be removed in a future
+ *                 version of the library.
+ *
+ * \param ctx      The PKCS #11 context.
+ *
+ * \return         The length of the private key.
+ */
+MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len(void *ctx) {
+    return ((mbedtls_pkcs11_context *) ctx)->len;
+}
+
+#undef MBEDTLS_DEPRECATED
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PKCS11_C */
+
+#endif /* MBEDTLS_PKCS11_H */
diff --git a/common/mbedtls/pkcs12.c b/common/mbedtls/pkcs12.c
index eb15881be..78523b83e 100644
--- a/common/mbedtls/pkcs12.c
+++ b/common/mbedtls/pkcs12.c
@@ -1,24 +1,20 @@
 /*
  *  PKCS#12 Personal Information Exchange Syntax
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The PKCS #12 Personal Information Exchange Syntax Standard v1.1
@@ -27,11 +23,7 @@
  *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PKCS12_C)
 
@@ -39,6 +31,7 @@
 #include "mbedtls/asn1.h"
 #include "mbedtls/cipher.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -50,9 +43,11 @@
 #include "mbedtls/des.h"
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
 static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
                                    mbedtls_asn1_buf *salt, int *iterations) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char **p = &params->p;
     const unsigned char *end = params->p + params->len;
 
@@ -140,7 +135,7 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
     ((void) output);
     return (MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE);
 #else
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char key[16];
     mbedtls_arc4_context ctx;
     ((void) mode);
@@ -219,6 +214,8 @@ exit:
     return (ret);
 }
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
                                const unsigned char *filler, size_t fill_len) {
     unsigned char *p = data;
@@ -236,7 +233,7 @@ int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
                               const unsigned char *pwd, size_t pwdlen,
                               const unsigned char *salt, size_t saltlen,
                               mbedtls_md_type_t md_type, int id, int iterations) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned int j;
 
     unsigned char diversifier[128];
diff --git a/common/mbedtls/pkcs12.h b/common/mbedtls/pkcs12.h
index 917eaceb4..448410e71 100644
--- a/common/mbedtls/pkcs12.h
+++ b/common/mbedtls/pkcs12.h
@@ -4,31 +4,33 @@
  * \brief PKCS#12 Personal Information Exchange Syntax
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H
 
-#include "md.h"
-#include "cipher.h"
-#include "asn1.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/asn1.h"
 
 #include <stddef.h>
 
@@ -48,6 +50,8 @@
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
 /**
  * \brief            PKCS12 Password Based function (encryption / decryption)
  *                   for pbeWithSHAAnd128BitRC4
@@ -89,6 +93,8 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
                        const unsigned char *input, size_t len,
                        unsigned char *output);
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 /**
  * \brief            The PKCS#12 derivation function uses a password and a salt
  *                   to produce pseudo-random bits for a particular "purpose".
diff --git a/common/mbedtls/pkcs5.c b/common/mbedtls/pkcs5.c
index 1dd2478ef..72d06d05d 100644
--- a/common/mbedtls/pkcs5.c
+++ b/common/mbedtls/pkcs5.c
@@ -5,24 +5,20 @@
  *
  * \author Mathias Olsson <mathias@kompetensum.com>
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  * PKCS#5 includes PBKDF2 and more
@@ -31,15 +27,12 @@
  * http://tools.ietf.org/html/rfc6070 (Test vectors)
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PKCS5_C)
 
 #include "mbedtls/pkcs5.h"
+#include "mbedtls/error.h"
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
 #include "mbedtls/asn1.h"
@@ -56,25 +49,11 @@
 #define mbedtls_printf printf
 #endif
 
-#if !defined(MBEDTLS_ASN1_PARSE_C)
-int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
-                        const unsigned char *pwd,  size_t pwdlen,
-                        const unsigned char *data, size_t datalen,
-                        unsigned char *output) {
-    ((void) pbe_params);
-    ((void) mode);
-    ((void) pwd);
-    ((void) pwdlen);
-    ((void) data);
-    ((void) datalen);
-    ((void) output);
-    return (MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE);
-}
-#else
+#if defined(MBEDTLS_ASN1_PARSE_C)
 static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
                                      mbedtls_asn1_buf *salt, int *iterations,
                                      int *keylen, mbedtls_md_type_t *md_type) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_asn1_buf prf_alg_oid;
     unsigned char *p = params->p;
     const unsigned char *end = params->p + params->len;
@@ -91,7 +70,8 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
      *  }
      *
      */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0)
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len,
+                                    MBEDTLS_ASN1_OCTET_STRING)) != 0)
         return (MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret);
 
     salt->p = p;
@@ -154,7 +134,8 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
         return (MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
 
-    if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid, &kdf_alg_params)) != 0)
+    if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid,
+                                    &kdf_alg_params)) != 0)
         return (MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret);
 
     // Only PBKDF2 supported at the moment
@@ -211,7 +192,8 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
     if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0)
         goto exit;
 
-    if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode)) != 0)
+    if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
+                                     (mbedtls_operation_t) mode)) != 0)
         goto exit;
 
     if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
@@ -226,11 +208,13 @@ exit:
 }
 #endif /* MBEDTLS_ASN1_PARSE_C */
 
-int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *password,
+int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+                              const unsigned char *password,
                               size_t plen, const unsigned char *salt, size_t slen,
                               unsigned int iteration_count,
                               uint32_t key_length, unsigned char *output) {
-    int ret, j;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int j;
     unsigned int i;
     unsigned char md1[MBEDTLS_MD_MAX_SIZE];
     unsigned char work[MBEDTLS_MD_MAX_SIZE];
@@ -247,34 +231,36 @@ int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *pa
         return (MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA);
 #endif
 
+    if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0)
+        return (ret);
     while (key_length) {
         // U1 ends up in work
         //
-        if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0)
-            return (ret);
-
         if ((ret = mbedtls_md_hmac_update(ctx, salt, slen)) != 0)
-            return (ret);
+            goto cleanup;
 
         if ((ret = mbedtls_md_hmac_update(ctx, counter, 4)) != 0)
-            return (ret);
+            goto cleanup;
 
         if ((ret = mbedtls_md_hmac_finish(ctx, work)) != 0)
-            return (ret);
+            goto cleanup;
+
+        if ((ret = mbedtls_md_hmac_reset(ctx)) != 0)
+            goto cleanup;
 
         memcpy(md1, work, md_size);
 
         for (i = 1; i < iteration_count; i++) {
             // U2 ends up in md1
             //
-            if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0)
-                return (ret);
-
             if ((ret = mbedtls_md_hmac_update(ctx, md1, md_size)) != 0)
-                return (ret);
+                goto cleanup;
 
             if ((ret = mbedtls_md_hmac_finish(ctx, md1)) != 0)
-                return (ret);
+                goto cleanup;
+
+            if ((ret = mbedtls_md_hmac_reset(ctx)) != 0)
+                goto cleanup;
 
             // U1 xor U2
             //
@@ -293,7 +279,12 @@ int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *pa
                 break;
     }
 
-    return (0);
+cleanup:
+    /* Zeroise buffers to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(work, MBEDTLS_MD_MAX_SIZE);
+    mbedtls_platform_zeroize(md1, MBEDTLS_MD_MAX_SIZE);
+
+    return (ret);
 }
 
 #if defined(MBEDTLS_SELF_TEST)
@@ -309,10 +300,10 @@ int mbedtls_pkcs5_self_test(int verbose) {
 
 #define MAX_TESTS   6
 
-static const size_t plen[MAX_TESTS] =
+static const size_t plen_test_data[MAX_TESTS] =
 { 8, 8, 8, 24, 9 };
 
-static const unsigned char password[MAX_TESTS][32] = {
+static const unsigned char password_test_data[MAX_TESTS][32] = {
     "password",
     "password",
     "password",
@@ -320,10 +311,10 @@ static const unsigned char password[MAX_TESTS][32] = {
     "pass\0word",
 };
 
-static const size_t slen[MAX_TESTS] =
+static const size_t slen_test_data[MAX_TESTS] =
 { 4, 4, 4, 36, 5 };
 
-static const unsigned char salt[MAX_TESTS][40] = {
+static const unsigned char salt_test_data[MAX_TESTS][40] = {
     "salt",
     "salt",
     "salt",
@@ -331,13 +322,13 @@ static const unsigned char salt[MAX_TESTS][40] = {
     "sa\0lt",
 };
 
-static const uint32_t it_cnt[MAX_TESTS] =
+static const uint32_t it_cnt_test_data[MAX_TESTS] =
 { 1, 2, 4096, 4096, 4096 };
 
-static const uint32_t key_len[MAX_TESTS] =
+static const uint32_t key_len_test_data[MAX_TESTS] =
 { 20, 20, 20, 25, 16 };
 
-static const unsigned char result_key[MAX_TESTS][32] = {
+static const unsigned char result_key_test_data[MAX_TESTS][32] = {
     {
         0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
         0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
@@ -388,10 +379,12 @@ int mbedtls_pkcs5_self_test(int verbose) {
         if (verbose != 0)
             mbedtls_printf("  PBKDF2 (SHA1) #%d: ", i);
 
-        ret = mbedtls_pkcs5_pbkdf2_hmac(&sha1_ctx, password[i], plen[i], salt[i],
-                                        slen[i], it_cnt[i], key_len[i], key);
+        ret = mbedtls_pkcs5_pbkdf2_hmac(&sha1_ctx, password_test_data[i],
+                                        plen_test_data[i], salt_test_data[i],
+                                        slen_test_data[i], it_cnt_test_data[i],
+                                        key_len_test_data[i], key);
         if (ret != 0 ||
-                memcmp(result_key[i], key, key_len[i]) != 0) {
+                memcmp(result_key_test_data[i], key, key_len_test_data[i]) != 0) {
             if (verbose != 0)
                 mbedtls_printf("failed\n");
 
diff --git a/common/mbedtls/pkcs5.h b/common/mbedtls/pkcs5.h
index c60f15834..db9f501dd 100644
--- a/common/mbedtls/pkcs5.h
+++ b/common/mbedtls/pkcs5.h
@@ -6,30 +6,32 @@
  * \author Mathias Olsson <mathias@kompetensum.com>
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H
 
-#include "asn1.h"
-#include "md.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/md.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -46,6 +48,8 @@
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
 /**
  * \brief          PKCS#5 PBES2 function
  *
@@ -64,6 +68,8 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
                         const unsigned char *data, size_t datalen,
                         unsigned char *output);
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 /**
  * \brief          PKCS#5 PBKDF2 using HMAC
  *
@@ -83,6 +89,8 @@ int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *pa
                               unsigned int iteration_count,
                               uint32_t key_length, unsigned char *output);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -90,6 +98,8 @@ int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *pa
  */
 int mbedtls_pkcs5_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/pkparse.c b/common/mbedtls/pkparse.c
index 9b1ded1b2..75222ffd7 100644
--- a/common/mbedtls/pkparse.c
+++ b/common/mbedtls/pkparse.c
@@ -1,31 +1,23 @@
 /*
  *  Public Key layer for parsing key files and structures
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PK_PARSE_C)
 
@@ -33,6 +25,7 @@
 #include "mbedtls/asn1.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -63,6 +56,12 @@
 #define mbedtls_free       free
 #endif
 
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_FS_IO)
 /*
  * Load all data from a file into a given buffer.
@@ -75,6 +74,10 @@ int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) {
     FILE *f;
     long size;
 
+    PK_VALIDATE_RET(path != NULL);
+    PK_VALIDATE_RET(buf != NULL);
+    PK_VALIDATE_RET(n != NULL);
+
     if ((f = fopen(path, "rb")) == NULL)
         return (MBEDTLS_ERR_PK_FILE_IO_ERROR);
 
@@ -117,10 +120,13 @@ int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) {
  */
 int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
                              const char *path, const char *pwd) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n;
     unsigned char *buf;
 
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET(path != NULL);
+
     if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0)
         return (ret);
 
@@ -140,10 +146,13 @@ int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
  * Load and parse a public key
  */
 int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n;
     unsigned char *buf;
 
+    PK_VALIDATE_RET(ctx != NULL);
+    PK_VALIDATE_RET(path != NULL);
+
     if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0)
         return (ret);
 
@@ -167,7 +176,7 @@ int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) {
  */
 static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
                            mbedtls_asn1_buf *params) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (end - *p < 1)
         return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
@@ -219,7 +228,7 @@ static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
  * We only support prime-field as field type, and ignore hash and cofactor.
  */
 static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p = params->p;
     const unsigned char *const end = params->p + params->len;
     const unsigned char *end_field, *end_curve;
@@ -400,7 +409,7 @@ cleanup:
  */
 static int pk_group_id_from_specified(const mbedtls_asn1_buf *params,
                                       mbedtls_ecp_group_id *grp_id) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_group grp;
 
     mbedtls_ecp_group_init(&grp);
@@ -426,7 +435,7 @@ cleanup:
  *   -- implicitCurve   NULL
  */
 static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecp_group_id grp_id;
 
     if (params->tag == MBEDTLS_ASN1_OID) {
@@ -462,7 +471,7 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *gr
  */
 static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
                            mbedtls_ecp_keypair *key) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q,
                                              (const unsigned char *) *p, end - *p)) == 0) {
@@ -488,7 +497,7 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
 static int pk_get_rsapubkey(unsigned char **p,
                             const unsigned char *end,
                             mbedtls_rsa_context *rsa) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
@@ -541,7 +550,7 @@ static int pk_get_rsapubkey(unsigned char **p,
 static int pk_get_pk_alg(unsigned char **p,
                          const unsigned char *end,
                          mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_asn1_buf alg_oid;
 
     memset(params, 0, sizeof(mbedtls_asn1_buf));
@@ -571,12 +580,17 @@ static int pk_get_pk_alg(unsigned char **p,
  */
 int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
                                mbedtls_pk_context *pk) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
     mbedtls_asn1_buf alg_params;
     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
     const mbedtls_pk_info_t *pk_info;
 
+    PK_VALIDATE_RET(p != NULL);
+    PK_VALIDATE_RET(*p != NULL);
+    PK_VALIDATE_RET(end != NULL);
+    PK_VALIDATE_RET(pk != NULL);
+
     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
         return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret);
@@ -615,7 +629,7 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
             ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
 
     if (ret == 0 && *p != end)
-        ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
+        ret = MBEDTLS_ERR_PK_INVALID_PUBKEY +
               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
 
     if (ret != 0)
@@ -625,6 +639,31 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
 }
 
 #if defined(MBEDTLS_RSA_C)
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi(unsigned char **p,
+                                const unsigned char *end,
+                                mbedtls_mpi *X) {
+    int ret;
+
+    ret = mbedtls_asn1_get_mpi(p, end, X);
+    if (ret != 0)
+        return (ret);
+
+    if (mbedtls_mpi_cmp_int(X, 0) == 0)
+        return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
+
+    return (0);
+}
+
 /*
  * Parse a PKCS#1 encoded private RSA key
  */
@@ -673,55 +712,84 @@ static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa,
     }
 
     /* Import N */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_INTEGER)) != 0 ||
-            (ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0,
-                                          NULL, 0, NULL, 0)) != 0)
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
+                                      NULL, NULL)) != 0)
         goto cleanup;
-    p += len;
 
     /* Import E */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_INTEGER)) != 0 ||
-            (ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
-                                          NULL, 0, p, len)) != 0)
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+                                      NULL, &T)) != 0)
         goto cleanup;
-    p += len;
 
     /* Import D */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_INTEGER)) != 0 ||
-            (ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
-                                          p, len, NULL, 0)) != 0)
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+                                      &T, NULL)) != 0)
         goto cleanup;
-    p += len;
 
     /* Import P */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_INTEGER)) != 0 ||
-            (ret = mbedtls_rsa_import_raw(rsa, NULL, 0, p, len, NULL, 0,
-                                          NULL, 0, NULL, 0)) != 0)
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
+                                      NULL, NULL)) != 0)
         goto cleanup;
-    p += len;
 
     /* Import Q */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_INTEGER)) != 0 ||
-            (ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, p, len,
-                                          NULL, 0, NULL, 0)) != 0)
-        goto cleanup;
-    p += len;
-
-    /* Complete the RSA private key */
-    if ((ret = mbedtls_rsa_complete(rsa)) != 0)
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
+                                      NULL, NULL)) != 0)
         goto cleanup;
 
-    /* Check optional parameters */
-    if ((ret = mbedtls_asn1_get_mpi(&p, end, &T)) != 0 ||
-            (ret = mbedtls_asn1_get_mpi(&p, end, &T)) != 0 ||
-            (ret = mbedtls_asn1_get_mpi(&p, end, &T)) != 0)
+#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
+    /*
+    * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+    * that they can be easily recomputed from D, P and Q. However by
+    * parsing them from the PKCS1 structure it is possible to avoid
+    * recalculating them which both reduces the overhead of loading
+    * RSA private keys into memory and also avoids side channels which
+    * can arise when computing those values, since all of D, P, and Q
+    * are secret. See https://eprint.iacr.org/2020/055 for a
+    * description of one such attack.
+    */
+
+    /* Import DP */
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0)
         goto cleanup;
 
+    /* Import DQ */
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0)
+        goto cleanup;
+
+    /* Import QP */
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0)
+        goto cleanup;
+
+#else
+    /* Verify existance of the CRT params */
+    if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+            (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0)
+        goto cleanup;
+#endif
+
+    /* rsa_complete() doesn't complete anything with the default
+     * implementation but is still called:
+     * - for the benefit of alternative implementation that may want to
+     *   pre-compute stuff beyond what's provided (eg Montgomery factors)
+     * - as is also sanity-checks the key
+     *
+     * Furthermore, we also check the public part for consistency with
+     * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+     */
+    if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
+            (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
+        goto cleanup;
+    }
+
     if (p != end) {
         ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
@@ -752,7 +820,7 @@ cleanup:
 static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
                                  const unsigned char *key,
                                  size_t keylen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     int version, pubkey_done;
     size_t len;
     mbedtls_asn1_buf params;
@@ -1073,18 +1141,24 @@ static int pk_parse_key_pkcs8_encrypted_der(
 int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
                          const unsigned char *key, size_t keylen,
                          const unsigned char *pwd, size_t pwdlen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const mbedtls_pk_info_t *pk_info;
-
 #if defined(MBEDTLS_PEM_PARSE_C)
     size_t len;
     mbedtls_pem_context pem;
+#endif
 
+    PK_VALIDATE_RET(pk != NULL);
+    if (keylen == 0)
+        return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
+    PK_VALIDATE_RET(key != NULL);
+
+#if defined(MBEDTLS_PEM_PARSE_C)
     mbedtls_pem_init(&pem);
 
 #if defined(MBEDTLS_RSA_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
@@ -1112,7 +1186,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
 
 #if defined(MBEDTLS_ECP_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
@@ -1139,7 +1213,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
 #endif /* MBEDTLS_ECP_C */
 
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
@@ -1159,7 +1233,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
 
 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
@@ -1194,9 +1268,6 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
     {
         unsigned char *key_copy;
 
-        if (keylen == 0)
-            return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
-
         if ((key_copy = mbedtls_calloc(1, keylen)) == NULL)
             return (MBEDTLS_ERR_PK_ALLOC_FAILED);
 
@@ -1213,6 +1284,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
         return (0);
 
     mbedtls_pk_free(pk);
+    mbedtls_pk_init(pk);
 
     if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) {
         return (ret);
@@ -1223,33 +1295,40 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
         return (0);
 
     mbedtls_pk_free(pk);
+    mbedtls_pk_init(pk);
 
 #if defined(MBEDTLS_RSA_C)
 
     pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
-    if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
-            (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk),
-                                          key, keylen)) != 0) {
-        mbedtls_pk_free(pk);
-    } else {
+    if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+            pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) {
         return (0);
     }
 
+    mbedtls_pk_free(pk);
+    mbedtls_pk_init(pk);
 #endif /* MBEDTLS_RSA_C */
 
 #if defined(MBEDTLS_ECP_C)
-
     pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
-    if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
-            (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
-                                         key, keylen)) != 0) {
-        mbedtls_pk_free(pk);
-    } else {
+    if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+            pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
+                                  key, keylen) == 0) {
         return (0);
     }
-
+    mbedtls_pk_free(pk);
 #endif /* MBEDTLS_ECP_C */
 
+    /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
+     * it is ok to leave the PK context initialized but not
+     * freed: It is the caller's responsibility to call pk_init()
+     * before calling this function, and to call pk_free()
+     * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
+     * isn't, this leads to mbedtls_pk_free() being called
+     * twice, once here and once by the caller, but this is
+     * also ok and in line with the mbedtls_pk_free() calls
+     * on failed PEM parsing attempts. */
+
     return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
 }
 
@@ -1258,7 +1337,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
  */
 int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
                                 const unsigned char *key, size_t keylen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p;
 #if defined(MBEDTLS_RSA_C)
     const mbedtls_pk_info_t *pk_info;
@@ -1266,11 +1345,18 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
 #if defined(MBEDTLS_PEM_PARSE_C)
     size_t len;
     mbedtls_pem_context pem;
+#endif
 
+    PK_VALIDATE_RET(ctx != NULL);
+    if (keylen == 0)
+        return (MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
+    PK_VALIDATE_RET(key != NULL || keylen == 0);
+
+#if defined(MBEDTLS_PEM_PARSE_C)
     mbedtls_pem_init(&pem);
 #if defined(MBEDTLS_RSA_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
@@ -1298,7 +1384,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
 #endif /* MBEDTLS_RSA_C */
 
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if (keylen == 0 || key[keylen - 1] != '\0')
+    if (key[keylen - 1] != '\0')
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer(&pem,
diff --git a/common/mbedtls/pkwrite.c b/common/mbedtls/pkwrite.c
index 8fccc2bbb..216c98542 100644
--- a/common/mbedtls/pkwrite.c
+++ b/common/mbedtls/pkwrite.c
@@ -1,37 +1,31 @@
 /*
  *  Public Key layer for writing key files and structures
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PK_WRITE_C)
 
 #include "mbedtls/pk.h"
 #include "mbedtls/asn1write.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -39,7 +33,9 @@
 #include "mbedtls/rsa.h"
 #endif
 #if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
 #include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
 #endif
 #if defined(MBEDTLS_ECDSA_C)
 #include "mbedtls/ecdsa.h"
@@ -48,6 +44,10 @@
 #include "mbedtls/pem.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -56,6 +56,12 @@
 #define mbedtls_free       free
 #endif
 
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_RSA_C)
 /*
  *  RSAPublicKey ::= SEQUENCE {
@@ -65,7 +71,7 @@
  */
 static int pk_write_rsa_pubkey(unsigned char **p, unsigned char *start,
                                mbedtls_rsa_context *rsa) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
     mbedtls_mpi T;
 
@@ -103,7 +109,7 @@ end_of_export:
  */
 static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
                               mbedtls_ecp_keypair *ec) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
     unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
 
@@ -129,7 +135,7 @@ static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
  */
 static int pk_write_ec_param(unsigned char **p, unsigned char *start,
                              mbedtls_ecp_keypair *ec) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
     const char *oid;
     size_t oid_len;
@@ -141,13 +147,37 @@ static int pk_write_ec_param(unsigned char **p, unsigned char *start,
 
     return ((int) len);
 }
+
+/*
+ * privateKey  OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+                               mbedtls_ecp_keypair *ec) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t byte_length = (ec->grp.pbits + 7) / 8;
+    unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+
+    ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
+    if (ret != 0)
+        goto exit;
+    ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+
+exit:
+    mbedtls_platform_zeroize(tmp, byte_length);
+    return (ret);
+}
 #endif /* MBEDTLS_ECP_C */
 
 int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
                             const mbedtls_pk_context *key) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
+    PK_VALIDATE_RET(p != NULL);
+    PK_VALIDATE_RET(*p != NULL);
+    PK_VALIDATE_RET(start != NULL);
+    PK_VALIDATE_RET(key != NULL);
+
 #if defined(MBEDTLS_RSA_C)
     if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA)
         MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, mbedtls_pk_rsa(*key)));
@@ -158,17 +188,41 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
             MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, mbedtls_pk_ec(*key)));
         else
 #endif
-            return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+            if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
+                size_t buffer_size;
+                psa_key_id_t *key_id = (psa_key_id_t *) key->pk_ctx;
+
+                if (*p < start)
+                    return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+                buffer_size = (size_t)(*p - start);
+                if (psa_export_public_key(*key_id, start, buffer_size, &len)
+                        != PSA_SUCCESS) {
+                    return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+                } else {
+                    *p -= len;
+                    memmove(*p, start, len);
+                }
+            } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+                return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
 
     return ((int) len);
 }
 
 int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *key, unsigned char *buf, size_t size) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *c;
     size_t len = 0, par_len = 0, oid_len;
+    mbedtls_pk_type_t pk_type;
     const char *oid;
 
+    PK_VALIDATE_RET(key != NULL);
+    if (size == 0)
+        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+    PK_VALIDATE_RET(buf != NULL);
+
     c = buf + size;
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_pk_write_pubkey(&c, buf, key));
@@ -187,16 +241,49 @@ int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *key, unsigned char *buf, siz
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
 
-    if ((ret = mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_get_type(key),
-                                             &oid, &oid_len)) != 0) {
-        return (ret);
-    }
-
+    pk_type = mbedtls_pk_get_type(key);
 #if defined(MBEDTLS_ECP_C)
-    if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
+    if (pk_type == MBEDTLS_PK_ECKEY) {
         MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, mbedtls_pk_ec(*key)));
     }
 #endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (pk_type == MBEDTLS_PK_OPAQUE) {
+        psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+        psa_key_type_t key_type;
+        psa_key_id_t key_id;
+        psa_ecc_family_t curve;
+        size_t bits;
+
+        key_id = *((psa_key_id_t *) key->pk_ctx);
+        if (PSA_SUCCESS != psa_get_key_attributes(key_id, &attributes))
+            return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
+        key_type = psa_get_key_type(&attributes);
+        bits = psa_get_key_bits(&attributes);
+        psa_reset_key_attributes(&attributes);
+
+        curve = PSA_KEY_TYPE_ECC_GET_FAMILY(key_type);
+        if (curve == 0)
+            return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+
+        ret = mbedtls_psa_get_ecc_oid_from_id(curve, bits, &oid, &oid_len);
+        if (ret != 0)
+            return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+
+        /* Write EC algorithm parameters; that's akin
+         * to pk_write_ec_param() above. */
+        MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_oid(&c, buf,
+                                                             oid, oid_len));
+
+        /* The rest of the function works as for legacy EC contexts. */
+        pk_type = MBEDTLS_PK_ECKEY;
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    if ((ret = mbedtls_oid_get_oid_by_pk_alg(pk_type, &oid,
+                                             &oid_len)) != 0) {
+        return (ret);
+    }
 
     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier(&c, buf, oid, oid_len,
                          par_len));
@@ -209,10 +296,17 @@ int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *key, unsigned char *buf, siz
 }
 
 int mbedtls_pk_write_key_der(mbedtls_pk_context *key, unsigned char *buf, size_t size) {
-    int ret;
-    unsigned char *c = buf + size;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *c;
     size_t len = 0;
 
+    PK_VALIDATE_RET(key != NULL);
+    if (size == 0)
+        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+    PK_VALIDATE_RET(buf != NULL);
+
+    c = buf + size;
+
 #if defined(MBEDTLS_RSA_C)
     if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
         mbedtls_mpi T; /* Temporary holding the exported parameters */
@@ -330,9 +424,8 @@ end_of_export:
                                                                  MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0));
             len += par_len;
 
-            /* privateKey: write as MPI then fix tag */
-            MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&c, buf, &ec->d));
-            *c = MBEDTLS_ASN1_OCTET_STRING;
+            /* privateKey */
+            MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(&c, buf, ec));
 
             /* version */
             MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 1));
@@ -374,7 +467,7 @@ end_of_export:
  *      publicExponent    INTEGER   -- e            1 + 3 + MPI_MAX + 1
  *  }
  */
-#define RSA_PUB_DER_MAX_BYTES   38 + 2 * MBEDTLS_MPI_MAX_SIZE
+#define RSA_PUB_DER_MAX_BYTES   ( 38 + 2 * MBEDTLS_MPI_MAX_SIZE )
 
 /*
  * RSA private keys:
@@ -391,10 +484,10 @@ end_of_export:
  *      otherPrimeInfos   OtherPrimeInfos OPTIONAL  0 (not supported)
  *  }
  */
-#define MPI_MAX_SIZE_2          MBEDTLS_MPI_MAX_SIZE / 2 + \
-    MBEDTLS_MPI_MAX_SIZE % 2
-#define RSA_PRV_DER_MAX_BYTES   47 + 3 * MBEDTLS_MPI_MAX_SIZE \
-    + 5 * MPI_MAX_SIZE_2
+#define MPI_MAX_SIZE_2          ( MBEDTLS_MPI_MAX_SIZE / 2 + \
+                                  MBEDTLS_MPI_MAX_SIZE % 2 )
+#define RSA_PRV_DER_MAX_BYTES   ( 47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+                                   + 5 * MPI_MAX_SIZE_2 )
 
 #else /* MBEDTLS_RSA_C */
 
@@ -415,7 +508,7 @@ end_of_export:
  *                                            + 2 * ECP_MAX (coords)    [1]
  *  }
  */
-#define ECP_PUB_DER_MAX_BYTES   30 + 2 * MBEDTLS_ECP_MAX_BYTES
+#define ECP_PUB_DER_MAX_BYTES   ( 30 + 2 * MBEDTLS_ECP_MAX_BYTES )
 
 /*
  * EC private keys:
@@ -426,7 +519,7 @@ end_of_export:
  *      publicKey  [1] BIT STRING OPTIONAL      1 + 2 + [1] above
  *    }
  */
-#define ECP_PRV_DER_MAX_BYTES   29 + 3 * MBEDTLS_ECP_MAX_BYTES
+#define ECP_PRV_DER_MAX_BYTES   ( 29 + 3 * MBEDTLS_ECP_MAX_BYTES )
 
 #else /* MBEDTLS_ECP_C */
 
@@ -435,16 +528,19 @@ end_of_export:
 
 #endif /* MBEDTLS_ECP_C */
 
-#define PUB_DER_MAX_BYTES   RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
-    RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES
-#define PRV_DER_MAX_BYTES   RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
-    RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES
+#define PUB_DER_MAX_BYTES   ( RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
+                              RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES )
+#define PRV_DER_MAX_BYTES   ( RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
+                              RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES )
 
 int mbedtls_pk_write_pubkey_pem(mbedtls_pk_context *key, unsigned char *buf, size_t size) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char output_buf[PUB_DER_MAX_BYTES];
     size_t olen = 0;
 
+    PK_VALIDATE_RET(key != NULL);
+    PK_VALIDATE_RET(buf != NULL || size == 0);
+
     if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf,
                                            sizeof(output_buf))) < 0) {
         return (ret);
@@ -460,11 +556,14 @@ int mbedtls_pk_write_pubkey_pem(mbedtls_pk_context *key, unsigned char *buf, siz
 }
 
 int mbedtls_pk_write_key_pem(mbedtls_pk_context *key, unsigned char *buf, size_t size) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char output_buf[PRV_DER_MAX_BYTES];
     const char *begin, *end;
     size_t olen = 0;
 
+    PK_VALIDATE_RET(key != NULL);
+    PK_VALIDATE_RET(buf != NULL || size == 0);
+
     if ((ret = mbedtls_pk_write_key_der(key, output_buf, sizeof(output_buf))) < 0)
         return (ret);
 
diff --git a/common/mbedtls/platform.c b/common/mbedtls/platform.c
index e0905bbfd..15a18eb91 100644
--- a/common/mbedtls/platform.c
+++ b/common/mbedtls/platform.c
@@ -1,38 +1,38 @@
 /*
  *  Platform abstraction layer
  *
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_PLATFORM_C)
 
 #include "mbedtls/platform.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) &&                 \
+    !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&        \
+       defined(MBEDTLS_PLATFORM_FREE_MACRO) )
 
-#if defined(MBEDTLS_PLATFORM_MEMORY)
 #if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
 static void *platform_calloc_uninit(size_t n, size_t size) {
     ((void) n);
@@ -68,28 +68,18 @@ int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
     mbedtls_free_func = free_func;
     return (0);
 }
-#endif /* MBEDTLS_PLATFORM_MEMORY */
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+          !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+             defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
 
-#if defined(_WIN32)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
 #include <stdarg.h>
 int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     va_list argp;
 
-    /* Avoid calling the invalid parameter handler by checking ourselves */
-    if (s == NULL || n == 0 || fmt == NULL)
-        return (-1);
-
     va_start(argp, fmt);
-#if defined(_TRUNCATE) && !defined(__MINGW32__)
-    ret = _vsnprintf_s(s, n, _TRUNCATE, fmt, argp);
-#else
-    ret = _vsnprintf(s, n, fmt, argp);
-    if (ret < 0 || (size_t) ret == n) {
-        s[n - 1] = '\0';
-        ret = -1;
-    }
-#endif
+    ret = mbedtls_vsnprintf(s, n, fmt, argp);
     va_end(argp);
 
     return (ret);
@@ -124,6 +114,58 @@ int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
 }
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
 
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#include <stdarg.h>
+int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* Avoid calling the invalid parameter handler by checking ourselves */
+    if (s == NULL || n == 0 || fmt == NULL)
+        return (-1);
+
+#if defined(_TRUNCATE)
+    ret = vsnprintf_s(s, n, _TRUNCATE, fmt, arg);
+#else
+    ret = vsnprintf(s, n, fmt, arg);
+    if (ret < 0 || (size_t) ret == n) {
+        s[n - 1] = '\0';
+        ret = -1;
+    }
+#endif
+
+    return (ret);
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_vsnprintf_uninit(char *s, size_t n,
+                                     const char *format, va_list arg) {
+    ((void) s);
+    ((void) n);
+    ((void) format);
+    ((void) arg);
+    return (-1);
+}
+
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF    platform_vsnprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_VSNPRINTF */
+
+int (*mbedtls_vsnprintf)(char *s, size_t n,
+                         const char *format,
+                         va_list arg) = MBEDTLS_PLATFORM_STD_VSNPRINTF;
+
+int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
+                                                         const char *format,
+                                                         va_list arg)) {
+    mbedtls_vsnprintf = vsnprintf_func;
+    return (0);
+}
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+
 #if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
 #if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
 /*
diff --git a/common/mbedtls/platform.h b/common/mbedtls/platform.h
index b32f0bb6e..9497289ff 100644
--- a/common/mbedtls/platform.h
+++ b/common/mbedtls/platform.h
@@ -13,38 +13,37 @@
  *        dynamically configured at runtime.
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_PLATFORM_H
 #define MBEDTLS_PLATFORM_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME)
-#include "platform_time.h"
+#include "mbedtls/platform_time.h"
 #endif
 
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -57,17 +56,33 @@ extern "C" {
  * \{
  */
 
+/* The older Microsoft Windows common runtime provides non-conforming
+ * implementations of some standard library functions, including snprintf
+ * and vsnprintf. This affects MSVC and MinGW builds.
+ */
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
+#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF
+#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF
+#endif
+
 #if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
-#if defined(_WIN32)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
 #define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
 #else
 #define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< The default \c snprintf function to use.  */
 #endif
 #endif
+#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF   mbedtls_platform_win32_vsnprintf /**< The default \c vsnprintf function to use.  */
+#else
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF   vsnprintf /**< The default \c vsnprintf function to use.  */
+#endif
+#endif
 #if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
 #define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< The default \c printf function to use. */
 #endif
@@ -203,7 +218,7 @@ int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...));
  * - however it is acceptable to return -1 instead of the required length when
  *   the destination buffer is too short.
  */
-#if defined(_WIN32)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
 /* For Windows (inc. MSYS2), we provide our own fixed implementation */
 int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...);
 #endif
@@ -229,6 +244,42 @@ int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
 
+/*
+ * The function pointers for vsnprintf
+ *
+ * The vsnprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ *   (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ *   the destination buffer is too short.
+ */
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#include <stdarg.h>
+/* For Older Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg);
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+#include <stdarg.h>
+extern int (*mbedtls_vsnprintf)(char *s, size_t n, const char *format, va_list arg);
+
+/**
+ * \brief   Set your own snprintf function pointer
+ *
+ * \param   vsnprintf_func   The \c vsnprintf function implementation
+ *
+ * \return  \c 0
+ */
+int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
+                                                         const char *format, va_list arg));
+#else /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
+#define mbedtls_vsnprintf   MBEDTLS_PLATFORM_VSNPRINTF_MACRO
+#else
+#define mbedtls_vsnprintf   vsnprintf
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+
 /*
  * The function pointers for exit
  */
diff --git a/common/mbedtls/platform_time.h b/common/mbedtls/platform_time.h
new file mode 100644
index 000000000..623f7e45d
--- /dev/null
+++ b/common/mbedtls/platform_time.h
@@ -0,0 +1,80 @@
+/**
+ * \file platform_time.h
+ *
+ * \brief mbed TLS Platform time abstraction
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_PLATFORM_TIME_H
+#define MBEDTLS_PLATFORM_TIME_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+/* For time_t */
+#include <time.h>
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *time);
+
+/**
+ * \brief   Set your own time function pointer
+ *
+ * \param   time_func   the time function implementation
+ *
+ * \return              0
+ */
+int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *time));
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time    MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time   time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform_time.h */
diff --git a/common/mbedtls/platform_util.c b/common/mbedtls/platform_util.c
index c30a52c08..0f5623eba 100644
--- a/common/mbedtls/platform_util.c
+++ b/common/mbedtls/platform_util.c
@@ -2,33 +2,35 @@
  * Common and shared functions used by multiple modules in the Mbed TLS
  * library.
  *
- *  Copyright (C) 2018, Arm Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
 #endif
 
+#include "common.h"
+
 #include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
 
 #include <stddef.h>
 #include <string.h>
@@ -63,6 +65,66 @@
 //static void *(* const volatile memset_func)(void *, int, size_t) = memset;
 
 void mbedtls_platform_zeroize(void *buf, size_t len) {
-    memset(buf, 0, len);
+    MBEDTLS_INTERNAL_VALIDATE(len == 0 || buf != NULL);
+
+    if (len > 0)
+        memset(buf, 0, len);
 }
 #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define PLATFORM_UTIL_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
+                                     struct tm *tm_buf) {
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    return ((gmtime_s(tm_buf, tt) == 0) ? tm_buf : NULL);
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+    return (gmtime_r(tt, tm_buf));
+#else
+    struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_lock(&mbedtls_threading_gmtime_mutex) != 0)
+        return (NULL);
+#endif /* MBEDTLS_THREADING_C */
+
+    lt = gmtime(tt);
+
+    if (lt != NULL) {
+        memcpy(tm_buf, lt, sizeof(struct tm));
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&mbedtls_threading_gmtime_mutex) != 0)
+        return (NULL);
+#endif /* MBEDTLS_THREADING_C */
+
+    return ((lt == NULL) ? NULL : tm_buf);
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
diff --git a/common/mbedtls/platform_util.h b/common/mbedtls/platform_util.h
index 5e56c6004..b59846fa7 100644
--- a/common/mbedtls/platform_util.h
+++ b/common/mbedtls/platform_util.h
@@ -5,34 +5,133 @@
  *        library.
  */
 /*
- *  Copyright (C) 2018, Arm Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_PLATFORM_UTIL_H
 #define MBEDTLS_PLATFORM_UTIL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+/* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
+ * (which is what our config.h suggests). */
+#include <assert.h>
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+
+#if defined(MBEDTLS_PARAM_FAILED)
+/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
+ *
+ * This flag can be used to check whether it is safe to assume that
+ * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
+ */
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#elif defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#else /* MBEDTLS_PARAM_FAILED */
+#define MBEDTLS_PARAM_FAILED( cond ) \
+    mbedtls_param_failed( #cond, __FILE__, __LINE__ )
+
+/**
+ * \brief       User supplied callback function for parameter validation failure.
+ *              See #MBEDTLS_CHECK_PARAMS for context.
+ *
+ *              This function will be called unless an alternative treatement
+ *              is defined through the #MBEDTLS_PARAM_FAILED macro.
+ *
+ *              This function can return, and the operation will be aborted, or
+ *              alternatively, through use of setjmp()/longjmp() can resume
+ *              execution in the application code.
+ *
+ * \param failure_condition The assertion that didn't hold.
+ * \param file  The file where the assertion failed.
+ * \param line  The line in the file where the assertion failed.
+ */
+void mbedtls_param_failed(const char *failure_condition,
+                          const char *file,
+                          int line);
+#endif /* MBEDTLS_PARAM_FAILED */
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return( ret );                          \
+        }                                           \
+    } while( 0 )
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return;                                 \
+        }                                           \
+    } while( 0 )
+
+#else /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal macros meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  do { } while( 0 )
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           do { } while( 0 )
+
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
+ * to avoid conflict with other headers which define and use
+ * it, too. We might want to move all these definitions here at
+ * some point for uniformity. */
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const *mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
+#undef MBEDTLS_DEPRECATED
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
 /**
  * \brief       Securely zeroize a buffer
  *
@@ -57,6 +156,37 @@ extern "C" {
  */
 void mbedtls_platform_zeroize(void *buf, size_t len);
 
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief      Platform-specific implementation of gmtime_r()
+ *
+ *             The function is a thread-safe abstraction that behaves
+ *             similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ *             Mbed TLS will try to identify the underlying platform and
+ *             make use of an appropriate underlying implementation (e.g.
+ *             gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ *             not possible, then gmtime() will be used. In this case, calls
+ *             from the library to gmtime() will be guarded by the mutex
+ *             mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ *             enabled. It is recommended that calls from outside the library
+ *             are also guarded by this mutex.
+ *
+ *             If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ *             unconditionally use the alternative implementation for
+ *             mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt     Pointer to an object containing time (in seconds) since the
+ *               epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return      Pointer to an object of type struct tm on success, otherwise
+ *              NULL
+ */
+struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
+                                     struct tm *tm_buf);
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/poly1305.c b/common/mbedtls/poly1305.c
new file mode 100644
index 000000000..b6982b593
--- /dev/null
+++ b/common/mbedtls/poly1305.c
@@ -0,0 +1,533 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define POLY1305_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define POLY1305_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                     \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )   \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )  \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )  \
+    )
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64(uint32_t a, uint32_t b) {
+    /* a = al + 2**16 ah, b = bl + 2**16 bh */
+    const uint16_t al = (uint16_t) a;
+    const uint16_t bl = (uint16_t) b;
+    const uint16_t ah = a >> 16;
+    const uint16_t bh = b >> 16;
+
+    /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+    const uint32_t lo = (uint32_t) al * bl;
+    const uint64_t me = (uint64_t)((uint32_t) ah * bl) + (uint32_t) al * bh;
+    const uint32_t hi = (uint32_t) ah * bh;
+
+    return (lo + (me << 16) + ((uint64_t) hi << 32));
+}
+#else
+static inline uint64_t mul64(uint32_t a, uint32_t b) {
+    return ((uint64_t) a * b);
+}
+#endif
+
+
+/**
+ * \brief                   Process blocks with Poly1305.
+ *
+ * \param ctx               The Poly1305 context.
+ * \param nblocks           Number of blocks to process. Note that this
+ *                          function only processes full blocks.
+ * \param input             Buffer containing the input block(s).
+ * \param needs_padding     Set to 0 if the padding bit has already been
+ *                          applied to the input data before calling this
+ *                          function.  Otherwise, set this parameter to 1.
+ */
+static void poly1305_process(mbedtls_poly1305_context *ctx,
+                             size_t nblocks,
+                             const unsigned char *input,
+                             uint32_t needs_padding) {
+    uint64_t d0, d1, d2, d3;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t r0, r1, r2, r3;
+    uint32_t rs1, rs2, rs3;
+    size_t offset  = 0U;
+    size_t i;
+
+    r0 = ctx->r[0];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
+    r3 = ctx->r[3];
+
+    rs1 = r1 + (r1 >> 2U);
+    rs2 = r2 + (r2 >> 2U);
+    rs3 = r3 + (r3 >> 2U);
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Process full blocks */
+    for (i = 0U; i < nblocks; i++) {
+        /* The input block is treated as a 128-bit little-endian integer */
+        d0   = BYTES_TO_U32_LE(input, offset + 0);
+        d1   = BYTES_TO_U32_LE(input, offset + 4);
+        d2   = BYTES_TO_U32_LE(input, offset + 8);
+        d3   = BYTES_TO_U32_LE(input, offset + 12);
+
+        /* Compute: acc += (padded) block as a 130-bit integer */
+        d0  += (uint64_t) acc0;
+        d1  += (uint64_t) acc1 + (d0 >> 32U);
+        d2  += (uint64_t) acc2 + (d1 >> 32U);
+        d3  += (uint64_t) acc3 + (d2 >> 32U);
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 += (uint32_t)(d3 >> 32U) + needs_padding;
+
+        /* Compute: acc *= r */
+        d0 = mul64(acc0, r0) +
+             mul64(acc1, rs3) +
+             mul64(acc2, rs2) +
+             mul64(acc3, rs1);
+        d1 = mul64(acc0, r1) +
+             mul64(acc1, r0) +
+             mul64(acc2, rs3) +
+             mul64(acc3, rs2) +
+             mul64(acc4, rs1);
+        d2 = mul64(acc0, r2) +
+             mul64(acc1, r1) +
+             mul64(acc2, r0) +
+             mul64(acc3, rs3) +
+             mul64(acc4, rs2);
+        d3 = mul64(acc0, r3) +
+             mul64(acc1, r2) +
+             mul64(acc2, r1) +
+             mul64(acc3, r0) +
+             mul64(acc4, rs3);
+        acc4 *= r0;
+
+        /* Compute: acc %= (2^130 - 5) (partial remainder) */
+        d1 += (d0 >> 32);
+        d2 += (d1 >> 32);
+        d3 += (d2 >> 32);
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 = (uint32_t)(d3 >> 32) + acc4;
+
+        d0 = (uint64_t) acc0 + (acc4 >> 2) + (acc4 & 0xFFFFFFFCU);
+        acc4 &= 3U;
+        acc0 = (uint32_t) d0;
+        d0 = (uint64_t) acc1 + (d0 >> 32U);
+        acc1 = (uint32_t) d0;
+        d0 = (uint64_t) acc2 + (d0 >> 32U);
+        acc2 = (uint32_t) d0;
+        d0 = (uint64_t) acc3 + (d0 >> 32U);
+        acc3 = (uint32_t) d0;
+        d0 = (uint64_t) acc4 + (d0 >> 32U);
+        acc4 = (uint32_t) d0;
+
+        offset    += POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    ctx->acc[0] = acc0;
+    ctx->acc[1] = acc1;
+    ctx->acc[2] = acc2;
+    ctx->acc[3] = acc3;
+    ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief                   Compute the Poly1305 MAC
+ *
+ * \param ctx               The Poly1305 context.
+ * \param mac               The buffer to where the MAC is written. Must be
+ *                          big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac(const mbedtls_poly1305_context *ctx,
+                                 unsigned char mac[16]) {
+    uint64_t d;
+    uint32_t g0, g1, g2, g3, g4;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t mask;
+    uint32_t mask_inv;
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+     * We do this by calculating acc - (2^130 - 5), then checking if
+     * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+     */
+
+    /* Calculate acc + -(2^130 - 5) */
+    d  = ((uint64_t) acc0 + 5U);
+    g0 = (uint32_t) d;
+    d  = ((uint64_t) acc1 + (d >> 32));
+    g1 = (uint32_t) d;
+    d  = ((uint64_t) acc2 + (d >> 32));
+    g2 = (uint32_t) d;
+    d  = ((uint64_t) acc3 + (d >> 32));
+    g3 = (uint32_t) d;
+    g4 = acc4 + (uint32_t)(d >> 32U);
+
+    /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+    mask = (uint32_t) 0U - (g4 >> 2U);
+    mask_inv = ~mask;
+
+    /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+    acc0 = (acc0 & mask_inv) | (g0 & mask);
+    acc1 = (acc1 & mask_inv) | (g1 & mask);
+    acc2 = (acc2 & mask_inv) | (g2 & mask);
+    acc3 = (acc3 & mask_inv) | (g3 & mask);
+
+    /* Add 's' */
+    d = (uint64_t) acc0 + ctx->s[0];
+    acc0 = (uint32_t) d;
+    d = (uint64_t) acc1 + ctx->s[1] + (d >> 32U);
+    acc1 = (uint32_t) d;
+    d = (uint64_t) acc2 + ctx->s[2] + (d >> 32U);
+    acc2 = (uint32_t) d;
+    acc3 += ctx->s[3] + (uint32_t)(d >> 32U);
+
+    /* Compute MAC (128 least significant bits of the accumulator) */
+    mac[ 0] = (unsigned char)(acc0);
+    mac[ 1] = (unsigned char)(acc0 >>  8);
+    mac[ 2] = (unsigned char)(acc0 >> 16);
+    mac[ 3] = (unsigned char)(acc0 >> 24);
+    mac[ 4] = (unsigned char)(acc1);
+    mac[ 5] = (unsigned char)(acc1 >>  8);
+    mac[ 6] = (unsigned char)(acc1 >> 16);
+    mac[ 7] = (unsigned char)(acc1 >> 24);
+    mac[ 8] = (unsigned char)(acc2);
+    mac[ 9] = (unsigned char)(acc2 >>  8);
+    mac[10] = (unsigned char)(acc2 >> 16);
+    mac[11] = (unsigned char)(acc2 >> 24);
+    mac[12] = (unsigned char)(acc3);
+    mac[13] = (unsigned char)(acc3 >>  8);
+    mac[14] = (unsigned char)(acc3 >> 16);
+    mac[15] = (unsigned char)(acc3 >> 24);
+}
+
+void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx) {
+    POLY1305_VALIDATE(ctx != NULL);
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
+                            const unsigned char key[32]) {
+    POLY1305_VALIDATE_RET(ctx != NULL);
+    POLY1305_VALIDATE_RET(key != NULL);
+
+    /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+    ctx->r[0] = BYTES_TO_U32_LE(key, 0)  & 0x0FFFFFFFU;
+    ctx->r[1] = BYTES_TO_U32_LE(key, 4)  & 0x0FFFFFFCU;
+    ctx->r[2] = BYTES_TO_U32_LE(key, 8)  & 0x0FFFFFFCU;
+    ctx->r[3] = BYTES_TO_U32_LE(key, 12) & 0x0FFFFFFCU;
+
+    ctx->s[0] = BYTES_TO_U32_LE(key, 16);
+    ctx->s[1] = BYTES_TO_U32_LE(key, 20);
+    ctx->s[2] = BYTES_TO_U32_LE(key, 24);
+    ctx->s[3] = BYTES_TO_U32_LE(key, 28);
+
+    /* Initial accumulator state */
+    ctx->acc[0] = 0U;
+    ctx->acc[1] = 0U;
+    ctx->acc[2] = 0U;
+    ctx->acc[3] = 0U;
+    ctx->acc[4] = 0U;
+
+    /* Queue initially empty */
+    mbedtls_platform_zeroize(ctx->queue, sizeof(ctx->queue));
+    ctx->queue_len = 0U;
+
+    return (0);
+}
+
+int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen) {
+    size_t offset    = 0U;
+    size_t remaining = ilen;
+    size_t queue_free_len;
+    size_t nblocks;
+    POLY1305_VALIDATE_RET(ctx != NULL);
+    POLY1305_VALIDATE_RET(ilen == 0 || input != NULL);
+
+    if ((remaining > 0U) && (ctx->queue_len > 0U)) {
+        queue_free_len = (POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+        if (ilen < queue_free_len) {
+            /* Not enough data to complete the block.
+             * Store this data with the other leftovers.
+             */
+            memcpy(&ctx->queue[ctx->queue_len],
+                   input,
+                   ilen);
+
+            ctx->queue_len += ilen;
+
+            remaining = 0U;
+        } else {
+            /* Enough data to produce a complete block */
+            memcpy(&ctx->queue[ctx->queue_len],
+                   input,
+                   queue_free_len);
+
+            ctx->queue_len = 0U;
+
+            poly1305_process(ctx, 1U, ctx->queue, 1U);   /* add padding bit */
+
+            offset    += queue_free_len;
+            remaining -= queue_free_len;
+        }
+    }
+
+    if (remaining >= POLY1305_BLOCK_SIZE_BYTES) {
+        nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+        poly1305_process(ctx, nblocks, &input[offset], 1U);
+
+        offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+        remaining %= POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    if (remaining > 0U) {
+        /* Store partial block */
+        ctx->queue_len = remaining;
+        memcpy(ctx->queue, &input[offset], remaining);
+    }
+
+    return (0);
+}
+
+int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
+                            unsigned char mac[16]) {
+    POLY1305_VALIDATE_RET(ctx != NULL);
+    POLY1305_VALIDATE_RET(mac != NULL);
+
+    /* Process any leftover data */
+    if (ctx->queue_len > 0U) {
+        /* Add padding bit */
+        ctx->queue[ctx->queue_len] = 1U;
+        ctx->queue_len++;
+
+        /* Pad with zeroes */
+        memset(&ctx->queue[ctx->queue_len],
+               0,
+               POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+        poly1305_process(ctx, 1U,           /* Process 1 block */
+                         ctx->queue, 0U);  /* Already padded above */
+    }
+
+    poly1305_compute_mac(ctx, mac);
+
+    return (0);
+}
+
+int mbedtls_poly1305_mac(const unsigned char key[32],
+                         const unsigned char *input,
+                         size_t ilen,
+                         unsigned char mac[16]) {
+    mbedtls_poly1305_context ctx;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    POLY1305_VALIDATE_RET(key != NULL);
+    POLY1305_VALIDATE_RET(mac != NULL);
+    POLY1305_VALIDATE_RET(ilen == 0 || input != NULL);
+
+    mbedtls_poly1305_init(&ctx);
+
+    ret = mbedtls_poly1305_starts(&ctx, key);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_poly1305_update(&ctx, input, ilen);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = mbedtls_poly1305_finish(&ctx, mac);
+
+cleanup:
+    mbedtls_poly1305_free(&ctx);
+    return (ret);
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] = {
+    {
+        0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+        0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+        0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+        0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+    },
+    {
+        0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+        0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+        0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+        0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+    }
+};
+
+static const unsigned char test_data[2][127] = {
+    {
+        0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+        0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+        0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+        0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+        0x75, 0x70
+    },
+    {
+        0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+        0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+        0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+        0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+        0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+        0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+        0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+        0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+        0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+        0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+        0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+        0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+        0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+        0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+    }
+};
+
+static const size_t test_data_len[2] = {
+    34U,
+    127U
+};
+
+static const unsigned char test_mac[2][16] = {
+    {
+        0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+        0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+    },
+    {
+        0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+        0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+    }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_poly1305_self_test(int verbose) {
+    unsigned char mac[16];
+    unsigned i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    for (i = 0U; i < 2U; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  Poly1305 test %u ", i);
+
+        ret = mbedtls_poly1305_mac(test_keys[i],
+                                   test_data[i],
+                                   test_data_len[i],
+                                   mac);
+        ASSERT(0 == ret, ("error code: %i\n", ret));
+
+        ASSERT(0 == memcmp(mac, test_mac[i], 16U), ("failed (mac)\n"));
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/common/mbedtls/poly1305.h b/common/mbedtls/poly1305.h
new file mode 100644
index 000000000..7382d382d
--- /dev/null
+++ b/common/mbedtls/poly1305.h
@@ -0,0 +1,190 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief   This file contains Poly1305 definitions and functions.
+ *
+ *          Poly1305 is a one-time message authenticator that can be used to
+ *          authenticate messages. Poly1305-AES was created by Daniel
+ *          Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ *          Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ *          7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B  /**< Poly1305 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct mbedtls_poly1305_context {
+    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
+    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
+    uint32_t acc[5];    /** The accumulator number. */
+    uint8_t queue[16];  /** The current partial block of data. */
+    size_t queue_len;   /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else  /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief           This function initializes the specified Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by a call to
+ *                  \c mbedtls_poly1305_starts(), then one or more calls to
+ *                  \c mbedtls_poly1305_update(), then one call to
+ *                  \c mbedtls_poly1305_finish(), then finally
+ *                  \c mbedtls_poly1305_free().
+ *
+ * \param ctx       The Poly1305 context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx);
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  Poly1305 context.
+ *
+ * \param ctx       The Poly1305 context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op. If it is not \c NULL, it must
+ *                  point to an initialized Poly1305 context.
+ */
+void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx);
+
+/**
+ * \brief           This function sets the one-time authentication key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param ctx       The Poly1305 context to which the key should be bound.
+ *                  This must be initialized.
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
+                            const unsigned char key[32]);
+
+/**
+ * \brief           This functions feeds an input buffer into an ongoing
+ *                  Poly1305 computation.
+ *
+ *                  It is called between \c mbedtls_cipher_poly1305_starts() and
+ *                  \c mbedtls_cipher_poly1305_finish().
+ *                  It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen);
+
+/**
+ * \brief           This function generates the Poly1305 Message
+ *                  Authentication Code (MAC).
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param mac       The buffer to where the MAC is written. This must
+ *                  be a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
+                            unsigned char mac[16]);
+
+/**
+ * \brief           This function calculates the Poly1305 MAC of the input
+ *                  buffer with the provided key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param mac       The buffer to where the MAC is written. This must be
+ *                  a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_mac(const unsigned char key[32],
+                         const unsigned char *input,
+                         size_t ilen,
+                         unsigned char mac[16]);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
diff --git a/common/mbedtls/psa_crypto.c b/common/mbedtls/psa_crypto.c
new file mode 100644
index 000000000..d5905dc4b
--- /dev/null
+++ b/common/mbedtls/psa_crypto.c
@@ -0,0 +1,5744 @@
+/*
+ *  PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "check_crypto_config.h"
+#endif
+
+#include "psa_crypto_service_integration.h"
+#include "psa/crypto.h"
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_invasive.h"
+#include "psa_crypto_driver_wrappers.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_rsa.h"
+#include "psa_crypto_ecp.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+#include "psa_crypto_slot_management.h"
+/* Include internal declarations that are useful for implementing persistently
+ * stored keys. */
+#include "psa_crypto_storage.h"
+
+#include "psa_crypto_random_impl.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#include "mbedtls/aes.h"
+#include "mbedtls/arc4.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/blowfish.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/des.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/md.h"
+#include "mbedtls/md_internal.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/xtea.h"
+
+#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
+
+/* constant-time buffer comparison */
+static inline int safer_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
+    size_t i;
+    unsigned char diff = 0;
+
+    for (i = 0; i < n; i++)
+        diff |= a[i] ^ b[i];
+
+    return (diff);
+}
+
+
+
+/****************************************************************/
+/* Global data, support functions and library management */
+/****************************************************************/
+
+static int key_type_is_raw_bytes(psa_key_type_t type) {
+    return (PSA_KEY_TYPE_IS_UNSTRUCTURED(type));
+}
+
+/* Values for psa_global_data_t::rng_state */
+#define RNG_NOT_INITIALIZED 0
+#define RNG_INITIALIZED 1
+#define RNG_SEEDED 2
+
+typedef struct {
+    mbedtls_psa_random_context_t rng;
+    unsigned initialized : 1;
+    unsigned rng_state : 2;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
+    &global_data.rng.drbg;
+#endif
+
+#define GUARD_MODULE_INITIALIZED        \
+    if( global_data.initialized == 0 )  \
+        return( PSA_ERROR_BAD_STATE );
+
+psa_status_t mbedtls_to_psa_error(int ret) {
+    /* Mbed TLS error codes can combine a high-level error code and a
+     * low-level error code. The low-level error usually reflects the
+     * root cause better, so dispatch on that preferably. */
+    int low_level_ret = - (-ret & 0x007f);
+    switch (low_level_ret != 0 ? low_level_ret : ret) {
+        case 0:
+            return (PSA_SUCCESS);
+
+        case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
+        case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
+        case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
+        case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
+        case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
+        case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
+        case MBEDTLS_ERR_ASN1_INVALID_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
+            return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+#if defined(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA)
+        case MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA:
+#elif defined(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH)
+        case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
+#endif
+        case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+#if defined(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
+        case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
+#elif defined(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH)
+        case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
+#endif
+        case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_CCM_BAD_INPUT:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_CCM_AUTH_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+
+        case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
+            return (PSA_ERROR_BAD_STATE);
+        case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+
+        case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
+            return (PSA_ERROR_INVALID_PADDING);
+        case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
+            return (PSA_ERROR_CORRUPTION_DETECTED);
+        case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+#if !( defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) ||      \
+       defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) )
+        /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
+         * functions are passed a CTR_DRBG instance. */
+        case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+        case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
+        case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+#endif
+
+        case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
+        case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
+        case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+
+        case MBEDTLS_ERR_GCM_AUTH_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_GCM_BAD_INPUT:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) &&        \
+    defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+        /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
+         * functions are passed a HMAC_DRBG instance. */
+        case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+        case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
+        case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+#endif
+
+        case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
+        case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
+        case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MD_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        case MBEDTLS_ERR_MD_FILE_IO_ERROR:
+            return (PSA_ERROR_STORAGE_FAILURE);
+        case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
+            return (PSA_ERROR_STORAGE_FAILURE);
+        case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
+            return (PSA_ERROR_BUFFER_TOO_SMALL);
+        case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_MPI_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+        case MBEDTLS_ERR_PK_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        case MBEDTLS_ERR_PK_TYPE_MISMATCH:
+        case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_PK_FILE_IO_ERROR:
+            return (PSA_ERROR_STORAGE_FAILURE);
+        case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
+        case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
+        case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
+            return (PSA_ERROR_NOT_PERMITTED);
+        case MBEDTLS_ERR_PK_INVALID_PUBKEY:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_PK_INVALID_ALG:
+        case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
+        case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+        case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
+            return (PSA_ERROR_NOT_SUPPORTED);
+
+        case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_RSA_INVALID_PADDING:
+            return (PSA_ERROR_INVALID_PADDING);
+        case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+        case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
+        case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
+            return (PSA_ERROR_CORRUPTION_DETECTED);
+        case MBEDTLS_ERR_RSA_VERIFY_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
+            return (PSA_ERROR_BUFFER_TOO_SMALL);
+        case MBEDTLS_ERR_RSA_RNG_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+        case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
+        case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
+        case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
+        case MBEDTLS_ERR_ECP_INVALID_KEY:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
+            return (PSA_ERROR_BUFFER_TOO_SMALL);
+        case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
+            return (PSA_ERROR_NOT_SUPPORTED);
+        case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
+        case MBEDTLS_ERR_ECP_VERIFY_FAILED:
+            return (PSA_ERROR_INVALID_SIGNATURE);
+        case MBEDTLS_ERR_ECP_ALLOC_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        case MBEDTLS_ERR_ECP_RANDOM_FAILED:
+            return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+        case MBEDTLS_ERR_ECP_HW_ACCEL_FAILED:
+            return (PSA_ERROR_HARDWARE_FAILURE);
+
+        case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
+            return (PSA_ERROR_CORRUPTION_DETECTED);
+
+        default:
+            return (PSA_ERROR_GENERIC_ERROR);
+    }
+}
+
+
+
+
+/****************************************************************/
+/* Key management */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+static inline int psa_key_slot_is_external(const psa_key_slot_t *slot) {
+    return (psa_key_lifetime_is_external(slot->attr.lifetime));
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+/* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the
+ * current test driver in key_management.c is using this function
+ * when accelerators are used for ECC key pair and public key.
+ * Once that dependency is resolved these guards can be removed.
+ */
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
+mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
+                                              size_t bits,
+                                              int bits_is_sloppy) {
+    switch (curve) {
+        case PSA_ECC_FAMILY_SECP_R1:
+            switch (bits) {
+                case 192:
+                    return (MBEDTLS_ECP_DP_SECP192R1);
+                case 224:
+                    return (MBEDTLS_ECP_DP_SECP224R1);
+                case 256:
+                    return (MBEDTLS_ECP_DP_SECP256R1);
+                case 384:
+                    return (MBEDTLS_ECP_DP_SECP384R1);
+                case 521:
+                    return (MBEDTLS_ECP_DP_SECP521R1);
+                case 528:
+                    if (bits_is_sloppy)
+                        return (MBEDTLS_ECP_DP_SECP521R1);
+                    break;
+            }
+            break;
+
+        case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+            switch (bits) {
+                case 256:
+                    return (MBEDTLS_ECP_DP_BP256R1);
+                case 384:
+                    return (MBEDTLS_ECP_DP_BP384R1);
+                case 512:
+                    return (MBEDTLS_ECP_DP_BP512R1);
+            }
+            break;
+
+        case PSA_ECC_FAMILY_MONTGOMERY:
+            switch (bits) {
+                case 255:
+                    return (MBEDTLS_ECP_DP_CURVE25519);
+                case 256:
+                    if (bits_is_sloppy)
+                        return (MBEDTLS_ECP_DP_CURVE25519);
+                    break;
+                case 448:
+                    return (MBEDTLS_ECP_DP_CURVE448);
+            }
+            break;
+
+        case PSA_ECC_FAMILY_SECP_K1:
+            switch (bits) {
+                case 192:
+                    return (MBEDTLS_ECP_DP_SECP192K1);
+                case 224:
+                    return (MBEDTLS_ECP_DP_SECP224K1);
+                case 256:
+                    return (MBEDTLS_ECP_DP_SECP256K1);
+            }
+            break;
+    }
+
+    return (MBEDTLS_ECP_DP_NONE);
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
+        * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+static psa_status_t validate_unstructured_key_bit_size(psa_key_type_t type,
+                                                       size_t bits) {
+    /* Check that the bit size is acceptable for the key type */
+    switch (type) {
+        case PSA_KEY_TYPE_RAW_DATA:
+        case PSA_KEY_TYPE_HMAC:
+        case PSA_KEY_TYPE_DERIVE:
+            break;
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES)
+        case PSA_KEY_TYPE_AES:
+            if (bits != 128 && bits != 192 && bits != 256)
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA)
+        case PSA_KEY_TYPE_CAMELLIA:
+            if (bits != 128 && bits != 192 && bits != 256)
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+        case PSA_KEY_TYPE_DES:
+            if (bits != 64 && bits != 128 && bits != 192)
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4)
+        case PSA_KEY_TYPE_ARC4:
+            if (bits < 8 || bits > 2048)
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
+        case PSA_KEY_TYPE_CHACHA20:
+            if (bits != 256)
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            break;
+#endif
+        default:
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+    if (bits % 8 != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    return (PSA_SUCCESS);
+}
+
+/** Return the size of the key in the given slot, in bits.
+ *
+ * \param[in] slot      A key slot.
+ *
+ * \return The key size in bits, read from the metadata in the slot.
+ */
+static inline size_t psa_get_key_slot_bits(const psa_key_slot_t *slot) {
+    return (slot->attr.bits);
+}
+
+/** Check whether a given key type is valid for use with a given MAC algorithm
+ *
+ * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
+ * when called with the validated \p algorithm and \p key_type is well-defined.
+ *
+ * \param[in] algorithm     The specific MAC algorithm (can be wildcard).
+ * \param[in] key_type      The key type of the key to be used with the
+ *                          \p algorithm.
+ *
+ * \retval #PSA_SUCCESS
+ *         The \p key_type is valid for use with the \p algorithm
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The \p key_type is not valid for use with the \p algorithm
+ */
+MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
+    psa_algorithm_t algorithm,
+    psa_key_type_t key_type) {
+    if (PSA_ALG_IS_HMAC(algorithm)) {
+        if (key_type == PSA_KEY_TYPE_HMAC)
+            return (PSA_SUCCESS);
+    }
+
+    if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
+        /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
+         * key. */
+        if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
+                PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
+            /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
+             * the block length (larger than 1) for block ciphers. */
+            if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1)
+                return (PSA_SUCCESS);
+        }
+    }
+
+    return (PSA_ERROR_INVALID_ARGUMENT);
+}
+
+/** Try to allocate a buffer to an empty key slot.
+ *
+ * \param[in,out] slot          Key slot to attach buffer to.
+ * \param[in] buffer_length     Requested size of the buffer.
+ *
+ * \retval #PSA_SUCCESS
+ *         The buffer has been successfully allocated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *         Not enough memory was available for allocation.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ *         Trying to allocate a buffer to a non-empty key slot.
+ */
+static psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
+                                                size_t buffer_length) {
+    if (slot->key.data != NULL)
+        return (PSA_ERROR_ALREADY_EXISTS);
+
+    slot->key.data = mbedtls_calloc(1, buffer_length);
+    if (slot->key.data == NULL)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+    slot->key.bytes = buffer_length;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+                                             const uint8_t *data,
+                                             size_t data_length) {
+    psa_status_t status = psa_allocate_buffer_to_slot(slot,
+                                                      data_length);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    memcpy(slot->key.data, data, data_length);
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_import_key_into_slot(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_type_t type = attributes->core.type;
+
+    /* zero-length keys are never supported. */
+    if (data_length == 0)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    if (key_type_is_raw_bytes(type)) {
+        *bits = PSA_BYTES_TO_BITS(data_length);
+
+        /* Ensure that the bytes-to-bits conversion hasn't overflown. */
+        if (data_length > SIZE_MAX / 8)
+            return (PSA_ERROR_NOT_SUPPORTED);
+
+        /* Enforce a size limit, and in particular ensure that the bit
+         * size fits in its representation type. */
+        if ((*bits) > PSA_MAX_KEY_BITS)
+            return (PSA_ERROR_NOT_SUPPORTED);
+
+        status = validate_unstructured_key_bit_size(type, *bits);
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        /* Copy the key material. */
+        memcpy(key_buffer, data, data_length);
+        *key_buffer_length = data_length;
+        (void)key_buffer_size;
+
+        return (PSA_SUCCESS);
+    } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+        if (PSA_KEY_TYPE_IS_ECC(type)) {
+            return (mbedtls_psa_ecp_import_key(attributes,
+                                               data, data_length,
+                                               key_buffer, key_buffer_size,
+                                               key_buffer_length,
+                                               bits));
+        }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+        if (PSA_KEY_TYPE_IS_RSA(type)) {
+            return (mbedtls_psa_rsa_import_key(attributes,
+                                               data, data_length,
+                                               key_buffer, key_buffer_size,
+                                               key_buffer_length,
+                                               bits));
+        }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+    }
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+}
+
+/** Calculate the intersection of two algorithm usage policies.
+ *
+ * Return 0 (which allows no operation) on incompatibility.
+ */
+static psa_algorithm_t psa_key_policy_algorithm_intersection(
+    psa_key_type_t key_type,
+    psa_algorithm_t alg1,
+    psa_algorithm_t alg2) {
+    /* Common case: both sides actually specify the same policy. */
+    if (alg1 == alg2)
+        return (alg1);
+    /* If the policies are from the same hash-and-sign family, check
+     * if one is a wildcard. If so the other has the specific algorithm. */
+    if (PSA_ALG_IS_HASH_AND_SIGN(alg1) &&
+            PSA_ALG_IS_HASH_AND_SIGN(alg2) &&
+            (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
+        if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH)
+            return (alg2);
+        if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH)
+            return (alg1);
+    }
+    /* If the policies are from the same AEAD family, check whether
+     * one of them is a minimum-tag-length wildcard. Calculate the most
+     * restrictive tag length. */
+    if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
+            (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
+             PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
+        size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
+        size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
+        size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+        /* If both are wildcards, return most restrictive wildcard */
+        if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+                ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+            return (PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
+                        alg1, restricted_len));
+        }
+        /* If only one is a wildcard, return specific algorithm if compatible. */
+        if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+                (alg1_len <= alg2_len)) {
+            return (alg2);
+        }
+        if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+                (alg2_len <= alg1_len)) {
+            return (alg1);
+        }
+    }
+    /* If the policies are from the same MAC family, check whether one
+     * of them is a minimum-MAC-length policy. Calculate the most
+     * restrictive tag length. */
+    if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
+            (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
+             PSA_ALG_FULL_LENGTH_MAC(alg2))) {
+        /* Validate the combination of key type and algorithm. Since the base
+         * algorithm of alg1 and alg2 are the same, we only need this once. */
+        if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type))
+            return (0);
+
+        /* Get the (exact or at-least) output lengths for both sides of the
+         * requested intersection. None of the currently supported algorithms
+         * have an output length dependent on the actual key size, so setting it
+         * to a bogus value of 0 is currently OK.
+         *
+         * Note that for at-least-this-length wildcard algorithms, the output
+         * length is set to the shortest allowed length, which allows us to
+         * calculate the most restrictive tag length for the intersection. */
+        size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
+        size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
+        size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+        /* If both are wildcards, return most restrictive wildcard */
+        if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+                ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+            return (PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len));
+        }
+
+        /* If only one is an at-least-this-length policy, the intersection would
+         * be the other (fixed-length) policy as long as said fixed length is
+         * equal to or larger than the shortest allowed length. */
+        if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+            return ((alg1_len <= alg2_len) ? alg2 : 0);
+        }
+        if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+            return ((alg2_len <= alg1_len) ? alg1 : 0);
+        }
+
+        /* If none of them are wildcards, check whether they define the same tag
+         * length. This is still possible here when one is default-length and
+         * the other specific-length. Ensure to always return the
+         * specific-length version for the intersection. */
+        if (alg1_len == alg2_len)
+            return (PSA_ALG_TRUNCATED_MAC(alg1, alg1_len));
+    }
+    /* If the policies are incompatible, allow nothing. */
+    return (0);
+}
+
+static int psa_key_algorithm_permits(psa_key_type_t key_type,
+                                     psa_algorithm_t policy_alg,
+                                     psa_algorithm_t requested_alg) {
+    /* Common case: the policy only allows requested_alg. */
+    if (requested_alg == policy_alg)
+        return (1);
+    /* If policy_alg is a hash-and-sign with a wildcard for the hash,
+     * and requested_alg is the same hash-and-sign family with any hash,
+     * then requested_alg is compliant with policy_alg. */
+    if (PSA_ALG_IS_HASH_AND_SIGN(requested_alg) &&
+            PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
+        return ((policy_alg & ~PSA_ALG_HASH_MASK) ==
+                (requested_alg & ~PSA_ALG_HASH_MASK));
+    }
+    /* If policy_alg is a wildcard AEAD algorithm of the same base as
+     * the requested algorithm, check the requested tag length to be
+     * equal-length or longer than the wildcard-specified length. */
+    if (PSA_ALG_IS_AEAD(policy_alg) &&
+            PSA_ALG_IS_AEAD(requested_alg) &&
+            (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
+             PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
+            ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+        return (PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
+                PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg));
+    }
+    /* If policy_alg is a MAC algorithm of the same base as the requested
+     * algorithm, check whether their MAC lengths are compatible. */
+    if (PSA_ALG_IS_MAC(policy_alg) &&
+            PSA_ALG_IS_MAC(requested_alg) &&
+            (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
+             PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
+        /* Validate the combination of key type and algorithm. Since the policy
+         * and requested algorithms are the same, we only need this once. */
+        if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type))
+            return (0);
+
+        /* Get both the requested output length for the algorithm which is to be
+         * verified, and the default output length for the base algorithm.
+         * Note that none of the currently supported algorithms have an output
+         * length dependent on actual key size, so setting it to a bogus value
+         * of 0 is currently OK. */
+        size_t requested_output_length = PSA_MAC_LENGTH(
+                                             key_type, 0, requested_alg);
+        size_t default_output_length = PSA_MAC_LENGTH(
+                                           key_type, 0,
+                                           PSA_ALG_FULL_LENGTH_MAC(requested_alg));
+
+        /* If the policy is default-length, only allow an algorithm with
+         * a declared exact-length matching the default. */
+        if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0)
+            return (requested_output_length == default_output_length);
+
+        /* If the requested algorithm is default-length, allow it if the policy
+         * length exactly matches the default length. */
+        if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
+                PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
+            return (1);
+        }
+
+        /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
+         * check for the requested MAC length to be equal to or longer than the
+         * minimum allowed length. */
+        if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+            return (PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
+                    requested_output_length);
+        }
+    }
+    /* If policy_alg is a generic key agreement operation, then using it for
+     * a key derivation with that key agreement should also be allowed. This
+     * behaviour is expected to be defined in a future specification version. */
+    if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
+            PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
+        return (PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
+                policy_alg);
+    }
+    /* If it isn't explicitly permitted, it's forbidden. */
+    return (0);
+}
+
+/** Test whether a policy permits an algorithm.
+ *
+ * The caller must test usage flags separately.
+ *
+ * \note This function requires providing the key type for which the policy is
+ *       being validated, since some algorithm policy definitions (e.g. MAC)
+ *       have different properties depending on what kind of cipher it is
+ *       combined with.
+ *
+ * \retval PSA_SUCCESS                  When \p alg is a specific algorithm
+ *                                      allowed by the \p policy.
+ * \retval PSA_ERROR_INVALID_ARGUMENT   When \p alg is not a specific algorithm
+ * \retval PSA_ERROR_NOT_PERMITTED      When \p alg is a specific algorithm, but
+ *                                      the \p policy does not allow it.
+ */
+static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
+                                           psa_key_type_t key_type,
+                                           psa_algorithm_t alg) {
+    /* '0' is not a valid algorithm */
+    if (alg == 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    /* A requested algorithm cannot be a wildcard. */
+    if (PSA_ALG_IS_WILDCARD(alg))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
+            psa_key_algorithm_permits(key_type, policy->alg2, alg))
+        return (PSA_SUCCESS);
+    else
+        return (PSA_ERROR_NOT_PERMITTED);
+}
+
+/** Restrict a key policy based on a constraint.
+ *
+ * \note This function requires providing the key type for which the policy is
+ *       being restricted, since some algorithm policy definitions (e.g. MAC)
+ *       have different properties depending on what kind of cipher it is
+ *       combined with.
+ *
+ * \param[in] key_type      The key type for which to restrict the policy
+ * \param[in,out] policy    The policy to restrict.
+ * \param[in] constraint    The policy constraint to apply.
+ *
+ * \retval #PSA_SUCCESS
+ *         \c *policy contains the intersection of the original value of
+ *         \c *policy and \c *constraint.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         \c key_type, \c *policy and \c *constraint are incompatible.
+ *         \c *policy is unchanged.
+ */
+static psa_status_t psa_restrict_key_policy(
+    psa_key_type_t key_type,
+    psa_key_policy_t *policy,
+    const psa_key_policy_t *constraint) {
+    psa_algorithm_t intersection_alg =
+        psa_key_policy_algorithm_intersection(key_type, policy->alg,
+                                              constraint->alg);
+    psa_algorithm_t intersection_alg2 =
+        psa_key_policy_algorithm_intersection(key_type, policy->alg2,
+                                              constraint->alg2);
+    if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    policy->usage &= constraint->usage;
+    policy->alg = intersection_alg;
+    policy->alg2 = intersection_alg2;
+    return (PSA_SUCCESS);
+}
+
+/** Get the description of a key given its identifier and policy constraints
+ *  and lock it.
+ *
+ * The key must have allow all the usage flags set in \p usage. If \p alg is
+ * nonzero, the key must allow operations with this algorithm. If \p alg is
+ * zero, the algorithm is not checked.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot is locked. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ */
+static psa_status_t psa_get_and_lock_key_slot_with_policy(
+    mbedtls_svc_key_id_t key,
+    psa_key_slot_t **p_slot,
+    psa_key_usage_t usage,
+    psa_algorithm_t alg) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    status = psa_get_and_lock_key_slot(key, p_slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+    slot = *p_slot;
+
+    /* Enforce that usage policy for the key slot contains all the flags
+     * required by the usage parameter. There is one exception: public
+     * keys can always be exported, so we treat public key objects as
+     * if they had the export flag. */
+    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type))
+        usage &= ~PSA_KEY_USAGE_EXPORT;
+
+    if ((slot->attr.policy.usage & usage) != usage) {
+        status = PSA_ERROR_NOT_PERMITTED;
+        goto error;
+    }
+
+    /* Enforce that the usage policy permits the requested algortihm. */
+    if (alg != 0) {
+        status = psa_key_policy_permits(&slot->attr.policy,
+                                        slot->attr.type,
+                                        alg);
+        if (status != PSA_SUCCESS)
+            goto error;
+    }
+
+    return (PSA_SUCCESS);
+
+error:
+    *p_slot = NULL;
+    psa_unlock_key_slot(slot);
+
+    return (status);
+}
+
+/** Get a key slot containing a transparent key and lock it.
+ *
+ * A transparent key is a key for which the key material is directly
+ * available, as opposed to a key in a secure element.
+ *
+ * This is a temporary function to use instead of
+ * psa_get_and_lock_key_slot_with_policy() until secure element support is
+ * fully implemented.
+ *
+ * On success, the returned key slot is locked. It is the responsibility of the
+ * caller to unlock the key slot when it does not access it anymore.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
+    mbedtls_svc_key_id_t key,
+    psa_key_slot_t **p_slot,
+    psa_key_usage_t usage,
+    psa_algorithm_t alg) {
+    psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
+                                                                usage, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if (psa_key_slot_is_external(*p_slot)) {
+        psa_unlock_key_slot(*p_slot);
+        *p_slot = NULL;
+        return (PSA_ERROR_NOT_SUPPORTED);
+    }
+
+    return (PSA_SUCCESS);
+}
+#else /* MBEDTLS_PSA_CRYPTO_SE_C */
+/* With no secure element support, all keys are transparent. */
+#define psa_get_and_lock_transparent_key_slot_with_policy( key, p_slot, usage, alg )   \
+    psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg )
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+/** Wipe key data from a slot. Preserve metadata such as the policy. */
+static psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot) {
+    /* Data pointer will always be either a valid pointer or NULL in an
+     * initialized slot, so we can just free it. */
+    if (slot->key.data != NULL)
+        mbedtls_platform_zeroize(slot->key.data, slot->key.bytes);
+
+    mbedtls_free(slot->key.data);
+    slot->key.data = NULL;
+    slot->key.bytes = 0;
+
+    return (PSA_SUCCESS);
+}
+
+/** Completely wipe a slot in memory, including its policy.
+ * Persistent storage is not affected. */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) {
+    psa_status_t status = psa_remove_key_data_from_memory(slot);
+
+    /*
+     * As the return error code may not be handled in case of multiple errors,
+     * do our best to report an unexpected lock counter: if available
+     * call MBEDTLS_PARAM_FAILED that may terminate execution (if called as
+     * part of the execution of a test suite this will stop the test suite
+     * execution).
+     */
+    if (slot->lock_count != 1) {
+#ifdef MBEDTLS_CHECK_PARAMS
+        MBEDTLS_PARAM_FAILED(slot->lock_count == 1);
+#endif
+        status = PSA_ERROR_CORRUPTION_DETECTED;
+    }
+
+    /* Multipart operations may still be using the key. This is safe
+     * because all multipart operation objects are independent from
+     * the key slot: if they need to access the key after the setup
+     * phase, they have a copy of the key. Note that this means that
+     * key material can linger until all operations are completed. */
+    /* At this point, key material and other type-specific content has
+     * been wiped. Clear remaining metadata. We can call memset and not
+     * zeroize because the metadata is not particularly sensitive. */
+    memset(slot, 0, sizeof(*slot));
+    return (status);
+}
+
+psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) {
+    psa_key_slot_t *slot;
+    psa_status_t status; /* status of the last operation */
+    psa_status_t overall_status = PSA_SUCCESS;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    psa_se_drv_table_entry_t *driver;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    if (mbedtls_svc_key_id_is_null(key))
+        return (PSA_SUCCESS);
+
+    /*
+     * Get the description of the key in a key slot. In case of a persistent
+     * key, this will load the key description from persistent memory if not
+     * done yet. We cannot avoid this loading as without it we don't know if
+     * the key is operated by an SE or not and this information is needed by
+     * the current implementation.
+     */
+    status = psa_get_and_lock_key_slot(key, &slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    /*
+     * If the key slot containing the key description is under access by the
+     * library (apart from the present access), the key cannot be destroyed
+     * yet. For the time being, just return in error. Eventually (to be
+     * implemented), the key should be destroyed when all accesses have
+     * stopped.
+     */
+    if (slot->lock_count > 1) {
+        psa_unlock_key_slot(slot);
+        return (PSA_ERROR_GENERIC_ERROR);
+    }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    driver = psa_get_se_driver_entry(slot->attr.lifetime);
+    if (driver != NULL) {
+        /* For a key in a secure element, we need to do three things:
+         * remove the key file in internal storage, destroy the
+         * key inside the secure element, and update the driver's
+         * persistent data. Start a transaction that will encompass these
+         * three actions. */
+        psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
+        psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+        psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
+        psa_crypto_transaction.key.id = slot->attr.id;
+        status = psa_crypto_save_transaction();
+        if (status != PSA_SUCCESS) {
+            (void) psa_crypto_stop_transaction();
+            /* We should still try to destroy the key in the secure
+             * element and the key metadata in storage. This is especially
+             * important if the error is that the storage is full.
+             * But how to do it exactly without risking an inconsistent
+             * state after a reset?
+             * https://github.com/ARMmbed/mbed-crypto/issues/215
+             */
+            overall_status = status;
+            goto exit;
+        }
+
+        status = psa_destroy_se_key(driver,
+                                    psa_key_slot_get_slot_number(slot));
+        if (overall_status == PSA_SUCCESS)
+            overall_status = status;
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    if (! PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+        status = psa_destroy_persistent_key(slot->attr.id);
+        if (overall_status == PSA_SUCCESS)
+            overall_status = status;
+
+        /* TODO: other slots may have a copy of the same key. We should
+         * invalidate them.
+         * https://github.com/ARMmbed/mbed-crypto/issues/214
+         */
+    }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if (driver != NULL) {
+        status = psa_save_se_persistent_data(driver);
+        if (overall_status == PSA_SUCCESS)
+            overall_status = status;
+        status = psa_crypto_stop_transaction();
+        if (overall_status == PSA_SUCCESS)
+            overall_status = status;
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+exit:
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+    status = psa_wipe_key_slot(slot);
+    /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
+    if (overall_status == PSA_SUCCESS)
+        overall_status = status;
+    return (overall_status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+static psa_status_t psa_get_rsa_public_exponent(
+    const mbedtls_rsa_context *rsa,
+    psa_key_attributes_t *attributes) {
+    mbedtls_mpi mpi;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    uint8_t *buffer = NULL;
+    size_t buflen;
+    mbedtls_mpi_init(&mpi);
+
+    ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &mpi);
+    if (ret != 0)
+        goto exit;
+    if (mbedtls_mpi_cmp_int(&mpi, 65537) == 0) {
+        /* It's the default value, which is reported as an empty string,
+         * so there's nothing to do. */
+        goto exit;
+    }
+
+    buflen = mbedtls_mpi_size(&mpi);
+    buffer = mbedtls_calloc(1, buflen);
+    if (buffer == NULL) {
+        ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+        goto exit;
+    }
+    ret = mbedtls_mpi_write_binary(&mpi, buffer, buflen);
+    if (ret != 0)
+        goto exit;
+    attributes->domain_parameters = buffer;
+    attributes->domain_parameters_size = buflen;
+
+exit:
+    mbedtls_mpi_free(&mpi);
+    if (ret != 0)
+        mbedtls_free(buffer);
+    return (mbedtls_to_psa_error(ret));
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+/** Retrieve all the publicly-accessible attributes of a key.
+ */
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+                                    psa_key_attributes_t *attributes) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    psa_reset_key_attributes(attributes);
+
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    attributes->core = slot->attr;
+    attributes->core.flags &= (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
+                               MBEDTLS_PSA_KA_MASK_DUAL_USE);
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if (psa_key_slot_is_external(slot))
+        psa_set_key_slot_number(attributes,
+                                psa_key_slot_get_slot_number(slot));
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    switch (slot->attr.type) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+        case PSA_KEY_TYPE_RSA_KEY_PAIR:
+        case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+            /* TODO: reporting the public exponent for opaque keys
+             * is not yet implemented.
+             * https://github.com/ARMmbed/mbed-crypto/issues/216
+             */
+            if (psa_key_slot_is_external(slot))
+                break;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+            {
+                mbedtls_rsa_context *rsa = NULL;
+
+                status = mbedtls_psa_rsa_load_representation(
+                             slot->attr.type,
+                             slot->key.data,
+                             slot->key.bytes,
+                             &rsa);
+                if (status != PSA_SUCCESS)
+                    break;
+
+                status = psa_get_rsa_public_exponent(rsa,
+                                                     attributes);
+                mbedtls_rsa_free(rsa);
+                mbedtls_free(rsa);
+            }
+            break;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+        default:
+            /* Nothing else to do. */
+            break;
+    }
+
+    if (status != PSA_SUCCESS)
+        psa_reset_key_attributes(attributes);
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t psa_get_key_slot_number(
+    const psa_key_attributes_t *attributes,
+    psa_key_slot_number_t *slot_number) {
+    if (attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) {
+        *slot_number = attributes->slot_number;
+        return (PSA_SUCCESS);
+    } else
+        return (PSA_ERROR_INVALID_ARGUMENT);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
+                                                   size_t key_buffer_size,
+                                                   uint8_t *data,
+                                                   size_t data_size,
+                                                   size_t *data_length) {
+    if (key_buffer_size > data_size)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+    memcpy(data, key_buffer, key_buffer_size);
+    memset(data + key_buffer_size, 0,
+           data_size - key_buffer_size);
+    *data_length = key_buffer_size;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_export_key_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    psa_key_type_t type = attributes->core.type;
+
+    if (key_type_is_raw_bytes(type) ||
+            PSA_KEY_TYPE_IS_RSA(type)   ||
+            PSA_KEY_TYPE_IS_ECC(type)) {
+        return (psa_export_key_buffer_internal(
+                    key_buffer, key_buffer_size,
+                    data, data_size, data_length));
+    } else {
+        /* This shouldn't happen in the reference implementation, but
+           it is valid for a special-purpose implementation to omit
+           support for exporting certain key types. */
+        return (PSA_ERROR_NOT_SUPPORTED);
+    }
+}
+
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+                            uint8_t *data,
+                            size_t data_size,
+                            size_t *data_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    /* Reject a zero-length output buffer now, since this can never be a
+     * valid key representation. This way we know that data must be a valid
+     * pointer and we can do things like memset(data, ..., data_size). */
+    if (data_size == 0)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+    /* Set the key to empty now, so that even when there are errors, we always
+     * set data_length to a value between 0 and data_size. On error, setting
+     * the key to empty is a good choice because an empty key representation is
+     * unlikely to be accepted anywhere. */
+    *data_length = 0;
+
+    /* Export requires the EXPORT flag. There is an exception for public keys,
+     * which don't require any flag, but
+     * psa_get_and_lock_key_slot_with_policy() takes care of this.
+     */
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+                                                   PSA_KEY_USAGE_EXPORT, 0);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+    status = psa_driver_wrapper_export_key(&attributes,
+                                           slot->key.data, slot->key.bytes,
+                                           data, data_size, data_length);
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_export_public_key_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer,
+    size_t key_buffer_size,
+    uint8_t *data,
+    size_t data_size,
+    size_t *data_length) {
+    psa_key_type_t type = attributes->core.type;
+
+    if (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type)) {
+        if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+            /* Exporting public -> public */
+            return (psa_export_key_buffer_internal(
+                        key_buffer, key_buffer_size,
+                        data, data_size, data_length));
+        }
+
+        if (PSA_KEY_TYPE_IS_RSA(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+            return (mbedtls_psa_rsa_export_public_key(attributes,
+                                                      key_buffer,
+                                                      key_buffer_size,
+                                                      data,
+                                                      data_size,
+                                                      data_length));
+#else
+            /* We don't know how to convert a private RSA key to public. */
+            return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+        } else {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+            return (mbedtls_psa_ecp_export_public_key(attributes,
+                                                      key_buffer,
+                                                      key_buffer_size,
+                                                      data,
+                                                      data_size,
+                                                      data_length));
+#else
+            /* We don't know how to convert a private ECC key to public */
+            return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+        }
+    } else {
+        /* This shouldn't happen in the reference implementation, but
+           it is valid for a special-purpose implementation to omit
+           support for exporting certain key types. */
+        return (PSA_ERROR_NOT_SUPPORTED);
+    }
+}
+
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+                                   uint8_t *data,
+                                   size_t data_size,
+                                   size_t *data_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    /* Reject a zero-length output buffer now, since this can never be a
+     * valid key representation. This way we know that data must be a valid
+     * pointer and we can do things like memset(data, ..., data_size). */
+    if (data_size == 0)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+    /* Set the key to empty now, so that even when there are errors, we always
+     * set data_length to a value between 0 and data_size. On error, setting
+     * the key to empty is a good choice because an empty key representation is
+     * unlikely to be accepted anywhere. */
+    *data_length = 0;
+
+    /* Exporting a public key doesn't require a usage flag. */
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if (! PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+    status = psa_driver_wrapper_export_public_key(
+                 &attributes, slot->key.data, slot->key.bytes,
+                 data, data_size, data_length);
+
+exit:
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+#if defined(static_assert)
+static_assert((MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY &MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0,
+              "One or more key attribute flag is listed as both external-only and dual-use");
+static_assert((PSA_KA_MASK_INTERNAL_ONLY &MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0,
+              "One or more key attribute flag is listed as both internal-only and dual-use");
+static_assert((PSA_KA_MASK_INTERNAL_ONLY &MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY) == 0,
+              "One or more key attribute flag is listed as both internal-only and external-only");
+#endif
+
+/** Validate that a key policy is internally well-formed.
+ *
+ * This function only rejects invalid policies. It does not validate the
+ * consistency of the policy with respect to other attributes of the key
+ * such as the key type.
+ */
+static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy) {
+    if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
+                           PSA_KEY_USAGE_COPY |
+                           PSA_KEY_USAGE_ENCRYPT |
+                           PSA_KEY_USAGE_DECRYPT |
+                           PSA_KEY_USAGE_SIGN_HASH |
+                           PSA_KEY_USAGE_VERIFY_HASH |
+                           PSA_KEY_USAGE_DERIVE)) != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    return (PSA_SUCCESS);
+}
+
+/** Validate the internal consistency of key attributes.
+ *
+ * This function only rejects invalid attribute values. If does not
+ * validate the consistency of the attributes with any key data that may
+ * be involved in the creation of the key.
+ *
+ * Call this function early in the key creation process.
+ *
+ * \param[in] attributes    Key attributes for the new key.
+ * \param[out] p_drv        On any return, the driver for the key, if any.
+ *                          NULL for a transparent key.
+ *
+ */
+static psa_status_t psa_validate_key_attributes(
+    const psa_key_attributes_t *attributes,
+    psa_se_drv_table_entry_t **p_drv) {
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
+    mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
+
+    status = psa_validate_key_location(lifetime, p_drv);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = psa_validate_key_persistence(lifetime);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+        if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0)
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    } else {
+        status = psa_validate_key_id(psa_get_key_id(attributes), 0);
+        if (status != PSA_SUCCESS)
+            return (status);
+    }
+
+    status = psa_validate_key_policy(&attributes->core.policy);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    /* Refuse to create overly large keys.
+     * Note that this doesn't trigger on import if the attributes don't
+     * explicitly specify a size (so psa_get_key_bits returns 0), so
+     * psa_import_key() needs its own checks. */
+    if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    /* Reject invalid flags. These should not be reachable through the API. */
+    if (attributes->core.flags & ~(MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
+                                   MBEDTLS_PSA_KA_MASK_DUAL_USE))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    return (PSA_SUCCESS);
+}
+
+/** Prepare a key slot to receive key material.
+ *
+ * This function allocates a key slot and sets its metadata.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ *
+ * This function is intended to be used as follows:
+ * -# Call psa_start_key_creation() to allocate a key slot, prepare
+ *    it with the specified attributes, and in case of a volatile key assign it
+ *    a volatile key identifier.
+ * -# Populate the slot with the key material.
+ * -# Call psa_finish_key_creation() to finalize the creation of the slot.
+ * In case of failure at any step, stop the sequence and call
+ * psa_fail_key_creation().
+ *
+ * On success, the key slot is locked. It is the responsibility of the caller
+ * to unlock the key slot when it does not access it anymore.
+ *
+ * \param method            An identification of the calling function.
+ * \param[in] attributes    Key attributes for the new key.
+ * \param[out] p_slot       On success, a pointer to the prepared slot.
+ * \param[out] p_drv        On any return, the driver for the key, if any.
+ *                          NULL for a transparent key.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key slot is ready to receive key material.
+ * \return If this function fails, the key slot is an invalid state.
+ *         You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_start_key_creation(
+    psa_key_creation_method_t method,
+    const psa_key_attributes_t *attributes,
+    psa_key_slot_t **p_slot,
+    psa_se_drv_table_entry_t **p_drv) {
+    psa_status_t status;
+    psa_key_id_t volatile_key_id;
+    psa_key_slot_t *slot;
+
+    (void) method;
+    *p_drv = NULL;
+
+    status = psa_validate_key_attributes(attributes, p_drv);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+    slot = *p_slot;
+
+    /* We're storing the declared bit-size of the key. It's up to each
+     * creation mechanism to verify that this information is correct.
+     * It's automatically correct for mechanisms that use the bit-size as
+     * an input (generate, device) but not for those where the bit-size
+     * is optional (import, copy). In case of a volatile key, assign it the
+     * volatile key identifier associated to the slot returned to contain its
+     * definition. */
+
+    slot->attr = attributes->core;
+    if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+        slot->attr.id = volatile_key_id;
+#else
+        slot->attr.id.key_id = volatile_key_id;
+#endif
+    }
+
+    /* Erase external-only flags from the internal copy. To access
+     * external-only flags, query `attributes`. Thanks to the check
+     * in psa_validate_key_attributes(), this leaves the dual-use
+     * flags and any internal flag that psa_get_empty_key_slot()
+     * may have set. */
+    slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    /* For a key in a secure element, we need to do three things
+     * when creating or registering a persistent key:
+     * create the key file in internal storage, create the
+     * key inside the secure element, and update the driver's
+     * persistent data. This is done by starting a transaction that will
+     * encompass these three actions.
+     * For registering a volatile key, we just need to find an appropriate
+     * slot number inside the SE. Since the key is designated volatile, creating
+     * a transaction is not required. */
+    /* The first thing to do is to find a slot number for the new key.
+     * We save the slot number in persistent storage as part of the
+     * transaction data. It will be needed to recover if the power
+     * fails during the key creation process, to clean up on the secure
+     * element side after restarting. Obtaining a slot number from the
+     * secure element driver updates its persistent state, but we do not yet
+     * save the driver's persistent state, so that if the power fails,
+     * we can roll back to a state where the key doesn't exist. */
+    if (*p_drv != NULL) {
+        psa_key_slot_number_t slot_number;
+        status = psa_find_se_slot_for_key(attributes, method, *p_drv,
+                                          &slot_number);
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        if (! PSA_KEY_LIFETIME_IS_VOLATILE(attributes->core.lifetime)) {
+            psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
+            psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+            psa_crypto_transaction.key.slot = slot_number;
+            psa_crypto_transaction.key.id = slot->attr.id;
+            status = psa_crypto_save_transaction();
+            if (status != PSA_SUCCESS) {
+                (void) psa_crypto_stop_transaction();
+                return (status);
+            }
+        }
+
+        status = psa_copy_key_material_into_slot(
+                     slot, (uint8_t *)(&slot_number), sizeof(slot_number));
+    }
+
+    if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
+        /* Key registration only makes sense with a secure element. */
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    return (PSA_SUCCESS);
+}
+
+/** Finalize the creation of a key once its key material has been set.
+ *
+ * This entails writing the key to persistent storage.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function.
+ *
+ * If the finalization succeeds, the function unlocks the key slot (it was
+ * locked by psa_start_key_creation()) and the key slot cannot be accessed
+ * anymore as part of the key creation process.
+ *
+ * \param[in,out] slot  Pointer to the slot with key material.
+ * \param[in] driver    The secure element driver for the key,
+ *                      or NULL for a transparent key.
+ * \param[out] key      On success, identifier of the key. Note that the
+ *                      key identifier is also stored in the key slot.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was successfully created.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ *
+ * \return If this function fails, the key slot is an invalid state.
+ *         You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_finish_key_creation(
+    psa_key_slot_t *slot,
+    psa_se_drv_table_entry_t *driver,
+    mbedtls_svc_key_id_t *key) {
+    psa_status_t status = PSA_SUCCESS;
+    (void) slot;
+    (void) driver;
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    if (! PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+        if (driver != NULL) {
+            psa_se_key_data_storage_t data;
+            psa_key_slot_number_t slot_number =
+                psa_key_slot_get_slot_number(slot) ;
+
+#if defined(static_assert)
+            static_assert(sizeof(slot_number) ==
+                          sizeof(data.slot_number),
+                          "Slot number size does not match psa_se_key_data_storage_t");
+#endif
+            memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
+            status = psa_save_persistent_key(&slot->attr,
+                                             (uint8_t *) &data,
+                                             sizeof(data));
+        } else
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+        {
+            /* Key material is saved in export representation in the slot, so
+             * just pass the slot buffer for storage. */
+            status = psa_save_persistent_key(&slot->attr,
+                                             slot->key.data,
+                                             slot->key.bytes);
+        }
+    }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    /* Finish the transaction for a key creation. This does not
+     * happen when registering an existing key. Detect this case
+     * by checking whether a transaction is in progress (actual
+     * creation of a persistent key in a secure element requires a transaction,
+     * but registration or volatile key creation doesn't use one). */
+    if (driver != NULL &&
+            psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
+        status = psa_save_se_persistent_data(driver);
+        if (status != PSA_SUCCESS) {
+            psa_destroy_persistent_key(slot->attr.id);
+            return (status);
+        }
+        status = psa_crypto_stop_transaction();
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    if (status == PSA_SUCCESS) {
+        *key = slot->attr.id;
+        status = psa_unlock_key_slot(slot);
+        if (status != PSA_SUCCESS)
+            *key = MBEDTLS_SVC_KEY_ID_INIT;
+    }
+
+    return (status);
+}
+
+/** Abort the creation of a key.
+ *
+ * You may call this function after calling psa_start_key_creation(),
+ * or after psa_finish_key_creation() fails. In other circumstances, this
+ * function may not clean up persistent storage.
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function.
+ *
+ * \param[in,out] slot  Pointer to the slot with key material.
+ * \param[in] driver    The secure element driver for the key,
+ *                      or NULL for a transparent key.
+ */
+static void psa_fail_key_creation(psa_key_slot_t *slot,
+                                  psa_se_drv_table_entry_t *driver) {
+    (void) driver;
+
+    if (slot == NULL)
+        return;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    /* TODO: If the key has already been created in the secure
+     * element, and the failure happened later (when saving metadata
+     * to internal storage), we need to destroy the key in the secure
+     * element.
+     * https://github.com/ARMmbed/mbed-crypto/issues/217
+     */
+
+    /* Abort the ongoing transaction if any (there may not be one if
+     * the creation process failed before starting one, or if the
+     * key creation is a registration of a key in a secure element).
+     * Earlier functions must already have done what it takes to undo any
+     * partial creation. All that's left is to update the transaction data
+     * itself. */
+    (void) psa_crypto_stop_transaction();
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    psa_wipe_key_slot(slot);
+}
+
+/** Validate optional attributes during key creation.
+ *
+ * Some key attributes are optional during key creation. If they are
+ * specified in the attributes structure, check that they are consistent
+ * with the data in the slot.
+ *
+ * This function should be called near the end of key creation, after
+ * the slot in memory is fully populated but before saving persistent data.
+ */
+static psa_status_t psa_validate_optional_attributes(
+    const psa_key_slot_t *slot,
+    const psa_key_attributes_t *attributes) {
+    if (attributes->core.type != 0) {
+        if (attributes->core.type != slot->attr.type)
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+
+    if (attributes->domain_parameters_size != 0) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+        if (PSA_KEY_TYPE_IS_RSA(slot->attr.type)) {
+            mbedtls_rsa_context *rsa = NULL;
+            mbedtls_mpi actual, required;
+            int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+            psa_status_t status = mbedtls_psa_rsa_load_representation(
+                                      slot->attr.type,
+                                      slot->key.data,
+                                      slot->key.bytes,
+                                      &rsa);
+            if (status != PSA_SUCCESS)
+                return (status);
+
+            mbedtls_mpi_init(&actual);
+            mbedtls_mpi_init(&required);
+            ret = mbedtls_rsa_export(rsa,
+                                     NULL, NULL, NULL, NULL, &actual);
+            mbedtls_rsa_free(rsa);
+            mbedtls_free(rsa);
+            if (ret != 0)
+                goto rsa_exit;
+            ret = mbedtls_mpi_read_binary(&required,
+                                          attributes->domain_parameters,
+                                          attributes->domain_parameters_size);
+            if (ret != 0)
+                goto rsa_exit;
+            if (mbedtls_mpi_cmp_mpi(&actual, &required) != 0)
+                ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+rsa_exit:
+            mbedtls_mpi_free(&actual);
+            mbedtls_mpi_free(&required);
+            if (ret != 0)
+                return (mbedtls_to_psa_error(ret));
+        } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+        {
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        }
+    }
+
+    if (attributes->core.bits != 0) {
+        if (attributes->core.bits != slot->attr.bits)
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+                            const uint8_t *data,
+                            size_t data_length,
+                            mbedtls_svc_key_id_t *key) {
+    psa_status_t status;
+    psa_key_slot_t *slot = NULL;
+    psa_se_drv_table_entry_t *driver = NULL;
+    size_t bits;
+
+    *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+    /* Reject zero-length symmetric keys (including raw data key objects).
+     * This also rejects any key which might be encoded as an empty string,
+     * which is never valid. */
+    if (data_length == 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
+                                    &slot, &driver);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* In the case of a transparent key or an opaque key stored in local
+     * storage (thus not in the case of generating a key in a secure element
+     * or cryptoprocessor with storage), we have to allocate a buffer to
+     * hold the generated key material. */
+    if (slot->key.data == NULL) {
+        status = psa_allocate_buffer_to_slot(slot, data_length);
+        if (status != PSA_SUCCESS)
+            goto exit;
+    }
+
+    bits = slot->attr.bits;
+    status = psa_driver_wrapper_import_key(attributes,
+                                           data, data_length,
+                                           slot->key.data,
+                                           slot->key.bytes,
+                                           &slot->key.bytes, &bits);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    if (slot->attr.bits == 0)
+        slot->attr.bits = (psa_key_bits_t) bits;
+    else if (bits != slot->attr.bits) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    status = psa_validate_optional_attributes(slot, attributes);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_finish_key_creation(slot, driver, key);
+exit:
+    if (status != PSA_SUCCESS)
+        psa_fail_key_creation(slot, driver);
+
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_psa_register_se_key(
+    const psa_key_attributes_t *attributes) {
+    psa_status_t status;
+    psa_key_slot_t *slot = NULL;
+    psa_se_drv_table_entry_t *driver = NULL;
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+
+    /* Leaving attributes unspecified is not currently supported.
+     * It could make sense to query the key type and size from the
+     * secure element, but not all secure elements support this
+     * and the driver HAL doesn't currently support it. */
+    if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE)
+        return (PSA_ERROR_NOT_SUPPORTED);
+    if (psa_get_key_bits(attributes) == 0)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
+                                    &slot, &driver);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_finish_key_creation(slot, driver, &key);
+
+exit:
+    if (status != PSA_SUCCESS)
+        psa_fail_key_creation(slot, driver);
+
+    /* Registration doesn't keep the key in RAM. */
+    psa_close_key(key);
+    return (status);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+static psa_status_t psa_copy_key_material(const psa_key_slot_t *source,
+                                          psa_key_slot_t *target) {
+    psa_status_t status = psa_copy_key_material_into_slot(target,
+                                                          source->key.data,
+                                                          source->key.bytes);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    target->attr.type = source->attr.type;
+    target->attr.bits = source->attr.bits;
+
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
+                          const psa_key_attributes_t *specified_attributes,
+                          mbedtls_svc_key_id_t *target_key) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *source_slot = NULL;
+    psa_key_slot_t *target_slot = NULL;
+    psa_key_attributes_t actual_attributes = *specified_attributes;
+    psa_se_drv_table_entry_t *driver = NULL;
+
+    *target_key = MBEDTLS_SVC_KEY_ID_INIT;
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_validate_optional_attributes(source_slot,
+                                              specified_attributes);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_restrict_key_policy(source_slot->attr.type,
+                                     &actual_attributes.core.policy,
+                                     &source_slot->attr.policy);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
+                                    &target_slot, &driver);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if (driver != NULL) {
+        /* Copying to a secure element is not implemented yet. */
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    status = psa_copy_key_material(source_slot, target_slot);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_finish_key_creation(target_slot, driver, target_key);
+exit:
+    if (status != PSA_SUCCESS)
+        psa_fail_key_creation(target_slot, driver);
+
+    unlock_status = psa_unlock_key_slot(source_slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+
+
+/****************************************************************/
+/* Message digests */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+const mbedtls_md_info_t *mbedtls_md_info_from_psa(psa_algorithm_t alg) {
+    switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            return (&mbedtls_md2_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            return (&mbedtls_md4_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            return (&mbedtls_md5_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            return (&mbedtls_ripemd160_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            return (&mbedtls_sha1_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            return (&mbedtls_sha224_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            return (&mbedtls_sha256_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            return (&mbedtls_sha384_info);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            return (&mbedtls_sha512_info);
+#endif
+        default:
+            return (NULL);
+    }
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation) {
+    switch (operation->alg) {
+        case 0:
+            /* The object has (apparently) been initialized but it is not
+             * in use. It's ok to call abort on such an object, and there's
+             * nothing to do. */
+            break;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            mbedtls_md2_free(&operation->ctx.md2);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            mbedtls_md4_free(&operation->ctx.md4);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            mbedtls_md5_free(&operation->ctx.md5);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            mbedtls_ripemd160_free(&operation->ctx.ripemd160);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            mbedtls_sha1_free(&operation->ctx.sha1);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            mbedtls_sha256_free(&operation->ctx.sha256);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            mbedtls_sha256_free(&operation->ctx.sha256);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            mbedtls_sha512_free(&operation->ctx.sha512);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            mbedtls_sha512_free(&operation->ctx.sha512);
+            break;
+#endif
+        default:
+            return (PSA_ERROR_BAD_STATE);
+    }
+    operation->alg = 0;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+                            psa_algorithm_t alg) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* A context must be freshly initialized before it can be set up. */
+    if (operation->alg != 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            mbedtls_md2_init(&operation->ctx.md2);
+            ret = mbedtls_md2_starts_ret(&operation->ctx.md2);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            mbedtls_md4_init(&operation->ctx.md4);
+            ret = mbedtls_md4_starts_ret(&operation->ctx.md4);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            mbedtls_md5_init(&operation->ctx.md5);
+            ret = mbedtls_md5_starts_ret(&operation->ctx.md5);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            mbedtls_ripemd160_init(&operation->ctx.ripemd160);
+            ret = mbedtls_ripemd160_starts_ret(&operation->ctx.ripemd160);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            mbedtls_sha1_init(&operation->ctx.sha1);
+            ret = mbedtls_sha1_starts_ret(&operation->ctx.sha1);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            mbedtls_sha256_init(&operation->ctx.sha256);
+            ret = mbedtls_sha256_starts_ret(&operation->ctx.sha256, 1);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            mbedtls_sha256_init(&operation->ctx.sha256);
+            ret = mbedtls_sha256_starts_ret(&operation->ctx.sha256, 0);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            mbedtls_sha512_init(&operation->ctx.sha512);
+            ret = mbedtls_sha512_starts_ret(&operation->ctx.sha512, 1);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            mbedtls_sha512_init(&operation->ctx.sha512);
+            ret = mbedtls_sha512_starts_ret(&operation->ctx.sha512, 0);
+            break;
+#endif
+        default:
+            return (PSA_ALG_IS_HASH(alg) ?
+                    PSA_ERROR_NOT_SUPPORTED :
+                    PSA_ERROR_INVALID_ARGUMENT);
+    }
+    if (ret == 0)
+        operation->alg = alg;
+    else
+        psa_hash_abort(operation);
+    return (mbedtls_to_psa_error(ret));
+}
+
+psa_status_t psa_hash_update(psa_hash_operation_t *operation,
+                             const uint8_t *input,
+                             size_t input_length) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* Don't require hash implementations to behave correctly on a
+     * zero-length input, which may have an invalid pointer. */
+    if (input_length == 0)
+        return (PSA_SUCCESS);
+
+    switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            ret = mbedtls_md2_update_ret(&operation->ctx.md2,
+                                         input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            ret = mbedtls_md4_update_ret(&operation->ctx.md4,
+                                         input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            ret = mbedtls_md5_update_ret(&operation->ctx.md5,
+                                         input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            ret = mbedtls_ripemd160_update_ret(&operation->ctx.ripemd160,
+                                               input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            ret = mbedtls_sha1_update_ret(&operation->ctx.sha1,
+                                          input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            ret = mbedtls_sha256_update_ret(&operation->ctx.sha256,
+                                            input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            ret = mbedtls_sha256_update_ret(&operation->ctx.sha256,
+                                            input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            ret = mbedtls_sha512_update_ret(&operation->ctx.sha512,
+                                            input, input_length);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            ret = mbedtls_sha512_update_ret(&operation->ctx.sha512,
+                                            input, input_length);
+            break;
+#endif
+        default:
+            (void)input;
+            return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (ret != 0)
+        psa_hash_abort(operation);
+    return (mbedtls_to_psa_error(ret));
+}
+
+psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
+                             uint8_t *hash,
+                             size_t hash_size,
+                             size_t *hash_length) {
+    psa_status_t status;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t actual_hash_length = PSA_HASH_LENGTH(operation->alg);
+
+    /* Fill the output buffer with something that isn't a valid hash
+     * (barring an attack on the hash and deliberately-crafted input),
+     * in case the caller doesn't check the return status properly. */
+    *hash_length = hash_size;
+    /* If hash_size is 0 then hash may be NULL and then the
+     * call to memset would have undefined behavior. */
+    if (hash_size != 0)
+        memset(hash, '!', hash_size);
+
+    if (hash_size < actual_hash_length) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+
+    switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            ret = mbedtls_md2_finish_ret(&operation->ctx.md2, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            ret = mbedtls_md4_finish_ret(&operation->ctx.md4, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            ret = mbedtls_md5_finish_ret(&operation->ctx.md5, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            ret = mbedtls_ripemd160_finish_ret(&operation->ctx.ripemd160, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            ret = mbedtls_sha1_finish_ret(&operation->ctx.sha1, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            ret = mbedtls_sha256_finish_ret(&operation->ctx.sha256, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            ret = mbedtls_sha256_finish_ret(&operation->ctx.sha256, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            ret = mbedtls_sha512_finish_ret(&operation->ctx.sha512, hash);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            ret = mbedtls_sha512_finish_ret(&operation->ctx.sha512, hash);
+            break;
+#endif
+        default:
+            return (PSA_ERROR_BAD_STATE);
+    }
+    status = mbedtls_to_psa_error(ret);
+
+exit:
+    if (status == PSA_SUCCESS) {
+        *hash_length = actual_hash_length;
+        return (psa_hash_abort(operation));
+    } else {
+        psa_hash_abort(operation);
+        return (status);
+    }
+}
+
+psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+                             const uint8_t *hash,
+                             size_t hash_length) {
+    uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
+    size_t actual_hash_length;
+    psa_status_t status = psa_hash_finish(operation,
+                                          actual_hash, sizeof(actual_hash),
+                                          &actual_hash_length);
+    if (status != PSA_SUCCESS)
+        return (status);
+    if (actual_hash_length != hash_length)
+        return (PSA_ERROR_INVALID_SIGNATURE);
+    if (safer_memcmp(hash, actual_hash, actual_hash_length) != 0)
+        return (PSA_ERROR_INVALID_SIGNATURE);
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+                              const uint8_t *input, size_t input_length,
+                              uint8_t *hash, size_t hash_size,
+                              size_t *hash_length) {
+    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    *hash_length = hash_size;
+    status = psa_hash_setup(&operation, alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = psa_hash_update(&operation, input, input_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = psa_hash_finish(&operation, hash, hash_size, hash_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+exit:
+    if (status == PSA_SUCCESS)
+        status = psa_hash_abort(&operation);
+    else
+        psa_hash_abort(&operation);
+    return (status);
+}
+
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+                              const uint8_t *input, size_t input_length,
+                              const uint8_t *hash, size_t hash_length) {
+    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    status = psa_hash_setup(&operation, alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = psa_hash_update(&operation, input, input_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = psa_hash_verify(&operation, hash, hash_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+exit:
+    if (status == PSA_SUCCESS)
+        status = psa_hash_abort(&operation);
+    else
+        psa_hash_abort(&operation);
+    return (status);
+}
+
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+                            psa_hash_operation_t *target_operation) {
+    if (target_operation->alg != 0)
+        return (PSA_ERROR_BAD_STATE);
+
+    switch (source_operation->alg) {
+        case 0:
+            return (PSA_ERROR_BAD_STATE);
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
+        case PSA_ALG_MD2:
+            mbedtls_md2_clone(&target_operation->ctx.md2,
+                              &source_operation->ctx.md2);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
+        case PSA_ALG_MD4:
+            mbedtls_md4_clone(&target_operation->ctx.md4,
+                              &source_operation->ctx.md4);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+        case PSA_ALG_MD5:
+            mbedtls_md5_clone(&target_operation->ctx.md5,
+                              &source_operation->ctx.md5);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+        case PSA_ALG_RIPEMD160:
+            mbedtls_ripemd160_clone(&target_operation->ctx.ripemd160,
+                                    &source_operation->ctx.ripemd160);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+        case PSA_ALG_SHA_1:
+            mbedtls_sha1_clone(&target_operation->ctx.sha1,
+                               &source_operation->ctx.sha1);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+        case PSA_ALG_SHA_224:
+            mbedtls_sha256_clone(&target_operation->ctx.sha256,
+                                 &source_operation->ctx.sha256);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+        case PSA_ALG_SHA_256:
+            mbedtls_sha256_clone(&target_operation->ctx.sha256,
+                                 &source_operation->ctx.sha256);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+        case PSA_ALG_SHA_384:
+            mbedtls_sha512_clone(&target_operation->ctx.sha512,
+                                 &source_operation->ctx.sha512);
+            break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+        case PSA_ALG_SHA_512:
+            mbedtls_sha512_clone(&target_operation->ctx.sha512,
+                                 &source_operation->ctx.sha512);
+            break;
+#endif
+        default:
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+
+    target_operation->alg = source_operation->alg;
+    return (PSA_SUCCESS);
+}
+
+
+/****************************************************************/
+/* MAC */
+/****************************************************************/
+
+static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+    psa_algorithm_t alg,
+    psa_key_type_t key_type,
+    size_t key_bits,
+    mbedtls_cipher_id_t *cipher_id) {
+    mbedtls_cipher_mode_t mode;
+    mbedtls_cipher_id_t cipher_id_tmp;
+
+    if (PSA_ALG_IS_AEAD(alg))
+        alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);
+
+    if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) {
+        switch (alg) {
+            case PSA_ALG_STREAM_CIPHER:
+                mode = MBEDTLS_MODE_STREAM;
+                break;
+            case PSA_ALG_CTR:
+                mode = MBEDTLS_MODE_CTR;
+                break;
+            case PSA_ALG_CFB:
+                mode = MBEDTLS_MODE_CFB;
+                break;
+            case PSA_ALG_OFB:
+                mode = MBEDTLS_MODE_OFB;
+                break;
+            case PSA_ALG_ECB_NO_PADDING:
+                mode = MBEDTLS_MODE_ECB;
+                break;
+            case PSA_ALG_CBC_NO_PADDING:
+                mode = MBEDTLS_MODE_CBC;
+                break;
+            case PSA_ALG_CBC_PKCS7:
+                mode = MBEDTLS_MODE_CBC;
+                break;
+            case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+                mode = MBEDTLS_MODE_CCM;
+                break;
+            case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+                mode = MBEDTLS_MODE_GCM;
+                break;
+            case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+                mode = MBEDTLS_MODE_CHACHAPOLY;
+                break;
+            default:
+                return (NULL);
+        }
+    } else if (alg == PSA_ALG_CMAC)
+        mode = MBEDTLS_MODE_ECB;
+    else
+        return (NULL);
+
+    switch (key_type) {
+        case PSA_KEY_TYPE_AES:
+            cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
+            break;
+        case PSA_KEY_TYPE_DES:
+            /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
+             * and 192 for three-key Triple-DES. */
+            if (key_bits == 64)
+                cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
+            else
+                cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
+            /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
+             * but two-key Triple-DES is functionally three-key Triple-DES
+             * with K1=K3, so that's how we present it to mbedtls. */
+            if (key_bits == 128)
+                key_bits = 192;
+            break;
+        case PSA_KEY_TYPE_CAMELLIA:
+            cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
+            break;
+        case PSA_KEY_TYPE_ARC4:
+            cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4;
+            break;
+        case PSA_KEY_TYPE_CHACHA20:
+            cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
+            break;
+        default:
+            return (NULL);
+    }
+    if (cipher_id != NULL)
+        *cipher_id = cipher_id_tmp;
+
+    return (mbedtls_cipher_info_from_values(cipher_id_tmp,
+                                            (int) key_bits, mode));
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static size_t psa_get_hash_block_size(psa_algorithm_t alg) {
+    switch (alg) {
+        case PSA_ALG_MD2:
+            return (16);
+        case PSA_ALG_MD4:
+            return (64);
+        case PSA_ALG_MD5:
+            return (64);
+        case PSA_ALG_RIPEMD160:
+            return (64);
+        case PSA_ALG_SHA_1:
+            return (64);
+        case PSA_ALG_SHA_224:
+            return (64);
+        case PSA_ALG_SHA_256:
+            return (64);
+        case PSA_ALG_SHA_384:
+            return (128);
+        case PSA_ALG_SHA_512:
+            return (128);
+        default:
+            return (0);
+    }
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) */
+
+/* Initialize the MAC operation structure. Once this function has been
+ * called, psa_mac_abort can run and will do the right thing. */
+static psa_status_t psa_mac_init(psa_mac_operation_t *operation,
+                                 psa_algorithm_t alg) {
+    psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+
+    operation->alg = PSA_ALG_FULL_LENGTH_MAC(alg);
+    operation->key_set = 0;
+    operation->iv_set = 0;
+    operation->iv_required = 0;
+    operation->has_input = 0;
+    operation->is_sign = 0;
+
+#if defined(MBEDTLS_CMAC_C)
+    if (operation->alg == PSA_ALG_CMAC) {
+        operation->iv_required = 0;
+        mbedtls_cipher_init(&operation->ctx.cmac);
+        status = PSA_SUCCESS;
+    } else
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+        if (PSA_ALG_IS_HMAC(operation->alg)) {
+            /* We'll set up the hash operation later in psa_hmac_setup_internal. */
+            operation->ctx.hmac.hash_ctx.alg = 0;
+            status = PSA_SUCCESS;
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+        {
+            if (! PSA_ALG_IS_MAC(alg))
+                status = PSA_ERROR_INVALID_ARGUMENT;
+        }
+
+    if (status != PSA_SUCCESS)
+        memset(operation, 0, sizeof(*operation));
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static psa_status_t psa_hmac_abort_internal(psa_hmac_internal_data *hmac) {
+    mbedtls_platform_zeroize(hmac->opad, sizeof(hmac->opad));
+    return (psa_hash_abort(&hmac->hash_ctx));
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+psa_status_t psa_mac_abort(psa_mac_operation_t *operation) {
+    if (operation->alg == 0) {
+        /* The object has (apparently) been initialized but it is not
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+        return (PSA_SUCCESS);
+    } else
+#if defined(MBEDTLS_CMAC_C)
+        if (operation->alg == PSA_ALG_CMAC) {
+            mbedtls_cipher_free(&operation->ctx.cmac);
+        } else
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+            if (PSA_ALG_IS_HMAC(operation->alg)) {
+                psa_hmac_abort_internal(&operation->ctx.hmac);
+            } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+            {
+                /* Sanity check (shouldn't happen: operation->alg should
+                 * always have been initialized to a valid value). */
+                goto bad_state;
+            }
+
+    operation->alg = 0;
+    operation->key_set = 0;
+    operation->iv_set = 0;
+    operation->iv_required = 0;
+    operation->has_input = 0;
+    operation->is_sign = 0;
+
+    return (PSA_SUCCESS);
+
+bad_state:
+    /* If abort is called on an uninitialized object, we can't trust
+     * anything. Wipe the object in case it contains confidential data.
+     * This may result in a memory leak if a pointer gets overwritten,
+     * but it's too late to do anything about this. */
+    memset(operation, 0, sizeof(*operation));
+    return (PSA_ERROR_BAD_STATE);
+}
+
+#if defined(MBEDTLS_CMAC_C)
+static psa_status_t psa_cmac_setup(psa_mac_operation_t *operation,
+                                   psa_key_slot_t *slot) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_cipher_info_t *cipher_info =
+        mbedtls_cipher_info_from_psa(PSA_ALG_CMAC,
+                                     slot->attr.type, slot->attr.bits,
+                                     NULL);
+    if (cipher_info == NULL)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    ret = mbedtls_cipher_setup(&operation->ctx.cmac, cipher_info);
+    if (ret != 0)
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_starts(&operation->ctx.cmac,
+                                     slot->key.data,
+                                     slot->attr.bits);
+exit:
+    return (mbedtls_to_psa_error(ret));
+}
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static psa_status_t psa_hmac_setup_internal(psa_hmac_internal_data *hmac,
+                                            const uint8_t *key,
+                                            size_t key_length,
+                                            psa_algorithm_t hash_alg) {
+    uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+    size_t i;
+    size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+    size_t block_size = psa_get_hash_block_size(hash_alg);
+    psa_status_t status;
+
+    /* Sanity checks on block_size, to guarantee that there won't be a buffer
+     * overflow below. This should never trigger if the hash algorithm
+     * is implemented correctly. */
+    /* The size checks against the ipad and opad buffers cannot be written
+     * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
+     * because that triggers -Wlogical-op on GCC 7.3. */
+    if (block_size > sizeof(ipad))
+        return (PSA_ERROR_NOT_SUPPORTED);
+    if (block_size > sizeof(hmac->opad))
+        return (PSA_ERROR_NOT_SUPPORTED);
+    if (block_size < hash_size)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    if (key_length > block_size) {
+        status = psa_hash_compute(hash_alg, key, key_length,
+                                  ipad, sizeof(ipad), &key_length);
+        if (status != PSA_SUCCESS)
+            goto cleanup;
+    }
+    /* A 0-length key is not commonly used in HMAC when used as a MAC,
+     * but it is permitted. It is common when HMAC is used in HKDF, for
+     * example. Don't call `memcpy` in the 0-length because `key` could be
+     * an invalid pointer which would make the behavior undefined. */
+    else if (key_length != 0)
+        memcpy(ipad, key, key_length);
+
+    /* ipad contains the key followed by garbage. Xor and fill with 0x36
+     * to create the ipad value. */
+    for (i = 0; i < key_length; i++)
+        ipad[i] ^= 0x36;
+    memset(ipad + key_length, 0x36, block_size - key_length);
+
+    /* Copy the key material from ipad to opad, flipping the requisite bits,
+     * and filling the rest of opad with the requisite constant. */
+    for (i = 0; i < key_length; i++)
+        hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
+    memset(hmac->opad + key_length, 0x5C, block_size - key_length);
+
+    status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+
+    status = psa_hash_update(&hmac->hash_ctx, ipad, block_size);
+
+cleanup:
+    mbedtls_platform_zeroize(ipad, sizeof(ipad));
+
+    return (status);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
+                                  mbedtls_svc_key_id_t key,
+                                  psa_algorithm_t alg,
+                                  int is_sign) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+    psa_key_usage_t usage =
+        is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH;
+
+    /* A context must be freshly initialized before it can be set up. */
+    if (operation->alg != 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    status = psa_mac_init(operation, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+    if (is_sign)
+        operation->is_sign = 1;
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 key, &slot, usage, alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Validate the combination of key type and algorithm */
+    status = psa_mac_key_can_do(alg, slot->attr.type);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Get the output length for the algorithm and key combination. None of the
+     * currently supported algorithms have an output length dependent on actual
+     * key size, so setting it to a bogus value is currently OK. */
+    operation->mac_size = PSA_MAC_LENGTH(slot->attr.type, 0, alg);
+
+    if (operation->mac_size < 4) {
+        /* A very short MAC is too short for security since it can be
+         * brute-forced. Ancient protocols with 32-bit MACs do exist,
+         * so we make this our minimum, even though 32 bits is still
+         * too small for security. */
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
+    }
+
+    if (operation->mac_size >
+            PSA_MAC_LENGTH(slot->attr.type, 0, PSA_ALG_FULL_LENGTH_MAC(alg))) {
+        /* It's impossible to "truncate" to a larger length than the full length
+         * of the algorithm. */
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_CMAC_C)
+    if (PSA_ALG_FULL_LENGTH_MAC(alg) == PSA_ALG_CMAC) {
+        status = psa_cmac_setup(operation, slot);
+    } else
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+        if (PSA_ALG_IS_HMAC(alg)) {
+            /* Sanity check. This shouldn't fail on a valid configuration. */
+            if (operation->mac_size > sizeof(operation->ctx.hmac.opad)) {
+                status = PSA_ERROR_NOT_SUPPORTED;
+                goto exit;
+            }
+
+            if (slot->attr.type != PSA_KEY_TYPE_HMAC) {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+                goto exit;
+            }
+
+            status = psa_hmac_setup_internal(&operation->ctx.hmac,
+                                             slot->key.data,
+                                             slot->key.bytes,
+                                             PSA_ALG_HMAC_GET_HASH(alg));
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+        {
+            status = PSA_ERROR_NOT_SUPPORTED;
+        }
+
+exit:
+    if (status != PSA_SUCCESS) {
+        psa_mac_abort(operation);
+    } else {
+        operation->key_set = 1;
+    }
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+                                mbedtls_svc_key_id_t key,
+                                psa_algorithm_t alg) {
+    return (psa_mac_setup(operation, key, alg, 1));
+}
+
+psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+                                  mbedtls_svc_key_id_t key,
+                                  psa_algorithm_t alg) {
+    return (psa_mac_setup(operation, key, alg, 0));
+}
+
+psa_status_t psa_mac_update(psa_mac_operation_t *operation,
+                            const uint8_t *input,
+                            size_t input_length) {
+    psa_status_t status = PSA_ERROR_BAD_STATE;
+    if (! operation->key_set)
+        return (PSA_ERROR_BAD_STATE);
+    if (operation->iv_required && ! operation->iv_set)
+        return (PSA_ERROR_BAD_STATE);
+    operation->has_input = 1;
+
+#if defined(MBEDTLS_CMAC_C)
+    if (operation->alg == PSA_ALG_CMAC) {
+        int ret = mbedtls_cipher_cmac_update(&operation->ctx.cmac,
+                                             input, input_length);
+        status = mbedtls_to_psa_error(ret);
+    } else
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+        if (PSA_ALG_IS_HMAC(operation->alg)) {
+            status = psa_hash_update(&operation->ctx.hmac.hash_ctx, input,
+                                     input_length);
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+        {
+            /* This shouldn't happen if `operation` was initialized by
+             * a setup function. */
+            return (PSA_ERROR_BAD_STATE);
+        }
+
+    if (status != PSA_SUCCESS)
+        psa_mac_abort(operation);
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static psa_status_t psa_hmac_finish_internal(psa_hmac_internal_data *hmac,
+                                             uint8_t *mac,
+                                             size_t mac_size) {
+    uint8_t tmp[MBEDTLS_MD_MAX_SIZE];
+    psa_algorithm_t hash_alg = hmac->hash_ctx.alg;
+    size_t hash_size = 0;
+    size_t block_size = psa_get_hash_block_size(hash_alg);
+    psa_status_t status;
+
+    status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+    if (status != PSA_SUCCESS)
+        return (status);
+    /* From here on, tmp needs to be wiped. */
+
+    status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_hash_update(&hmac->hash_ctx, hmac->opad, block_size);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_hash_update(&hmac->hash_ctx, tmp, hash_size);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    memcpy(mac, tmp, mac_size);
+
+exit:
+    mbedtls_platform_zeroize(tmp, hash_size);
+    return (status);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+static psa_status_t psa_mac_finish_internal(psa_mac_operation_t *operation,
+                                            uint8_t *mac,
+                                            size_t mac_size) {
+    if (! operation->key_set)
+        return (PSA_ERROR_BAD_STATE);
+    if (operation->iv_required && ! operation->iv_set)
+        return (PSA_ERROR_BAD_STATE);
+
+    if (mac_size < operation->mac_size)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+#if defined(MBEDTLS_CMAC_C)
+    if (operation->alg == PSA_ALG_CMAC) {
+        uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
+        int ret = mbedtls_cipher_cmac_finish(&operation->ctx.cmac, tmp);
+        if (ret == 0)
+            memcpy(mac, tmp, operation->mac_size);
+        mbedtls_platform_zeroize(tmp, sizeof(tmp));
+        return (mbedtls_to_psa_error(ret));
+    } else
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+        if (PSA_ALG_IS_HMAC(operation->alg)) {
+            return (psa_hmac_finish_internal(&operation->ctx.hmac,
+                                             mac, operation->mac_size));
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+        {
+            /* This shouldn't happen if `operation` was initialized by
+             * a setup function. */
+            return (PSA_ERROR_BAD_STATE);
+        }
+}
+
+psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
+                                 uint8_t *mac,
+                                 size_t mac_size,
+                                 size_t *mac_length) {
+    psa_status_t status;
+
+    if (operation->alg == 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    /* Fill the output buffer with something that isn't a valid mac
+     * (barring an attack on the mac and deliberately-crafted input),
+     * in case the caller doesn't check the return status properly. */
+    *mac_length = mac_size;
+    /* If mac_size is 0 then mac may be NULL and then the
+     * call to memset would have undefined behavior. */
+    if (mac_size != 0)
+        memset(mac, '!', mac_size);
+
+    if (! operation->is_sign) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    status = psa_mac_finish_internal(operation, mac, mac_size);
+
+    if (status == PSA_SUCCESS) {
+        status = psa_mac_abort(operation);
+        if (status == PSA_SUCCESS)
+            *mac_length = operation->mac_size;
+        else
+            memset(mac, '!', mac_size);
+    } else
+        psa_mac_abort(operation);
+    return (status);
+}
+
+psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
+                                   const uint8_t *mac,
+                                   size_t mac_length) {
+    uint8_t actual_mac[PSA_MAC_MAX_SIZE];
+    psa_status_t status;
+
+    if (operation->alg == 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (operation->is_sign) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+    if (operation->mac_size != mac_length) {
+        status = PSA_ERROR_INVALID_SIGNATURE;
+        goto cleanup;
+    }
+
+    status = psa_mac_finish_internal(operation,
+                                     actual_mac, sizeof(actual_mac));
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+
+    if (safer_memcmp(mac, actual_mac, mac_length) != 0)
+        status = PSA_ERROR_INVALID_SIGNATURE;
+
+cleanup:
+    if (status == PSA_SUCCESS)
+        status = psa_mac_abort(operation);
+    else
+        psa_mac_abort(operation);
+
+    mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
+
+    return (status);
+}
+
+
+
+/****************************************************************/
+/* Asymmetric cryptography */
+/****************************************************************/
+
+psa_status_t psa_sign_hash_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+    if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+        return (mbedtls_psa_rsa_sign_hash(
+                    attributes,
+                    key_buffer, key_buffer_size,
+                    alg, hash, hash_length,
+                    signature, signature_size, signature_length));
+    } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+        if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+            if (PSA_ALG_IS_ECDSA(alg)) {
+                return (mbedtls_psa_ecdsa_sign_hash(
+                            attributes,
+                            key_buffer, key_buffer_size,
+                            alg, hash, hash_length,
+                            signature, signature_size, signature_length));
+            } else {
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            }
+        } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+        {
+            (void)attributes;
+            (void)key_buffer;
+            (void)key_buffer_size;
+            (void)alg;
+            (void)hash;
+            (void)hash_length;
+            (void)signature;
+            (void)signature_size;
+            (void)signature_length;
+
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+}
+
+psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
+                           psa_algorithm_t alg,
+                           const uint8_t *hash,
+                           size_t hash_length,
+                           uint8_t *signature,
+                           size_t signature_size,
+                           size_t *signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    *signature_length = signature_size;
+    /* Immediately reject a zero-length signature buffer. This guarantees
+     * that signature must be a valid pointer. (On the other hand, the hash
+     * buffer can in principle be empty since it doesn't actually have
+     * to be a hash.) */
+    if (signature_size == 0)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+                                                   PSA_KEY_USAGE_SIGN_HASH,
+                                                   alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    if (! PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    status = psa_driver_wrapper_sign_hash(
+                 &attributes, slot->key.data, slot->key.bytes,
+                 alg, hash, hash_length,
+                 signature, signature_size, signature_length);
+
+exit:
+    /* Fill the unused part of the output buffer (the whole buffer on error,
+     * the trailing part on success) with something that isn't a valid mac
+     * (barring an attack on the mac and deliberately-crafted input),
+     * in case the caller doesn't check the return status properly. */
+    if (status == PSA_SUCCESS)
+        memset(signature + *signature_length, '!',
+               signature_size - *signature_length);
+    else
+        memset(signature, '!', signature_size);
+    /* If signature_size is 0 then we have nothing to do. We must not call
+     * memset because signature may be NULL in this case. */
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_verify_hash_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+    if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) {
+        return (mbedtls_psa_rsa_verify_hash(
+                    attributes,
+                    key_buffer, key_buffer_size,
+                    alg, hash, hash_length,
+                    signature, signature_length));
+    } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+        if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+            if (PSA_ALG_IS_ECDSA(alg)) {
+                return (mbedtls_psa_ecdsa_verify_hash(
+                            attributes,
+                            key_buffer, key_buffer_size,
+                            alg, hash, hash_length,
+                            signature, signature_length));
+            } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+            {
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            }
+        } else {
+            (void)key_buffer;
+            (void)key_buffer_size;
+            (void)alg;
+            (void)hash;
+            (void)hash_length;
+            (void)signature;
+            (void)signature_length;
+
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+}
+
+psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
+                             psa_algorithm_t alg,
+                             const uint8_t *hash,
+                             size_t hash_length,
+                             const uint8_t *signature,
+                             size_t signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+                                                   PSA_KEY_USAGE_VERIFY_HASH,
+                                                   alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    status = psa_driver_wrapper_verify_hash(
+                 &attributes, slot->key.data, slot->key.bytes,
+                 alg, hash, hash_length,
+                 signature, signature_length);
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+static void psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
+                                          mbedtls_rsa_context *rsa) {
+    psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa(hash_alg);
+    mbedtls_md_type_t md_alg = mbedtls_md_get_type(md_info);
+    mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+
+psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
+                                    psa_algorithm_t alg,
+                                    const uint8_t *input,
+                                    size_t input_length,
+                                    const uint8_t *salt,
+                                    size_t salt_length,
+                                    uint8_t *output,
+                                    size_t output_size,
+                                    size_t *output_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    (void) input;
+    (void) input_length;
+    (void) salt;
+    (void) output;
+    (void) output_size;
+
+    *output_length = 0;
+
+    if (! PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+    if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
+            PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+    if (PSA_KEY_TYPE_IS_RSA(slot->attr.type)) {
+        mbedtls_rsa_context *rsa = NULL;
+        status = mbedtls_psa_rsa_load_representation(slot->attr.type,
+                                                     slot->key.data,
+                                                     slot->key.bytes,
+                                                     &rsa);
+        if (status != PSA_SUCCESS)
+            goto rsa_exit;
+
+        if (output_size < mbedtls_rsa_get_len(rsa)) {
+            status = PSA_ERROR_BUFFER_TOO_SMALL;
+            goto rsa_exit;
+        }
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+        if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+            status = mbedtls_to_psa_error(
+                         mbedtls_rsa_pkcs1_encrypt(rsa,
+                                                   mbedtls_psa_get_random,
+                                                   MBEDTLS_PSA_RANDOM_STATE,
+                                                   MBEDTLS_RSA_PUBLIC,
+                                                   input_length,
+                                                   input,
+                                                   output));
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+            if (PSA_ALG_IS_RSA_OAEP(alg)) {
+                psa_rsa_oaep_set_padding_mode(alg, rsa);
+                status = mbedtls_to_psa_error(
+                             mbedtls_rsa_rsaes_oaep_encrypt(rsa,
+                                                            mbedtls_psa_get_random,
+                                                            MBEDTLS_PSA_RANDOM_STATE,
+                                                            MBEDTLS_RSA_PUBLIC,
+                                                            salt, salt_length,
+                                                            input_length,
+                                                            input,
+                                                            output));
+            } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+            {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+                goto rsa_exit;
+            }
+rsa_exit:
+        if (status == PSA_SUCCESS)
+            *output_length = mbedtls_rsa_get_len(rsa);
+
+        mbedtls_rsa_free(rsa);
+        mbedtls_free(rsa);
+    } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+    {
+        status = PSA_ERROR_NOT_SUPPORTED;
+    }
+
+exit:
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
+                                    psa_algorithm_t alg,
+                                    const uint8_t *input,
+                                    size_t input_length,
+                                    const uint8_t *salt,
+                                    size_t salt_length,
+                                    uint8_t *output,
+                                    size_t output_size,
+                                    size_t *output_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    (void) input;
+    (void) input_length;
+    (void) salt;
+    (void) output;
+    (void) output_size;
+
+    *output_length = 0;
+
+    if (! PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+    if (! PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+    if (slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+        mbedtls_rsa_context *rsa = NULL;
+        status = mbedtls_psa_rsa_load_representation(slot->attr.type,
+                                                     slot->key.data,
+                                                     slot->key.bytes,
+                                                     &rsa);
+        if (status != PSA_SUCCESS)
+            goto exit;
+
+        if (input_length != mbedtls_rsa_get_len(rsa)) {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            goto rsa_exit;
+        }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+        if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+            status = mbedtls_to_psa_error(
+                         mbedtls_rsa_pkcs1_decrypt(rsa,
+                                                   mbedtls_psa_get_random,
+                                                   MBEDTLS_PSA_RANDOM_STATE,
+                                                   MBEDTLS_RSA_PRIVATE,
+                                                   output_length,
+                                                   input,
+                                                   output,
+                                                   output_size));
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+            if (PSA_ALG_IS_RSA_OAEP(alg)) {
+                psa_rsa_oaep_set_padding_mode(alg, rsa);
+                status = mbedtls_to_psa_error(
+                             mbedtls_rsa_rsaes_oaep_decrypt(rsa,
+                                                            mbedtls_psa_get_random,
+                                                            MBEDTLS_PSA_RANDOM_STATE,
+                                                            MBEDTLS_RSA_PRIVATE,
+                                                            salt, salt_length,
+                                                            output_length,
+                                                            input,
+                                                            output,
+                                                            output_size));
+            } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+            {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+            }
+
+rsa_exit:
+        mbedtls_rsa_free(rsa);
+        mbedtls_free(rsa);
+    } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+    {
+        status = PSA_ERROR_NOT_SUPPORTED;
+    }
+
+exit:
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+
+
+/****************************************************************/
+/* Symmetric cryptography */
+/****************************************************************/
+
+static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
+                                     mbedtls_svc_key_id_t key,
+                                     psa_algorithm_t alg,
+                                     mbedtls_operation_t cipher_operation) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    int ret = 0;
+    psa_key_slot_t *slot;
+    size_t key_bits;
+    const mbedtls_cipher_info_t *cipher_info = NULL;
+    psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
+                             PSA_KEY_USAGE_ENCRYPT :
+                             PSA_KEY_USAGE_DECRYPT);
+
+    /* A context must be freshly initialized before it can be set up. */
+    if (operation->alg != 0)
+        return (PSA_ERROR_BAD_STATE);
+
+    /* The requested algorithm must be one that can be processed by cipher. */
+    if (! PSA_ALG_IS_CIPHER(alg))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    /* Fetch key material from key storage. */
+    status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Initialize the operation struct members, except for alg. The alg member
+     * is used to indicate to psa_cipher_abort that there are resources to free,
+     * so we only set it after resources have been allocated/initialized. */
+    operation->key_set = 0;
+    operation->iv_set = 0;
+    operation->mbedtls_in_use = 0;
+    operation->iv_size = 0;
+    operation->block_size = 0;
+    if (alg == PSA_ALG_ECB_NO_PADDING)
+        operation->iv_required = 0;
+    else
+        operation->iv_required = 1;
+
+    /* Try doing the operation through a driver before using software fallback. */
+    if (cipher_operation == MBEDTLS_ENCRYPT)
+        status = psa_driver_wrapper_cipher_encrypt_setup(&operation->ctx.driver,
+                                                         slot,
+                                                         alg);
+    else
+        status = psa_driver_wrapper_cipher_decrypt_setup(&operation->ctx.driver,
+                                                         slot,
+                                                         alg);
+
+    if (status == PSA_SUCCESS) {
+        /* Once the driver context is initialised, it needs to be freed using
+        * psa_cipher_abort. Indicate this through setting alg. */
+        operation->alg = alg;
+    }
+
+    if (status != PSA_ERROR_NOT_SUPPORTED ||
+            psa_key_lifetime_is_external(slot->attr.lifetime))
+        goto exit;
+
+    /* Proceed with initializing an mbed TLS cipher context if no driver is
+     * available for the given algorithm & key. */
+    mbedtls_cipher_init(&operation->ctx.cipher);
+
+    /* Once the cipher context is initialised, it needs to be freed using
+     * psa_cipher_abort. Indicate there is something to be freed through setting
+     * alg, and indicate the operation is being done using mbedtls crypto through
+     * setting mbedtls_in_use. */
+    operation->alg = alg;
+    operation->mbedtls_in_use = 1;
+
+    key_bits = psa_get_key_slot_bits(slot);
+    cipher_info = mbedtls_cipher_info_from_psa(alg, slot->attr.type, key_bits, NULL);
+    if (cipher_info == NULL) {
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
+    }
+
+    ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info);
+    if (ret != 0)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+    if (slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128) {
+        /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
+        uint8_t keys[24];
+        memcpy(keys, slot->key.data, 16);
+        memcpy(keys + 16, slot->key.data, 8);
+        ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
+                                    keys,
+                                    192, cipher_operation);
+    } else
+#endif
+    {
+        ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
+                                    slot->key.data,
+                                    (int) key_bits, cipher_operation);
+    }
+    if (ret != 0)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
+    switch (alg) {
+        case PSA_ALG_CBC_NO_PADDING:
+            ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+                                                  MBEDTLS_PADDING_NONE);
+            break;
+        case PSA_ALG_CBC_PKCS7:
+            ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+                                                  MBEDTLS_PADDING_PKCS7);
+            break;
+        default:
+            /* The algorithm doesn't involve padding. */
+            ret = 0;
+            break;
+    }
+    if (ret != 0)
+        goto exit;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */
+
+    operation->block_size = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 :
+                             PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type));
+    if ((alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG) != 0 &&
+            alg != PSA_ALG_ECB_NO_PADDING) {
+        operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type);
+    }
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
+    else if (alg == PSA_ALG_STREAM_CIPHER && slot->attr.type == PSA_KEY_TYPE_CHACHA20)
+        operation->iv_size = 12;
+#endif
+
+    status = PSA_SUCCESS;
+
+exit:
+    if (ret != 0)
+        status = mbedtls_to_psa_error(ret);
+    if (status == PSA_SUCCESS) {
+        /* Update operation flags for both driver and software implementations */
+        operation->key_set = 1;
+    } else
+        psa_cipher_abort(operation);
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+                                      mbedtls_svc_key_id_t key,
+                                      psa_algorithm_t alg) {
+    return (psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT));
+}
+
+psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+                                      mbedtls_svc_key_id_t key,
+                                      psa_algorithm_t alg) {
+    return (psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT));
+}
+
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+                                    uint8_t *iv,
+                                    size_t iv_size,
+                                    size_t *iv_length) {
+    psa_status_t status;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    if (operation->iv_set || ! operation->iv_required) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (operation->mbedtls_in_use == 0) {
+        status = psa_driver_wrapper_cipher_generate_iv(&operation->ctx.driver,
+                                                       iv,
+                                                       iv_size,
+                                                       iv_length);
+        goto exit;
+    }
+
+    if (iv_size < operation->iv_size) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+    ret = mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE,
+                                 iv, operation->iv_size);
+    if (ret != 0) {
+        status = mbedtls_to_psa_error(ret);
+        goto exit;
+    }
+
+    *iv_length = operation->iv_size;
+    status = psa_cipher_set_iv(operation, iv, *iv_length);
+
+exit:
+    if (status == PSA_SUCCESS)
+        operation->iv_set = 1;
+    else
+        psa_cipher_abort(operation);
+    return (status);
+}
+
+psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
+                               const uint8_t *iv,
+                               size_t iv_length) {
+    psa_status_t status;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    if (operation->iv_set || ! operation->iv_required) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (operation->mbedtls_in_use == 0) {
+        status = psa_driver_wrapper_cipher_set_iv(&operation->ctx.driver,
+                                                  iv,
+                                                  iv_length);
+        goto exit;
+    }
+
+    if (iv_length != operation->iv_size) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+    ret = mbedtls_cipher_set_iv(&operation->ctx.cipher, iv, iv_length);
+    status = mbedtls_to_psa_error(ret);
+exit:
+    if (status == PSA_SUCCESS)
+        operation->iv_set = 1;
+    else
+        psa_cipher_abort(operation);
+    return (status);
+}
+
+/* Process input for which the algorithm is set to ECB mode. This requires
+ * manual processing, since the PSA API is defined as being able to process
+ * arbitrary-length calls to psa_cipher_update() with ECB mode, but the
+ * underlying mbedtls_cipher_update only takes full blocks. */
+static psa_status_t psa_cipher_update_ecb_internal(
+    mbedtls_cipher_context_t *ctx,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    size_t block_size = ctx->cipher_info->block_size;
+    size_t internal_output_length = 0;
+    *output_length = 0;
+
+    if (input_length == 0) {
+        status = PSA_SUCCESS;
+        goto exit;
+    }
+
+    if (ctx->unprocessed_len > 0) {
+        /* Fill up to block size, and run the block if there's a full one. */
+        size_t bytes_to_copy = block_size - ctx->unprocessed_len;
+
+        if (input_length < bytes_to_copy)
+            bytes_to_copy = input_length;
+
+        memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+               input, bytes_to_copy);
+        input_length -= bytes_to_copy;
+        input += bytes_to_copy;
+        ctx->unprocessed_len += bytes_to_copy;
+
+        if (ctx->unprocessed_len == block_size) {
+            status = mbedtls_to_psa_error(
+                         mbedtls_cipher_update(ctx,
+                                               ctx->unprocessed_data,
+                                               block_size,
+                                               output, &internal_output_length));
+
+            if (status != PSA_SUCCESS)
+                goto exit;
+
+            output += internal_output_length;
+            output_size -= internal_output_length;
+            *output_length += internal_output_length;
+            ctx->unprocessed_len = 0;
+        }
+    }
+
+    while (input_length >= block_size) {
+        /* Run all full blocks we have, one by one */
+        status = mbedtls_to_psa_error(
+                     mbedtls_cipher_update(ctx, input,
+                                           block_size,
+                                           output, &internal_output_length));
+
+        if (status != PSA_SUCCESS)
+            goto exit;
+
+        input_length -= block_size;
+        input += block_size;
+
+        output += internal_output_length;
+        output_size -= internal_output_length;
+        *output_length += internal_output_length;
+    }
+
+    if (input_length > 0) {
+        /* Save unprocessed bytes for later processing */
+        memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+               input, input_length);
+        ctx->unprocessed_len += input_length;
+    }
+
+    status = PSA_SUCCESS;
+
+exit:
+    return (status);
+}
+
+psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
+                               const uint8_t *input,
+                               size_t input_length,
+                               uint8_t *output,
+                               size_t output_size,
+                               size_t *output_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    size_t expected_output_size;
+    if (operation->alg == 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+    if (operation->iv_required && ! operation->iv_set) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (operation->mbedtls_in_use == 0) {
+        status = psa_driver_wrapper_cipher_update(&operation->ctx.driver,
+                                                  input,
+                                                  input_length,
+                                                  output,
+                                                  output_size,
+                                                  output_length);
+        goto exit;
+    }
+
+    if (! PSA_ALG_IS_STREAM_CIPHER(operation->alg)) {
+        /* Take the unprocessed partial block left over from previous
+         * update calls, if any, plus the input to this call. Remove
+         * the last partial block, if any. You get the data that will be
+         * output in this call. */
+        expected_output_size =
+            (operation->ctx.cipher.unprocessed_len + input_length)
+            / operation->block_size * operation->block_size;
+    } else {
+        expected_output_size = input_length;
+    }
+
+    if (output_size < expected_output_size) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+
+    if (operation->alg == PSA_ALG_ECB_NO_PADDING) {
+        /* mbedtls_cipher_update has an API inconsistency: it will only
+        * process a single block at a time in ECB mode. Abstract away that
+        * inconsistency here to match the PSA API behaviour. */
+        status = psa_cipher_update_ecb_internal(&operation->ctx.cipher,
+                                                input,
+                                                input_length,
+                                                output,
+                                                output_size,
+                                                output_length);
+    } else {
+        status = mbedtls_to_psa_error(
+                     mbedtls_cipher_update(&operation->ctx.cipher, input,
+                                           input_length, output, output_length));
+    }
+exit:
+    if (status != PSA_SUCCESS)
+        psa_cipher_abort(operation);
+    return (status);
+}
+
+psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
+                               uint8_t *output,
+                               size_t output_size,
+                               size_t *output_length) {
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+    uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
+    if (operation->alg == 0) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+    if (operation->iv_required && ! operation->iv_set) {
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (operation->mbedtls_in_use == 0) {
+        status = psa_driver_wrapper_cipher_finish(&operation->ctx.driver,
+                                                  output,
+                                                  output_size,
+                                                  output_length);
+        goto exit;
+    }
+
+    if (operation->ctx.cipher.unprocessed_len != 0) {
+        if (operation->alg == PSA_ALG_ECB_NO_PADDING ||
+                operation->alg == PSA_ALG_CBC_NO_PADDING) {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            goto exit;
+        }
+    }
+
+    status = mbedtls_to_psa_error(
+                 mbedtls_cipher_finish(&operation->ctx.cipher,
+                                       temp_output_buffer,
+                                       output_length));
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    if (*output_length == 0)
+        ; /* Nothing to copy. Note that output may be NULL in this case. */
+    else if (output_size >= *output_length)
+        memcpy(output, temp_output_buffer, *output_length);
+    else
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+
+exit:
+    if (operation->mbedtls_in_use == 1)
+        mbedtls_platform_zeroize(temp_output_buffer, sizeof(temp_output_buffer));
+
+    if (status == PSA_SUCCESS)
+        return (psa_cipher_abort(operation));
+    else {
+        *output_length = 0;
+        (void) psa_cipher_abort(operation);
+
+        return (status);
+    }
+}
+
+psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation) {
+    if (operation->alg == 0) {
+        /* The object has (apparently) been initialized but it is not (yet)
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+        return (PSA_SUCCESS);
+    }
+
+    /* Sanity check (shouldn't happen: operation->alg should
+     * always have been initialized to a valid value). */
+    if (! PSA_ALG_IS_CIPHER(operation->alg))
+        return (PSA_ERROR_BAD_STATE);
+
+    if (operation->mbedtls_in_use == 0)
+        psa_driver_wrapper_cipher_abort(&operation->ctx.driver);
+    else
+        mbedtls_cipher_free(&operation->ctx.cipher);
+
+    operation->alg = 0;
+    operation->key_set = 0;
+    operation->iv_set = 0;
+    operation->mbedtls_in_use = 0;
+    operation->iv_size = 0;
+    operation->block_size = 0;
+    operation->iv_required = 0;
+
+    return (PSA_SUCCESS);
+}
+
+
+
+
+/****************************************************************/
+/* AEAD */
+/****************************************************************/
+
+typedef struct {
+    psa_key_slot_t *slot;
+    const mbedtls_cipher_info_t *cipher_info;
+    union {
+        unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
+#if defined(MBEDTLS_CCM_C)
+        mbedtls_ccm_context ccm;
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_GCM_C)
+        mbedtls_gcm_context gcm;
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+        mbedtls_chachapoly_context chachapoly;
+#endif /* MBEDTLS_CHACHAPOLY_C */
+    } ctx;
+    psa_algorithm_t core_alg;
+    uint8_t full_tag_length;
+    uint8_t tag_length;
+} aead_operation_t;
+
+#define AEAD_OPERATION_INIT {0, 0, {0}, 0, 0, 0}
+
+static void psa_aead_abort_internal(aead_operation_t *operation) {
+    switch (operation->core_alg) {
+#if defined(MBEDTLS_CCM_C)
+        case PSA_ALG_CCM:
+            mbedtls_ccm_free(&operation->ctx.ccm);
+            break;
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_GCM_C)
+        case PSA_ALG_GCM:
+            mbedtls_gcm_free(&operation->ctx.gcm);
+            break;
+#endif /* MBEDTLS_GCM_C */
+    }
+
+    psa_unlock_key_slot(operation->slot);
+}
+
+static psa_status_t psa_aead_setup(aead_operation_t *operation,
+                                   mbedtls_svc_key_id_t key,
+                                   psa_key_usage_t usage,
+                                   psa_algorithm_t alg) {
+    psa_status_t status;
+    size_t key_bits;
+    mbedtls_cipher_id_t cipher_id;
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 key, &operation->slot, usage, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    key_bits = psa_get_key_slot_bits(operation->slot);
+
+    operation->cipher_info =
+        mbedtls_cipher_info_from_psa(alg, operation->slot->attr.type, key_bits,
+                                     &cipher_id);
+    if (operation->cipher_info == NULL) {
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto cleanup;
+    }
+
+    switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
+#if defined(MBEDTLS_CCM_C)
+        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+            operation->core_alg = PSA_ALG_CCM;
+            operation->full_tag_length = 16;
+            /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
+             * The call to mbedtls_ccm_encrypt_and_tag or
+             * mbedtls_ccm_auth_decrypt will validate the tag length. */
+            if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(operation->slot->attr.type) != 16) {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+                goto cleanup;
+            }
+            mbedtls_ccm_init(&operation->ctx.ccm);
+            status = mbedtls_to_psa_error(
+                         mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
+                                            operation->slot->key.data,
+                                            (unsigned int) key_bits));
+            if (status != 0)
+                goto cleanup;
+            break;
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_GCM_C)
+        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+            operation->core_alg = PSA_ALG_GCM;
+            operation->full_tag_length = 16;
+            /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
+             * The call to mbedtls_gcm_crypt_and_tag or
+             * mbedtls_gcm_auth_decrypt will validate the tag length. */
+            if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(operation->slot->attr.type) != 16) {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+                goto cleanup;
+            }
+            mbedtls_gcm_init(&operation->ctx.gcm);
+            status = mbedtls_to_psa_error(
+                         mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
+                                            operation->slot->key.data,
+                                            (unsigned int) key_bits));
+            if (status != 0)
+                goto cleanup;
+            break;
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+            operation->core_alg = PSA_ALG_CHACHA20_POLY1305;
+            operation->full_tag_length = 16;
+            /* We only support the default tag length. */
+            if (alg != PSA_ALG_CHACHA20_POLY1305) {
+                status = PSA_ERROR_NOT_SUPPORTED;
+                goto cleanup;
+            }
+            mbedtls_chachapoly_init(&operation->ctx.chachapoly);
+            status = mbedtls_to_psa_error(
+                         mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
+                                                   operation->slot->key.data));
+            if (status != 0)
+                goto cleanup;
+            break;
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+        default:
+            status = PSA_ERROR_NOT_SUPPORTED;
+            goto cleanup;
+    }
+
+    if (PSA_AEAD_TAG_LENGTH(alg) > operation->full_tag_length) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto cleanup;
+    }
+    operation->tag_length = PSA_AEAD_TAG_LENGTH(alg);
+
+    return (PSA_SUCCESS);
+
+cleanup:
+    psa_aead_abort_internal(operation);
+    return (status);
+}
+
+psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
+                              psa_algorithm_t alg,
+                              const uint8_t *nonce,
+                              size_t nonce_length,
+                              const uint8_t *additional_data,
+                              size_t additional_data_length,
+                              const uint8_t *plaintext,
+                              size_t plaintext_length,
+                              uint8_t *ciphertext,
+                              size_t ciphertext_size,
+                              size_t *ciphertext_length) {
+    psa_status_t status;
+    aead_operation_t operation = AEAD_OPERATION_INIT;
+    uint8_t *tag;
+
+    *ciphertext_length = 0;
+
+    status = psa_aead_setup(&operation, key, PSA_KEY_USAGE_ENCRYPT, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    /* For all currently supported modes, the tag is at the end of the
+     * ciphertext. */
+    if (ciphertext_size < (plaintext_length + operation.tag_length)) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+    tag = ciphertext + plaintext_length;
+
+#if defined(MBEDTLS_GCM_C)
+    if (operation.core_alg == PSA_ALG_GCM) {
+        status = mbedtls_to_psa_error(
+                     mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
+                                               MBEDTLS_GCM_ENCRYPT,
+                                               plaintext_length,
+                                               nonce, nonce_length,
+                                               additional_data, additional_data_length,
+                                               plaintext, ciphertext,
+                                               operation.tag_length, tag));
+    } else
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+        if (operation.core_alg == PSA_ALG_CCM) {
+            status = mbedtls_to_psa_error(
+                         mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
+                                                     plaintext_length,
+                                                     nonce, nonce_length,
+                                                     additional_data,
+                                                     additional_data_length,
+                                                     plaintext, ciphertext,
+                                                     tag, operation.tag_length));
+        } else
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+            if (operation.core_alg == PSA_ALG_CHACHA20_POLY1305) {
+                if (nonce_length != 12 || operation.tag_length != 16) {
+                    status = PSA_ERROR_NOT_SUPPORTED;
+                    goto exit;
+                }
+                status = mbedtls_to_psa_error(
+                             mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
+                                                                plaintext_length,
+                                                                nonce,
+                                                                additional_data,
+                                                                additional_data_length,
+                                                                plaintext,
+                                                                ciphertext,
+                                                                tag));
+            } else
+#endif /* MBEDTLS_CHACHAPOLY_C */
+            {
+                (void) tag;
+                return (PSA_ERROR_NOT_SUPPORTED);
+            }
+
+    if (status != PSA_SUCCESS && ciphertext_size != 0)
+        memset(ciphertext, 0, ciphertext_size);
+
+exit:
+    psa_aead_abort_internal(&operation);
+    if (status == PSA_SUCCESS)
+        *ciphertext_length = plaintext_length + operation.tag_length;
+    return (status);
+}
+
+/* Locate the tag in a ciphertext buffer containing the encrypted data
+ * followed by the tag. Return the length of the part preceding the tag in
+ * *plaintext_length. This is the size of the plaintext in modes where
+ * the encrypted data has the same size as the plaintext, such as
+ * CCM and GCM. */
+static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
+                                                 const uint8_t *ciphertext,
+                                                 size_t ciphertext_length,
+                                                 size_t plaintext_size,
+                                                 const uint8_t **p_tag) {
+    size_t payload_length;
+    if (tag_length > ciphertext_length)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    payload_length = ciphertext_length - tag_length;
+    if (payload_length > plaintext_size)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+    *p_tag = ciphertext + payload_length;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
+                              psa_algorithm_t alg,
+                              const uint8_t *nonce,
+                              size_t nonce_length,
+                              const uint8_t *additional_data,
+                              size_t additional_data_length,
+                              const uint8_t *ciphertext,
+                              size_t ciphertext_length,
+                              uint8_t *plaintext,
+                              size_t plaintext_size,
+                              size_t *plaintext_length) {
+    psa_status_t status;
+    aead_operation_t operation = AEAD_OPERATION_INIT;
+    const uint8_t *tag = NULL;
+
+    *plaintext_length = 0;
+
+    status = psa_aead_setup(&operation, key, PSA_KEY_USAGE_DECRYPT, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = psa_aead_unpadded_locate_tag(operation.tag_length,
+                                          ciphertext, ciphertext_length,
+                                          plaintext_size, &tag);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+#if defined(MBEDTLS_GCM_C)
+    if (operation.core_alg == PSA_ALG_GCM) {
+        status = mbedtls_to_psa_error(
+                     mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
+                                              ciphertext_length - operation.tag_length,
+                                              nonce, nonce_length,
+                                              additional_data,
+                                              additional_data_length,
+                                              tag, operation.tag_length,
+                                              ciphertext, plaintext));
+    } else
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+        if (operation.core_alg == PSA_ALG_CCM) {
+            status = mbedtls_to_psa_error(
+                         mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
+                                                  ciphertext_length - operation.tag_length,
+                                                  nonce, nonce_length,
+                                                  additional_data,
+                                                  additional_data_length,
+                                                  ciphertext, plaintext,
+                                                  tag, operation.tag_length));
+        } else
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+            if (operation.core_alg == PSA_ALG_CHACHA20_POLY1305) {
+                if (nonce_length != 12 || operation.tag_length != 16) {
+                    status = PSA_ERROR_NOT_SUPPORTED;
+                    goto exit;
+                }
+                status = mbedtls_to_psa_error(
+                             mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
+                                                             ciphertext_length - operation.tag_length,
+                                                             nonce,
+                                                             additional_data,
+                                                             additional_data_length,
+                                                             tag,
+                                                             ciphertext,
+                                                             plaintext));
+            } else
+#endif /* MBEDTLS_CHACHAPOLY_C */
+            {
+                return (PSA_ERROR_NOT_SUPPORTED);
+            }
+
+    if (status != PSA_SUCCESS && plaintext_size != 0)
+        memset(plaintext, 0, plaintext_size);
+
+exit:
+    psa_aead_abort_internal(&operation);
+    if (status == PSA_SUCCESS)
+        *plaintext_length = ciphertext_length - operation.tag_length;
+    return (status);
+}
+
+
+
+/****************************************************************/
+/* Generators */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+#define AT_LEAST_ONE_BUILTIN_KDF
+#endif
+
+#define HKDF_STATE_INIT 0 /* no input yet */
+#define HKDF_STATE_STARTED 1 /* got salt */
+#define HKDF_STATE_KEYED 2 /* got key */
+#define HKDF_STATE_OUTPUT 3 /* output started */
+
+static psa_algorithm_t psa_key_derivation_get_kdf_alg(
+    const psa_key_derivation_operation_t *operation) {
+    if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg))
+        return (PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg));
+    else
+        return (operation->alg);
+}
+
+psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation) {
+    psa_status_t status = PSA_SUCCESS;
+    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+    if (kdf_alg == 0) {
+        /* The object has (apparently) been initialized but it is not
+         * in use. It's ok to call abort on such an object, and there's
+         * nothing to do. */
+    } else
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+        if (PSA_ALG_IS_HKDF(kdf_alg)) {
+            mbedtls_free(operation->ctx.hkdf.info);
+            status = psa_hmac_abort_internal(&operation->ctx.hkdf.hmac);
+        } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+            if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+                    /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
+                    PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+                if (operation->ctx.tls12_prf.seed != NULL) {
+                    mbedtls_platform_zeroize(operation->ctx.tls12_prf.seed,
+                                             operation->ctx.tls12_prf.seed_length);
+                    mbedtls_free(operation->ctx.tls12_prf.seed);
+                }
+
+                if (operation->ctx.tls12_prf.label != NULL) {
+                    mbedtls_platform_zeroize(operation->ctx.tls12_prf.label,
+                                             operation->ctx.tls12_prf.label_length);
+                    mbedtls_free(operation->ctx.tls12_prf.label);
+                }
+
+                status = psa_hmac_abort_internal(&operation->ctx.tls12_prf.hmac);
+
+                /* We leave the fields Ai and output_block to be erased safely by the
+                 * mbedtls_platform_zeroize() in the end of this function. */
+            } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
+            {
+                status = PSA_ERROR_BAD_STATE;
+            }
+    mbedtls_platform_zeroize(operation, sizeof(*operation));
+    return (status);
+}
+
+psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
+                                             size_t *capacity) {
+    if (operation->alg == 0) {
+        /* This is a blank key derivation operation. */
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    *capacity = operation->capacity;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
+                                             size_t capacity) {
+    if (operation->alg == 0)
+        return (PSA_ERROR_BAD_STATE);
+    if (capacity > operation->capacity)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    operation->capacity = capacity;
+    return (PSA_SUCCESS);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+/* Read some bytes from an HKDF-based operation. This performs a chunk
+ * of the expand phase of the HKDF algorithm. */
+static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
+                                                 psa_algorithm_t hash_alg,
+                                                 uint8_t *output,
+                                                 size_t output_length) {
+    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+    psa_status_t status;
+
+    if (hkdf->state < HKDF_STATE_KEYED || ! hkdf->info_set)
+        return (PSA_ERROR_BAD_STATE);
+    hkdf->state = HKDF_STATE_OUTPUT;
+
+    while (output_length != 0) {
+        /* Copy what remains of the current block */
+        uint8_t n = hash_length - hkdf->offset_in_block;
+        if (n > output_length)
+            n = (uint8_t) output_length;
+        memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
+        output += n;
+        output_length -= n;
+        hkdf->offset_in_block += n;
+        if (output_length == 0)
+            break;
+        /* We can't be wanting more output after block 0xff, otherwise
+         * the capacity check in psa_key_derivation_output_bytes() would have
+         * prevented this call. It could happen only if the operation
+         * object was corrupted or if this function is called directly
+         * inside the library. */
+        if (hkdf->block_number == 0xff)
+            return (PSA_ERROR_BAD_STATE);
+
+        /* We need a new block */
+        ++hkdf->block_number;
+        hkdf->offset_in_block = 0;
+        status = psa_hmac_setup_internal(&hkdf->hmac,
+                                         hkdf->prk, hash_length,
+                                         hash_alg);
+        if (status != PSA_SUCCESS)
+            return (status);
+        if (hkdf->block_number != 1) {
+            status = psa_hash_update(&hkdf->hmac.hash_ctx,
+                                     hkdf->output_block,
+                                     hash_length);
+            if (status != PSA_SUCCESS)
+                return (status);
+        }
+        status = psa_hash_update(&hkdf->hmac.hash_ctx,
+                                 hkdf->info,
+                                 hkdf->info_length);
+        if (status != PSA_SUCCESS)
+            return (status);
+        status = psa_hash_update(&hkdf->hmac.hash_ctx,
+                                 &hkdf->block_number, 1);
+        if (status != PSA_SUCCESS)
+            return (status);
+        status = psa_hmac_finish_internal(&hkdf->hmac,
+                                          hkdf->output_block,
+                                          sizeof(hkdf->output_block));
+        if (status != PSA_SUCCESS)
+            return (status);
+    }
+
+    return (PSA_SUCCESS);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
+    psa_tls12_prf_key_derivation_t *tls12_prf,
+    psa_algorithm_t alg) {
+    psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
+    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+    psa_hash_operation_t backup = PSA_HASH_OPERATION_INIT;
+    psa_status_t status, cleanup_status;
+
+    /* We can't be wanting more output after block 0xff, otherwise
+     * the capacity check in psa_key_derivation_output_bytes() would have
+     * prevented this call. It could happen only if the operation
+     * object was corrupted or if this function is called directly
+     * inside the library. */
+    if (tls12_prf->block_number == 0xff)
+        return (PSA_ERROR_CORRUPTION_DETECTED);
+
+    /* We need a new block */
+    ++tls12_prf->block_number;
+    tls12_prf->left_in_block = hash_length;
+
+    /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
+     *
+     * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+     *
+     * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
+     *                        HMAC_hash(secret, A(2) + seed) +
+     *                        HMAC_hash(secret, A(3) + seed) + ...
+     *
+     * A(0) = seed
+     * A(i) = HMAC_hash(secret, A(i-1))
+     *
+     * The `psa_tls12_prf_key_derivation` structure saves the block
+     * `HMAC_hash(secret, A(i) + seed)` from which the output
+     * is currently extracted as `output_block` and where i is
+     * `block_number`.
+     */
+
+    /* Save the hash context before using it, to preserve the hash state with
+     * only the inner padding in it. We need this, because inner padding depends
+     * on the key (secret in the RFC's terminology). */
+    status = psa_hash_clone(&tls12_prf->hmac.hash_ctx, &backup);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+
+    /* Calculate A(i) where i = tls12_prf->block_number. */
+    if (tls12_prf->block_number == 1) {
+        /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
+         * the variable seed and in this instance means it in the context of the
+         * P_hash function, where seed = label + seed.) */
+        status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                                 tls12_prf->label, tls12_prf->label_length);
+        if (status != PSA_SUCCESS)
+            goto cleanup;
+        status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                                 tls12_prf->seed, tls12_prf->seed_length);
+        if (status != PSA_SUCCESS)
+            goto cleanup;
+    } else {
+        /* A(i) = HMAC_hash(secret, A(i-1)) */
+        status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                                 tls12_prf->Ai, hash_length);
+        if (status != PSA_SUCCESS)
+            goto cleanup;
+    }
+
+    status = psa_hmac_finish_internal(&tls12_prf->hmac,
+                                      tls12_prf->Ai, hash_length);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+    status = psa_hash_clone(&backup, &tls12_prf->hmac.hash_ctx);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+
+    /* Calculate HMAC_hash(secret, A(i) + label + seed). */
+    status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                             tls12_prf->Ai, hash_length);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+    status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                             tls12_prf->label, tls12_prf->label_length);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+    status = psa_hash_update(&tls12_prf->hmac.hash_ctx,
+                             tls12_prf->seed, tls12_prf->seed_length);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+    status = psa_hmac_finish_internal(&tls12_prf->hmac,
+                                      tls12_prf->output_block, hash_length);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+    status = psa_hash_clone(&backup, &tls12_prf->hmac.hash_ctx);
+    if (status != PSA_SUCCESS)
+        goto cleanup;
+
+
+cleanup:
+
+    cleanup_status = psa_hash_abort(&backup);
+    if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS)
+        status = cleanup_status;
+
+    return (status);
+}
+
+static psa_status_t psa_key_derivation_tls12_prf_read(
+    psa_tls12_prf_key_derivation_t *tls12_prf,
+    psa_algorithm_t alg,
+    uint8_t *output,
+    size_t output_length) {
+    psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
+    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+    psa_status_t status;
+    uint8_t offset, length;
+
+    while (output_length != 0) {
+        /* Check if we have fully processed the current block. */
+        if (tls12_prf->left_in_block == 0) {
+            status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
+                                                                      alg);
+            if (status != PSA_SUCCESS)
+                return (status);
+
+            continue;
+        }
+
+        if (tls12_prf->left_in_block > output_length)
+            length = (uint8_t) output_length;
+        else
+            length = tls12_prf->left_in_block;
+
+        offset = hash_length - tls12_prf->left_in_block;
+        memcpy(output, tls12_prf->output_block + offset, length);
+        output += length;
+        output_length -= length;
+        tls12_prf->left_in_block -= length;
+    }
+
+    return (PSA_SUCCESS);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+psa_status_t psa_key_derivation_output_bytes(
+    psa_key_derivation_operation_t *operation,
+    uint8_t *output,
+    size_t output_length) {
+    psa_status_t status;
+    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+    if (operation->alg == 0) {
+        /* This is a blank operation. */
+        return (PSA_ERROR_BAD_STATE);
+    }
+
+    if (output_length > operation->capacity) {
+        operation->capacity = 0;
+        /* Go through the error path to wipe all confidential data now
+         * that the operation object is useless. */
+        status = PSA_ERROR_INSUFFICIENT_DATA;
+        goto exit;
+    }
+    if (output_length == 0 && operation->capacity == 0) {
+        /* Edge case: this is a finished operation, and 0 bytes
+         * were requested. The right error in this case could
+         * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
+         * INSUFFICIENT_CAPACITY, which is right for a finished
+         * operation, for consistency with the case when
+         * output_length > 0. */
+        return (PSA_ERROR_INSUFFICIENT_DATA);
+    }
+    operation->capacity -= output_length;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+    if (PSA_ALG_IS_HKDF(kdf_alg)) {
+        psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+        status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, hash_alg,
+                                              output, output_length);
+    } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+        if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+                PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+            status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
+                                                       kdf_alg, output,
+                                                       output_length);
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+        {
+            (void) kdf_alg;
+            return (PSA_ERROR_BAD_STATE);
+        }
+
+exit:
+    if (status != PSA_SUCCESS) {
+        /* Preserve the algorithm upon errors, but clear all sensitive state.
+         * This allows us to differentiate between exhausted operations and
+         * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
+         * operations. */
+        psa_algorithm_t alg = operation->alg;
+        psa_key_derivation_abort(operation);
+        operation->alg = alg;
+        memset(output, '!', output_length);
+    }
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+static void psa_des_set_key_parity(uint8_t *data, size_t data_size) {
+    if (data_size >= 8)
+        mbedtls_des_key_set_parity(data);
+    if (data_size >= 16)
+        mbedtls_des_key_set_parity(data + 8);
+    if (data_size >= 24)
+        mbedtls_des_key_set_parity(data + 16);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+
+static psa_status_t psa_generate_derived_key_internal(
+    psa_key_slot_t *slot,
+    size_t bits,
+    psa_key_derivation_operation_t *operation) {
+    uint8_t *data = NULL;
+    size_t bytes = PSA_BITS_TO_BYTES(bits);
+    psa_status_t status;
+
+    if (! key_type_is_raw_bytes(slot->attr.type))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    if (bits % 8 != 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    data = mbedtls_calloc(1, bytes);
+    if (data == NULL)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+    status = psa_key_derivation_output_bytes(operation, data, bytes);
+    if (status != PSA_SUCCESS)
+        goto exit;
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+    if (slot->attr.type == PSA_KEY_TYPE_DES)
+        psa_des_set_key_parity(data, bytes);
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+
+    status = psa_allocate_buffer_to_slot(slot, bytes);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    slot->attr.bits = (psa_key_bits_t) bits;
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    status = psa_driver_wrapper_import_key(&attributes,
+                                           data, bytes,
+                                           slot->key.data,
+                                           slot->key.bytes,
+                                           &slot->key.bytes, &bits);
+    if (bits != slot->attr.bits)
+        status = PSA_ERROR_INVALID_ARGUMENT;
+
+exit:
+    mbedtls_free(data);
+    return (status);
+}
+
+psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attributes,
+                                           psa_key_derivation_operation_t *operation,
+                                           mbedtls_svc_key_id_t *key) {
+    psa_status_t status;
+    psa_key_slot_t *slot = NULL;
+    psa_se_drv_table_entry_t *driver = NULL;
+
+    *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+    /* Reject any attempt to create a zero-length key so that we don't
+     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+    if (psa_get_key_bits(attributes) == 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    if (! operation->can_output_key)
+        return (PSA_ERROR_NOT_PERMITTED);
+
+    status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
+                                    &slot, &driver);
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if (driver != NULL) {
+        /* Deriving a key in a secure element is not implemented yet. */
+        status = PSA_ERROR_NOT_SUPPORTED;
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+    if (status == PSA_SUCCESS) {
+        status = psa_generate_derived_key_internal(slot,
+                                                   attributes->core.bits,
+                                                   operation);
+    }
+    if (status == PSA_SUCCESS)
+        status = psa_finish_key_creation(slot, driver, key);
+    if (status != PSA_SUCCESS)
+        psa_fail_key_creation(slot, driver);
+
+    return (status);
+}
+
+
+
+/****************************************************************/
+/* Key derivation */
+/****************************************************************/
+
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+static psa_status_t psa_key_derivation_setup_kdf(
+    psa_key_derivation_operation_t *operation,
+    psa_algorithm_t kdf_alg) {
+    int is_kdf_alg_supported;
+
+    /* Make sure that operation->ctx is properly zero-initialised. (Macro
+     * initialisers for this union leave some bytes unspecified.) */
+    memset(&operation->ctx, 0, sizeof(operation->ctx));
+
+    /* Make sure that kdf_alg is a supported key derivation algorithm. */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+    if (PSA_ALG_IS_HKDF(kdf_alg))
+        is_kdf_alg_supported = 1;
+    else
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+        if (PSA_ALG_IS_TLS12_PRF(kdf_alg))
+            is_kdf_alg_supported = 1;
+        else
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+            if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg))
+                is_kdf_alg_supported = 1;
+            else
+#endif
+                is_kdf_alg_supported = 0;
+
+    if (is_kdf_alg_supported) {
+        psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+        size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+        if (hash_size == 0)
+            return (PSA_ERROR_NOT_SUPPORTED);
+        if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+                PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) &&
+                !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+        operation->capacity = 255 * hash_size;
+        return (PSA_SUCCESS);
+    }
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+}
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+
+psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
+                                      psa_algorithm_t alg) {
+    psa_status_t status;
+
+    if (operation->alg != 0)
+        return (PSA_ERROR_BAD_STATE);
+
+    if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+        psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
+        status = psa_key_derivation_setup_kdf(operation, kdf_alg);
+#else
+        return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+    } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+        status = psa_key_derivation_setup_kdf(operation, alg);
+#else
+        return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+    } else
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    if (status == PSA_SUCCESS)
+        operation->alg = alg;
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
+                                   psa_algorithm_t hash_alg,
+                                   psa_key_derivation_step_t step,
+                                   const uint8_t *data,
+                                   size_t data_length) {
+    psa_status_t status;
+    switch (step) {
+        case PSA_KEY_DERIVATION_INPUT_SALT:
+            if (hkdf->state != HKDF_STATE_INIT)
+                return (PSA_ERROR_BAD_STATE);
+            status = psa_hmac_setup_internal(&hkdf->hmac,
+                                             data, data_length,
+                                             hash_alg);
+            if (status != PSA_SUCCESS)
+                return (status);
+            hkdf->state = HKDF_STATE_STARTED;
+            return (PSA_SUCCESS);
+        case PSA_KEY_DERIVATION_INPUT_SECRET:
+            /* If no salt was provided, use an empty salt. */
+            if (hkdf->state == HKDF_STATE_INIT) {
+                status = psa_hmac_setup_internal(&hkdf->hmac,
+                                                 NULL, 0,
+                                                 hash_alg);
+                if (status != PSA_SUCCESS)
+                    return (status);
+                hkdf->state = HKDF_STATE_STARTED;
+            }
+            if (hkdf->state != HKDF_STATE_STARTED)
+                return (PSA_ERROR_BAD_STATE);
+            status = psa_hash_update(&hkdf->hmac.hash_ctx,
+                                     data, data_length);
+            if (status != PSA_SUCCESS)
+                return (status);
+            status = psa_hmac_finish_internal(&hkdf->hmac,
+                                              hkdf->prk,
+                                              sizeof(hkdf->prk));
+            if (status != PSA_SUCCESS)
+                return (status);
+            hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
+            hkdf->block_number = 0;
+            hkdf->state = HKDF_STATE_KEYED;
+            return (PSA_SUCCESS);
+        case PSA_KEY_DERIVATION_INPUT_INFO:
+            if (hkdf->state == HKDF_STATE_OUTPUT)
+                return (PSA_ERROR_BAD_STATE);
+            if (hkdf->info_set)
+                return (PSA_ERROR_BAD_STATE);
+            hkdf->info_length = data_length;
+            if (data_length != 0) {
+                hkdf->info = mbedtls_calloc(1, data_length);
+                if (hkdf->info == NULL)
+                    return (PSA_ERROR_INSUFFICIENT_MEMORY);
+                memcpy(hkdf->info, data, data_length);
+            }
+            hkdf->info_set = 1;
+            return (PSA_SUCCESS);
+        default:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
+                                           const uint8_t *data,
+                                           size_t data_length) {
+    if (prf->state != PSA_TLS12_PRF_STATE_INIT)
+        return (PSA_ERROR_BAD_STATE);
+
+    if (data_length != 0) {
+        prf->seed = mbedtls_calloc(1, data_length);
+        if (prf->seed == NULL)
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+        memcpy(prf->seed, data, data_length);
+        prf->seed_length = data_length;
+    }
+
+    prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
+
+    return (PSA_SUCCESS);
+}
+
+static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
+                                          psa_algorithm_t hash_alg,
+                                          const uint8_t *data,
+                                          size_t data_length) {
+    psa_status_t status;
+    if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET)
+        return (PSA_ERROR_BAD_STATE);
+
+    status = psa_hmac_setup_internal(&prf->hmac, data, data_length, hash_alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
+
+    return (PSA_SUCCESS);
+}
+
+static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
+                                            const uint8_t *data,
+                                            size_t data_length) {
+    if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET)
+        return (PSA_ERROR_BAD_STATE);
+
+    if (data_length != 0) {
+        prf->label = mbedtls_calloc(1, data_length);
+        if (prf->label == NULL)
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+        memcpy(prf->label, data, data_length);
+        prf->label_length = data_length;
+    }
+
+    prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
+
+    return (PSA_SUCCESS);
+}
+
+static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
+                                        psa_algorithm_t hash_alg,
+                                        psa_key_derivation_step_t step,
+                                        const uint8_t *data,
+                                        size_t data_length) {
+    switch (step) {
+        case PSA_KEY_DERIVATION_INPUT_SEED:
+            return (psa_tls12_prf_set_seed(prf, data, data_length));
+        case PSA_KEY_DERIVATION_INPUT_SECRET:
+            return (psa_tls12_prf_set_key(prf, hash_alg, data, data_length));
+        case PSA_KEY_DERIVATION_INPUT_LABEL:
+            return (psa_tls12_prf_set_label(prf, data, data_length));
+        default:
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
+    psa_tls12_prf_key_derivation_t *prf,
+    psa_algorithm_t hash_alg,
+    const uint8_t *data,
+    size_t data_length) {
+    psa_status_t status;
+    uint8_t pms[ 4 + 2 * PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE ];
+    uint8_t *cur = pms;
+
+    if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    /* Quoting RFC 4279, Section 2:
+     *
+     * The premaster secret is formed as follows: if the PSK is N octets
+     * long, concatenate a uint16 with the value N, N zero octets, a second
+     * uint16 with the value N, and the PSK itself.
+     */
+
+    *cur++ = (data_length >> 8) & 0xff;
+    *cur++ = (data_length >> 0) & 0xff;
+    memset(cur, 0, data_length);
+    cur += data_length;
+    *cur++ = pms[0];
+    *cur++ = pms[1];
+    memcpy(cur, data, data_length);
+    cur += data_length;
+
+    status = psa_tls12_prf_set_key(prf, hash_alg, pms, cur - pms);
+
+    mbedtls_platform_zeroize(pms, sizeof(pms));
+    return (status);
+}
+
+static psa_status_t psa_tls12_prf_psk_to_ms_input(
+    psa_tls12_prf_key_derivation_t *prf,
+    psa_algorithm_t hash_alg,
+    psa_key_derivation_step_t step,
+    const uint8_t *data,
+    size_t data_length) {
+    if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
+        return (psa_tls12_prf_psk_to_ms_set_key(prf, hash_alg,
+                                                data, data_length));
+    }
+
+    return (psa_tls12_prf_input(prf, hash_alg, step, data, data_length));
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+/** Check whether the given key type is acceptable for the given
+ * input step of a key derivation.
+ *
+ * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
+ * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
+ * Both secret and non-secret inputs can alternatively have the type
+ * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
+ * that the input was passed as a buffer rather than via a key object.
+ */
+static int psa_key_derivation_check_input_type(
+    psa_key_derivation_step_t step,
+    psa_key_type_t key_type) {
+    switch (step) {
+        case PSA_KEY_DERIVATION_INPUT_SECRET:
+            if (key_type == PSA_KEY_TYPE_DERIVE)
+                return (PSA_SUCCESS);
+            if (key_type == PSA_KEY_TYPE_NONE)
+                return (PSA_SUCCESS);
+            break;
+        case PSA_KEY_DERIVATION_INPUT_LABEL:
+        case PSA_KEY_DERIVATION_INPUT_SALT:
+        case PSA_KEY_DERIVATION_INPUT_INFO:
+        case PSA_KEY_DERIVATION_INPUT_SEED:
+            if (key_type == PSA_KEY_TYPE_RAW_DATA)
+                return (PSA_SUCCESS);
+            if (key_type == PSA_KEY_TYPE_NONE)
+                return (PSA_SUCCESS);
+            break;
+    }
+    return (PSA_ERROR_INVALID_ARGUMENT);
+}
+
+static psa_status_t psa_key_derivation_input_internal(
+    psa_key_derivation_operation_t *operation,
+    psa_key_derivation_step_t step,
+    psa_key_type_t key_type,
+    const uint8_t *data,
+    size_t data_length) {
+    psa_status_t status;
+    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+    status = psa_key_derivation_check_input_type(step, key_type);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+    if (PSA_ALG_IS_HKDF(kdf_alg)) {
+        status = psa_hkdf_input(&operation->ctx.hkdf,
+                                PSA_ALG_HKDF_GET_HASH(kdf_alg),
+                                step, data, data_length);
+    } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+        if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
+            status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
+                                         PSA_ALG_HKDF_GET_HASH(kdf_alg),
+                                         step, data, data_length);
+        } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+            if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+                status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
+                                                       PSA_ALG_HKDF_GET_HASH(kdf_alg),
+                                                       step, data, data_length);
+            } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+            {
+                /* This can't happen unless the operation object was not initialized */
+                (void) data;
+                (void) data_length;
+                (void) kdf_alg;
+                return (PSA_ERROR_BAD_STATE);
+            }
+
+exit:
+    if (status != PSA_SUCCESS)
+        psa_key_derivation_abort(operation);
+    return (status);
+}
+
+psa_status_t psa_key_derivation_input_bytes(
+    psa_key_derivation_operation_t *operation,
+    psa_key_derivation_step_t step,
+    const uint8_t *data,
+    size_t data_length) {
+    return (psa_key_derivation_input_internal(operation, step,
+                                              PSA_KEY_TYPE_NONE,
+                                              data, data_length));
+}
+
+psa_status_t psa_key_derivation_input_key(
+    psa_key_derivation_operation_t *operation,
+    psa_key_derivation_step_t step,
+    mbedtls_svc_key_id_t key) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+    if (status != PSA_SUCCESS) {
+        psa_key_derivation_abort(operation);
+        return (status);
+    }
+
+    /* Passing a key object as a SECRET input unlocks the permission
+     * to output to a key object. */
+    if (step == PSA_KEY_DERIVATION_INPUT_SECRET)
+        operation->can_output_key = 1;
+
+    status = psa_key_derivation_input_internal(operation,
+                                               step, slot->attr.type,
+                                               slot->key.data,
+                                               slot->key.bytes);
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+
+
+/****************************************************************/
+/* Key agreement */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+static psa_status_t psa_key_agreement_ecdh(const uint8_t *peer_key,
+                                           size_t peer_key_length,
+                                           const mbedtls_ecp_keypair *our_key,
+                                           uint8_t *shared_secret,
+                                           size_t shared_secret_size,
+                                           size_t *shared_secret_length) {
+    mbedtls_ecp_keypair *their_key = NULL;
+    mbedtls_ecdh_context ecdh;
+    psa_status_t status;
+    size_t bits = 0;
+    psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(our_key->grp.id, &bits);
+    mbedtls_ecdh_init(&ecdh);
+
+    status = mbedtls_psa_ecp_load_representation(
+                 PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
+                 bits,
+                 peer_key,
+                 peer_key_length,
+                 &their_key);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = mbedtls_to_psa_error(
+                 mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = mbedtls_to_psa_error(
+                 mbedtls_ecdh_get_params(&ecdh, our_key, MBEDTLS_ECDH_OURS));
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = mbedtls_to_psa_error(
+                 mbedtls_ecdh_calc_secret(&ecdh,
+                                          shared_secret_length,
+                                          shared_secret, shared_secret_size,
+                                          mbedtls_psa_get_random,
+                                          MBEDTLS_PSA_RANDOM_STATE));
+    if (status != PSA_SUCCESS)
+        goto exit;
+    if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length)
+        status = PSA_ERROR_CORRUPTION_DETECTED;
+
+exit:
+    if (status != PSA_SUCCESS)
+        mbedtls_platform_zeroize(shared_secret, shared_secret_size);
+    mbedtls_ecdh_free(&ecdh);
+    mbedtls_ecp_keypair_free(their_key);
+    mbedtls_free(their_key);
+
+    return (status);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
+
+static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
+                                                   psa_key_slot_t *private_key,
+                                                   const uint8_t *peer_key,
+                                                   size_t peer_key_length,
+                                                   uint8_t *shared_secret,
+                                                   size_t shared_secret_size,
+                                                   size_t *shared_secret_length) {
+    switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+        case PSA_ALG_ECDH:
+            if (! PSA_KEY_TYPE_IS_ECC_KEY_PAIR(private_key->attr.type))
+                return (PSA_ERROR_INVALID_ARGUMENT);
+            mbedtls_ecp_keypair *ecp = NULL;
+            psa_status_t status = mbedtls_psa_ecp_load_representation(
+                                      private_key->attr.type,
+                                      private_key->attr.bits,
+                                      private_key->key.data,
+                                      private_key->key.bytes,
+                                      &ecp);
+            if (status != PSA_SUCCESS)
+                return (status);
+            status = psa_key_agreement_ecdh(peer_key, peer_key_length,
+                                            ecp,
+                                            shared_secret, shared_secret_size,
+                                            shared_secret_length);
+            mbedtls_ecp_keypair_free(ecp);
+            mbedtls_free(ecp);
+            return (status);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+        default:
+            (void) private_key;
+            (void) peer_key;
+            (void) peer_key_length;
+            (void) shared_secret;
+            (void) shared_secret_size;
+            (void) shared_secret_length;
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+}
+
+/* Note that if this function fails, you must call psa_key_derivation_abort()
+ * to potentially free embedded data structures and wipe confidential data.
+ */
+static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
+                                               psa_key_derivation_step_t step,
+                                               psa_key_slot_t *private_key,
+                                               const uint8_t *peer_key,
+                                               size_t peer_key_length) {
+    psa_status_t status;
+    uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE];
+    size_t shared_secret_length = 0;
+    psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
+
+    /* Step 1: run the secret agreement algorithm to generate the shared
+     * secret. */
+    status = psa_key_agreement_raw_internal(ka_alg,
+                                            private_key,
+                                            peer_key, peer_key_length,
+                                            shared_secret,
+                                            sizeof(shared_secret),
+                                            &shared_secret_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Step 2: set up the key derivation to generate key material from
+     * the shared secret. A shared secret is permitted wherever a key
+     * of type DERIVE is permitted. */
+    status = psa_key_derivation_input_internal(operation, step,
+                                               PSA_KEY_TYPE_DERIVE,
+                                               shared_secret,
+                                               shared_secret_length);
+exit:
+    mbedtls_platform_zeroize(shared_secret, shared_secret_length);
+    return (status);
+}
+
+psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
+                                              psa_key_derivation_step_t step,
+                                              mbedtls_svc_key_id_t private_key,
+                                              const uint8_t *peer_key,
+                                              size_t peer_key_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot;
+
+    if (! PSA_ALG_IS_KEY_AGREEMENT(operation->alg))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+    status = psa_key_agreement_internal(operation, step,
+                                        slot,
+                                        peer_key, peer_key_length);
+    if (status != PSA_SUCCESS)
+        psa_key_derivation_abort(operation);
+    else {
+        /* If a private key has been added as SECRET, we allow the derived
+         * key material to be used as a key in PSA Crypto. */
+        if (step == PSA_KEY_DERIVATION_INPUT_SECRET)
+            operation->can_output_key = 1;
+    }
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+                                   mbedtls_svc_key_id_t private_key,
+                                   const uint8_t *peer_key,
+                                   size_t peer_key_length,
+                                   uint8_t *output,
+                                   size_t output_size,
+                                   size_t *output_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_slot_t *slot = NULL;
+
+    if (! PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+    status = psa_get_and_lock_transparent_key_slot_with_policy(
+                 private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_key_agreement_raw_internal(alg, slot,
+                                            peer_key, peer_key_length,
+                                            output, output_size,
+                                            output_length);
+
+exit:
+    if (status != PSA_SUCCESS) {
+        /* If an error happens and is not handled properly, the output
+         * may be used as a key to protect sensitive data. Arrange for such
+         * a key to be random, which is likely to result in decryption or
+         * verification errors. This is better than filling the buffer with
+         * some constant data such as zeros, which would result in the data
+         * being protected with a reproducible, easily knowable key.
+         */
+        psa_generate_random(output, output_size);
+        *output_length = output_size;
+    }
+
+    unlock_status = psa_unlock_key_slot(slot);
+
+    return ((status == PSA_SUCCESS) ? unlock_status : status);
+}
+
+
+
+/****************************************************************/
+/* Random generation */
+/****************************************************************/
+
+/** Initialize the PSA random generator.
+ */
+static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) {
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+    memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+    /* Set default configuration if
+     * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
+    if (rng->entropy_init == NULL)
+        rng->entropy_init = mbedtls_entropy_init;
+    if (rng->entropy_free == NULL)
+        rng->entropy_free = mbedtls_entropy_free;
+
+    rng->entropy_init(&rng->entropy);
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
+    defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    /* The PSA entropy injection feature depends on using NV seed as an entropy
+     * source. Add NV seed as an entropy source for PSA entropy injection. */
+    mbedtls_entropy_add_source(&rng->entropy,
+                               mbedtls_nv_seed_poll, NULL,
+                               MBEDTLS_ENTROPY_BLOCK_SIZE,
+                               MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+
+    mbedtls_psa_drbg_init(MBEDTLS_PSA_RANDOM_STATE);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Deinitialize the PSA random generator.
+ */
+static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) {
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+    memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+    mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE);
+    rng->entropy_free(&rng->entropy);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Seed the PSA random generator.
+ */
+static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng) {
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+    /* Do nothing: the external RNG seeds itself. */
+    (void) rng;
+    return (PSA_SUCCESS);
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+    const unsigned char drbg_seed[] = "PSA";
+    int ret = mbedtls_psa_drbg_seed(&rng->entropy,
+                                    drbg_seed, sizeof(drbg_seed) - 1);
+    return mbedtls_to_psa_error(ret);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+psa_status_t psa_generate_random(uint8_t *output,
+                                 size_t output_size) {
+    GUARD_MODULE_INITIALIZED;
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+    size_t output_length = 0;
+    psa_status_t status = mbedtls_psa_external_get_random(&global_data.rng,
+                                                          output, output_size,
+                                                          &output_length);
+    if (status != PSA_SUCCESS)
+        return (status);
+    /* Breaking up a request into smaller chunks is currently not supported
+     * for the extrernal RNG interface. */
+    if (output_length != output_size)
+        return (PSA_ERROR_INSUFFICIENT_ENTROPY);
+    return (PSA_SUCCESS);
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+    while (output_size > 0) {
+        size_t request_size =
+            (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
+             MBEDTLS_PSA_RANDOM_MAX_REQUEST :
+             output_size);
+        int ret = mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE,
+                                         output, request_size);
+        if (ret != 0)
+            return (mbedtls_to_psa_error(ret));
+        output_size -= request_size;
+        output += request_size;
+    }
+    return (PSA_SUCCESS);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/* Wrapper function allowing the classic API to use the PSA RNG.
+ *
+ * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
+ * `psa_generate_random(...)`. The state parameter is ignored since the
+ * PSA API doesn't support passing an explicit state.
+ *
+ * In the non-external case, psa_generate_random() calls an
+ * `mbedtls_xxx_drbg_random` function which has exactly the same signature
+ * and semantics as mbedtls_psa_get_random(). As an optimization,
+ * instead of doing this back-and-forth between the PSA API and the
+ * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random`
+ * as a constant function pointer to `mbedtls_xxx_drbg_random`.
+ */
+#if defined (MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+int mbedtls_psa_get_random(void *p_rng,
+                           unsigned char *output,
+                           size_t output_size) {
+    /* This function takes a pointer to the RNG state because that's what
+     * classic mbedtls functions using an RNG expect. The PSA RNG manages
+     * its own state internally and doesn't let the caller access that state.
+     * So we just ignore the state parameter, and in practice we'll pass
+     * NULL. */
+    (void) p_rng;
+    psa_status_t status = psa_generate_random(output, output_size);
+    if (status == PSA_SUCCESS)
+        return (0);
+    else
+        return (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+#include "mbedtls/entropy_poll.h"
+
+psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
+                                        size_t seed_size) {
+    if (global_data.initialized)
+        return (PSA_ERROR_NOT_PERMITTED);
+
+    if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
+            (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
+            (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    return (mbedtls_psa_storage_inject_entropy(seed, seed_size));
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+/** Validate the key type and size for key generation
+ *
+ * \param  type  The key type
+ * \param  bits  The number of bits of the key
+ *
+ * \retval #PSA_SUCCESS
+ *         The key type and size are valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         The type and/or the size in bits of the key or the combination of
+ *         the two is not supported.
+ */
+static psa_status_t psa_validate_key_type_and_size_for_key_generation(
+    psa_key_type_t type, size_t bits) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    if (key_type_is_raw_bytes(type)) {
+        status = validate_unstructured_key_bit_size(type, bits);
+        if (status != PSA_SUCCESS)
+            return (status);
+    } else
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
+        if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+            if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS)
+                return (PSA_ERROR_NOT_SUPPORTED);
+
+            /* Accept only byte-aligned keys, for the same reasons as
+             * in psa_import_rsa_key(). */
+            if (bits % 8 != 0)
+                return (PSA_ERROR_NOT_SUPPORTED);
+        } else
+#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
+            if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+                /* To avoid empty block, return successfully here. */
+                return (PSA_SUCCESS);
+            } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) */
+            {
+                return (PSA_ERROR_NOT_SUPPORTED);
+            }
+
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_generate_key_internal(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_type_t type = attributes->core.type;
+
+    if ((attributes->domain_parameters == NULL) &&
+            (attributes->domain_parameters_size != 0))
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    if (key_type_is_raw_bytes(type)) {
+        status = psa_generate_random(key_buffer, key_buffer_size);
+        if (status != PSA_SUCCESS)
+            return (status);
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+        if (type == PSA_KEY_TYPE_DES)
+            psa_des_set_key_parity(key_buffer, key_buffer_size);
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+    } else
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+        if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+            return (mbedtls_psa_rsa_generate_key(attributes,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 key_buffer_length));
+        } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
+            if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+                return (mbedtls_psa_ecp_generate_key(attributes,
+                                                     key_buffer,
+                                                     key_buffer_size,
+                                                     key_buffer_length));
+            } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
+            {
+                (void)key_buffer_length;
+                return (PSA_ERROR_NOT_SUPPORTED);
+            }
+
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+                              mbedtls_svc_key_id_t *key) {
+    psa_status_t status;
+    psa_key_slot_t *slot = NULL;
+    psa_se_drv_table_entry_t *driver = NULL;
+    size_t key_buffer_size;
+
+    *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+    /* Reject any attempt to create a zero-length key so that we don't
+     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+    if (psa_get_key_bits(attributes) == 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
+                                    &slot, &driver);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* In the case of a transparent key or an opaque key stored in local
+     * storage (thus not in the case of generating a key in a secure element
+     * or cryptoprocessor with storage), we have to allocate a buffer to
+     * hold the generated key material. */
+    if (slot->key.data == NULL) {
+        if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime) ==
+                PSA_KEY_LOCATION_LOCAL_STORAGE) {
+            status = psa_validate_key_type_and_size_for_key_generation(
+                         attributes->core.type, attributes->core.bits);
+            if (status != PSA_SUCCESS)
+                goto exit;
+
+            key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
+                                  attributes->core.type,
+                                  attributes->core.bits);
+        } else {
+            status = psa_driver_wrapper_get_key_buffer_size(
+                         attributes, &key_buffer_size);
+            if (status != PSA_SUCCESS)
+                goto exit;
+        }
+
+        status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
+        if (status != PSA_SUCCESS)
+            goto exit;
+    }
+
+    status = psa_driver_wrapper_generate_key(attributes,
+                                             slot->key.data, slot->key.bytes, &slot->key.bytes);
+
+    if (status != PSA_SUCCESS)
+        psa_remove_key_data_from_memory(slot);
+
+exit:
+    if (status == PSA_SUCCESS)
+        status = psa_finish_key_creation(slot, driver, key);
+    if (status != PSA_SUCCESS)
+        psa_fail_key_creation(slot, driver);
+
+    return (status);
+}
+
+/****************************************************************/
+/* Module setup */
+/****************************************************************/
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+    void (* entropy_init)(mbedtls_entropy_context *ctx),
+    void (* entropy_free)(mbedtls_entropy_context *ctx)) {
+    if (global_data.rng_state != RNG_NOT_INITIALIZED)
+        return (PSA_ERROR_BAD_STATE);
+    global_data.rng.entropy_init = entropy_init;
+    global_data.rng.entropy_free = entropy_free;
+    return (PSA_SUCCESS);
+}
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+void mbedtls_psa_crypto_free(void) {
+    psa_wipe_all_key_slots();
+    if (global_data.rng_state != RNG_NOT_INITIALIZED) {
+        mbedtls_psa_random_free(&global_data.rng);
+    }
+    /* Wipe all remaining data, including configuration.
+     * In particular, this sets all state indicator to the value
+     * indicating "uninitialized". */
+    mbedtls_platform_zeroize(&global_data, sizeof(global_data));
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    /* Unregister all secure element drivers, so that we restart from
+     * a pristine state. */
+    psa_unregister_all_se_drivers();
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+}
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+/** Recover a transaction that was interrupted by a power failure.
+ *
+ * This function is called during initialization, before psa_crypto_init()
+ * returns. If this function returns a failure status, the initialization
+ * fails.
+ */
+static psa_status_t psa_crypto_recover_transaction(
+    const psa_crypto_transaction_t *transaction) {
+    switch (transaction->unknown.type) {
+        case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
+        case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
+        /* TODO - fall through to the failure case until this
+         * is implemented.
+         * https://github.com/ARMmbed/mbed-crypto/issues/218
+         */
+        default:
+            /* We found an unsupported transaction in the storage.
+             * We don't know what state the storage is in. Give up. */
+            return (PSA_ERROR_DATA_INVALID);
+    }
+}
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+psa_status_t psa_crypto_init(void) {
+    psa_status_t status;
+
+    /* Double initialization is explicitly allowed. */
+    if (global_data.initialized != 0)
+        return (PSA_SUCCESS);
+
+    /* Initialize and seed the random generator. */
+    mbedtls_psa_random_init(&global_data.rng);
+    global_data.rng_state = RNG_INITIALIZED;
+    status = mbedtls_psa_random_seed(&global_data.rng);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    global_data.rng_state = RNG_SEEDED;
+
+    status = psa_initialize_key_slots();
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    status = psa_init_all_se_drivers();
+    if (status != PSA_SUCCESS)
+        goto exit;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+    status = psa_crypto_load_transaction();
+    if (status == PSA_SUCCESS) {
+        status = psa_crypto_recover_transaction(&psa_crypto_transaction);
+        if (status != PSA_SUCCESS)
+            goto exit;
+        status = psa_crypto_stop_transaction();
+    } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
+        /* There's no transaction to complete. It's all good. */
+        status = PSA_SUCCESS;
+    }
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+    /* All done. */
+    global_data.initialized = 1;
+
+exit:
+    if (status != PSA_SUCCESS)
+        mbedtls_psa_crypto_free();
+    return (status);
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/common/mbedtls/psa_crypto_client.c b/common/mbedtls/psa_crypto_client.c
new file mode 100644
index 000000000..df35a96a7
--- /dev/null
+++ b/common/mbedtls/psa_crypto_client.c
@@ -0,0 +1,78 @@
+/*
+ *  PSA crypto client code
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+#include "psa_crypto_service_integration.h"
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#include <string.h>
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+void psa_reset_key_attributes(psa_key_attributes_t *attributes) {
+    mbedtls_free(attributes->domain_parameters);
+    memset(attributes, 0, sizeof(*attributes));
+}
+
+psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
+                                           psa_key_type_t type,
+                                           const uint8_t *data,
+                                           size_t data_length) {
+    uint8_t *copy = NULL;
+
+    if (data_length != 0) {
+        copy = mbedtls_calloc(1, data_length);
+        if (copy == NULL)
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        memcpy(copy, data, data_length);
+    }
+    /* After this point, this function is guaranteed to succeed, so it
+     * can start modifying `*attributes`. */
+
+    if (attributes->domain_parameters != NULL) {
+        mbedtls_free(attributes->domain_parameters);
+        attributes->domain_parameters = NULL;
+        attributes->domain_parameters_size = 0;
+    }
+
+    attributes->domain_parameters = copy;
+    attributes->domain_parameters_size = data_length;
+    attributes->core.type = type;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_get_key_domain_parameters(
+    const psa_key_attributes_t *attributes,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    if (attributes->domain_parameters_size > data_size)
+        return (PSA_ERROR_BUFFER_TOO_SMALL);
+    *data_length = attributes->domain_parameters_size;
+    if (attributes->domain_parameters_size != 0)
+        memcpy(data, attributes->domain_parameters,
+               attributes->domain_parameters_size);
+    return (PSA_SUCCESS);
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
diff --git a/common/mbedtls/psa_crypto_core.h b/common/mbedtls/psa_crypto_core.h
new file mode 100644
index 000000000..59fb49388
--- /dev/null
+++ b/common/mbedtls/psa_crypto_core.h
@@ -0,0 +1,405 @@
+/*
+ *  PSA crypto core internal interfaces
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_CORE_H
+#define PSA_CRYPTO_CORE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+#include <mbedtls/md_internal.h>
+
+/** The data structure representing a key slot, containing key material
+ * and metadata for one key.
+ */
+typedef struct {
+    psa_core_key_attributes_t attr;
+
+    /*
+     * Number of locks on the key slot held by the library.
+     *
+     * This counter is incremented by one each time a library function
+     * retrieves through one of the dedicated internal API a pointer to the
+     * key slot.
+     *
+     * This counter is decremented by one each time a library function stops
+     * accessing the key slot and states it by calling the
+     * psa_unlock_key_slot() API.
+     *
+     * This counter is used to prevent resetting the key slot while the library
+     * may access it. For example, such control is needed in the following
+     * scenarios:
+     * . In case of key slot starvation, all key slots contain the description
+     *   of a key, and the library asks for the description of a persistent
+     *   key not present in the key slots, the key slots currently accessed by
+     *   the library cannot be reclaimed to free a key slot to load the
+     *   persistent key.
+     * . In case of a multi-threaded application where one thread asks to close
+     *   or purge or destroy a key while it is in used by the library through
+     *   another thread.
+     */
+    size_t lock_count;
+
+    /* Dynamically allocated key data buffer.
+     * Format as specified in psa_export_key(). */
+    struct key_data {
+        uint8_t *data;
+        size_t bytes;
+    } key;
+} psa_key_slot_t;
+
+/* A mask of key attribute flags used only internally.
+ * Currently there aren't any. */
+#define PSA_KA_MASK_INTERNAL_ONLY (     \
+        0 )
+
+/** Test whether a key slot is occupied.
+ *
+ * A key slot is occupied iff the key type is nonzero. This works because
+ * no valid key can have 0 as its key type.
+ *
+ * \param[in] slot      The key slot to test.
+ *
+ * \return 1 if the slot is occupied, 0 otherwise.
+ */
+static inline int psa_is_key_slot_occupied(const psa_key_slot_t *slot) {
+    return (slot->attr.type != 0);
+}
+
+/** Test whether a key slot is locked.
+ *
+ * A key slot is locked iff its lock counter is strictly greater than 0.
+ *
+ * \param[in] slot  The key slot to test.
+ *
+ * \return 1 if the slot is locked, 0 otherwise.
+ */
+static inline int psa_is_key_slot_locked(const psa_key_slot_t *slot) {
+    return (slot->lock_count > 0);
+}
+
+/** Retrieve flags from psa_key_slot_t::attr::core::flags.
+ *
+ * \param[in] slot      The key slot to query.
+ * \param mask          The mask of bits to extract.
+ *
+ * \return The key attribute flags in the given slot,
+ *         bitwise-anded with \p mask.
+ */
+static inline uint16_t psa_key_slot_get_flags(const psa_key_slot_t *slot,
+                                              uint16_t mask) {
+    return (slot->attr.flags & mask);
+}
+
+/** Set flags in psa_key_slot_t::attr::core::flags.
+ *
+ * \param[in,out] slot  The key slot to modify.
+ * \param mask          The mask of bits to modify.
+ * \param value         The new value of the selected bits.
+ */
+static inline void psa_key_slot_set_flags(psa_key_slot_t *slot,
+                                          uint16_t mask,
+                                          uint16_t value) {
+    slot->attr.flags = ((~mask & slot->attr.flags) |
+                        (mask & value));
+}
+
+/** Turn on flags in psa_key_slot_t::attr::core::flags.
+ *
+ * \param[in,out] slot  The key slot to modify.
+ * \param mask          The mask of bits to set.
+ */
+static inline void psa_key_slot_set_bits_in_flags(psa_key_slot_t *slot,
+                                                  uint16_t mask) {
+    slot->attr.flags |= mask;
+}
+
+/** Turn off flags in psa_key_slot_t::attr::core::flags.
+ *
+ * \param[in,out] slot  The key slot to modify.
+ * \param mask          The mask of bits to clear.
+ */
+static inline void psa_key_slot_clear_bits(psa_key_slot_t *slot,
+                                           uint16_t mask) {
+    slot->attr.flags &= ~mask;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** Get the SE slot number of a key from the key slot storing its description.
+ *
+ * \param[in]  slot  The key slot to query. This must be a key slot storing
+ *                   the description of a key of a dynamically registered
+ *                   secure element, otherwise the behaviour is undefined.
+ */
+static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
+    const psa_key_slot_t *slot) {
+    return (*((psa_key_slot_number_t *)(slot->key.data)));
+}
+#endif
+
+/** Completely wipe a slot in memory, including its policy.
+ *
+ * Persistent storage is not affected.
+ *
+ * \param[in,out] slot  The key slot to wipe.
+ *
+ * \retval #PSA_SUCCESS
+ *         Success. This includes the case of a key slot that was
+ *         already fully wiped.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
+
+/** Copy key data (in export format) into an empty key slot.
+ *
+ * This function assumes that the slot does not contain
+ * any key material yet. On failure, the slot content is unchanged.
+ *
+ * \param[in,out] slot          Key slot to copy the key into.
+ * \param[in] data              Buffer containing the key material.
+ * \param data_length           Size of the key buffer.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key has been copied successfully.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *         Not enough memory was available for allocation of the
+ *         copy buffer.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ *         There was other key material already present in the slot.
+ */
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+                                             const uint8_t *data,
+                                             size_t data_length);
+
+/** Convert an mbed TLS error code to a PSA error code
+ *
+ * \note This function is provided solely for the convenience of
+ *       Mbed TLS and may be removed at any time without notice.
+ *
+ * \param ret           An mbed TLS-thrown error code
+ *
+ * \return              The corresponding PSA error code
+ */
+psa_status_t mbedtls_to_psa_error(int ret);
+
+/** Get Mbed TLS MD information of a hash algorithm given its PSA identifier
+ *
+ * \param[in] alg  PSA hash algorithm identifier
+ *
+ * \return  The Mbed TLS MD information of the hash algorithm. \c NULL if the
+ *          PSA hash algorithm is not supported.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_psa(psa_algorithm_t alg);
+
+/** Import a key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       import_key entry point. This function behaves as an import_key
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes for the key to import.
+ * \param[in]  data             The buffer containing the key data in import
+ *                              format.
+ * \param[in]  data_length      Size of the \p data buffer in bytes.
+ * \param[out] key_buffer       The buffer to contain the key data in output
+ *                              format upon successful return.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes. This
+ *                              size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length  The length of the data written in \p
+ *                                key_buffer in bytes.
+ * \param[out] bits             The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS  The key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t psa_import_key_into_slot(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+/** Export a key in binary format
+ *
+ * \note The signature of this function is that of a PSA driver export_key
+ *       entry point. This function behaves as an export_key entry point as
+ *       defined in the PSA driver interface specification.
+ *
+ * \param[in]  attributes       The attributes for the key to export.
+ * \param[in]  key_buffer       Material or context of the key to export.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[out] data             Buffer where the key data is to be written.
+ * \param[in]  data_size        Size of the \p data buffer in bytes.
+ * \param[out] data_length      On success, the number of bytes written in
+ *                              \p data
+ *
+ * \retval #PSA_SUCCESS  The key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t psa_export_key_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+/** Export a public key or the public part of a key pair in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       export_public_key entry point. This function behaves as an
+ *       export_public_key entry point as defined in the PSA driver interface
+ *       specification.
+ *
+ * \param[in]  attributes       The attributes for the key to export.
+ * \param[in]  key_buffer       Material or context of the key to export.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[out] data             Buffer where the key data is to be written.
+ * \param[in]  data_size        Size of the \p data buffer in bytes.
+ * \param[out] data_length      On success, the number of bytes written in
+ *                              \p data
+ *
+ * \retval #PSA_SUCCESS  The public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t psa_export_public_key_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate a key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ *       entry point.
+ *
+ * \param[in]  attributes         The attributes for the key to generate.
+ * \param[out] key_buffer         Buffer where the key data is to be written.
+ * \param[in]  key_buffer_size    Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length  On success, the number of bytes written in
+ *                                \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was generated successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         Key size in bits or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of \p key_buffer is too small.
+ */
+psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
+                                       uint8_t *key_buffer,
+                                       size_t key_buffer_size,
+                                       size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with a private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash entry point. This function behaves as a sign_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              the type of the key.
+ * \param[in]  hash             The hash or message to sign.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[out] signature        Buffer where the signature is to be written.
+ * \param[in]  signature_size   Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ *                              that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of the \p signature buffer is too small. You can
+ *         determine a sufficient buffer size by calling
+ *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ *         where \c key_type and \c key_bits are the type and bit-size
+ *         respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ */
+psa_status_t psa_sign_hash_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_hash entry point. This function behaves as a verify_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              the type of the key.
+ * \param[in]  hash             The hash or message whose signature is to be
+ *                              verified.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[in]  signature        Buffer containing the signature to verify.
+ * \param[in]  signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ *         The calculation was performed successfully, but the passed
+ *         signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t psa_verify_hash_internal(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+#endif /* PSA_CRYPTO_CORE_H */
diff --git a/common/mbedtls/psa_crypto_driver_wrappers.c b/common/mbedtls/psa_crypto_driver_wrappers.c
new file mode 100644
index 000000000..33a62c1e9
--- /dev/null
+++ b/common/mbedtls/psa_crypto_driver_wrappers.c
@@ -0,0 +1,1016 @@
+/*
+ *  Functions to delegate cryptographic operations to an available
+ *  and appropriate accelerator.
+ *  Warning: This file will be auto-generated in the future.
+ */
+/*  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers.h"
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+
+/* Include test driver definition when running tests */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif
+#include "test/drivers/test_driver.h"
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+/* Repeat above block for each JSON-declared driver during autogeneration */
+
+/* Auto-generated values depending on which drivers are registered. ID 0 is
+ * reserved for unallocated operations. */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#define PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID (1)
+#define PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID (2)
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+
+/* Support the 'old' SE interface when asked to */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style
+ * SE driver is present, to avoid unused argument errors at compile time. */
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#include "psa_crypto_se.h"
+#endif
+
+/* Start delegation functions */
+psa_status_t psa_driver_wrapper_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        if (drv->asymmetric == NULL ||
+                drv->asymmetric->p_sign == NULL) {
+            /* Key is defined in SE, but we have no way to exercise it */
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+        return (drv->asymmetric->p_sign(
+                    drv_context, *((psa_key_slot_number_t *)key_buffer),
+                    alg, hash, hash_length,
+                    signature, signature_size, signature_length));
+    }
+#endif /* PSA_CRYPTO_SE_C */
+
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location =
+        PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_signature_sign_hash(attributes,
+                                                          key_buffer,
+                                                          key_buffer_size,
+                                                          alg,
+                                                          hash,
+                                                          hash_length,
+                                                          signature,
+                                                          signature_size,
+                                                          signature_length);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (psa_sign_hash_internal(attributes,
+                                           key_buffer,
+                                           key_buffer_size,
+                                           alg,
+                                           hash,
+                                           hash_length,
+                                           signature,
+                                           signature_size,
+                                           signature_length));
+
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_signature_sign_hash(attributes,
+                                                    key_buffer,
+                                                    key_buffer_size,
+                                                    alg,
+                                                    hash,
+                                                    hash_length,
+                                                    signature,
+                                                    signature_size,
+                                                    signature_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            (void)status;
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+}
+
+psa_status_t psa_driver_wrapper_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        if (drv->asymmetric == NULL ||
+                drv->asymmetric->p_verify == NULL) {
+            /* Key is defined in SE, but we have no way to exercise it */
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+        return (drv->asymmetric->p_verify(
+                    drv_context, *((psa_key_slot_number_t *)key_buffer),
+                    alg, hash, hash_length,
+                    signature, signature_length));
+    }
+#endif /* PSA_CRYPTO_SE_C */
+
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location =
+        PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_signature_verify_hash(attributes,
+                                                            key_buffer,
+                                                            key_buffer_size,
+                                                            alg,
+                                                            hash,
+                                                            hash_length,
+                                                            signature,
+                                                            signature_length);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+            return (psa_verify_hash_internal(attributes,
+                                             key_buffer,
+                                             key_buffer_size,
+                                             alg,
+                                             hash,
+                                             hash_length,
+                                             signature,
+                                             signature_length));
+
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_signature_verify_hash(attributes,
+                                                      key_buffer,
+                                                      key_buffer_size,
+                                                      alg,
+                                                      hash,
+                                                      hash_length,
+                                                      signature,
+                                                      signature_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            (void)status;
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+}
+
+/** Get the key buffer size for the key material of a generated key in the
+ *  case of an opaque driver without storage.
+ *
+ * \param[in] attributes  The key attributes.
+ * \param[out] key_buffer_size  Minimum buffer size to contain the key material
+ *
+ * \retval #PSA_SUCCESS
+ *         The minimum size for a buffer to contain the key material has been
+ *         returned successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         The type and/or the size in bits of the key or the combination of
+ *         the two is not supported.
+ */
+psa_status_t psa_driver_wrapper_get_key_buffer_size(
+    const psa_key_attributes_t *attributes,
+    size_t *key_buffer_size) {
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+    psa_key_type_t key_type = attributes->core.type;
+    size_t key_bits = attributes->core.bits;
+
+    *key_buffer_size = 0;
+    switch (location) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+#ifdef TEST_DRIVER_KEY_CONTEXT_SIZE_FUNCTION
+            *key_buffer_size = test_size_function(key_type, key_bits);
+            return (PSA_SUCCESS);
+#else /* TEST_DRIVER_KEY_CONTEXT_SIZE_FUNCTION */
+            if (PSA_KEY_TYPE_IS_KEY_PAIR(key_type)) {
+                int public_key_overhead =
+                    ((TEST_DRIVER_KEY_CONTEXT_STORE_PUBLIC_KEY == 1) ?
+                     PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits) : 0);
+                *key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE
+                                   + TEST_DRIVER_KEY_CONTEXT_PUBLIC_KEY_SIZE
+                                   + public_key_overhead;
+            } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) {
+                *key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE
+                                   + TEST_DRIVER_KEY_CONTEXT_PUBLIC_KEY_SIZE;
+            } else if (!PSA_KEY_TYPE_IS_KEY_PAIR(key_type) &&
+                       !PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) {
+                *key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE
+                                   + TEST_DRIVER_KEY_CONTEXT_SYMMETRIC_FACTOR
+                                   * ((key_bits + 7) / 8);
+            } else {
+                return (PSA_ERROR_NOT_SUPPORTED);
+            }
+            return (PSA_SUCCESS);
+#endif /* TEST_DRIVER_KEY_CONTEXT_SIZE_FUNCTION */
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+        default:
+            (void)key_type;
+            (void)key_bits;
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+}
+
+psa_status_t psa_driver_wrapper_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location =
+        PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        size_t pubkey_length = 0; /* We don't support this feature yet */
+        if (drv->key_management == NULL ||
+                drv->key_management->p_generate == NULL) {
+            /* Key is defined as being in SE, but we have no way to generate it */
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+        return (drv->key_management->p_generate(
+                    drv_context,
+                    *((psa_key_slot_number_t *)key_buffer),
+                    attributes, NULL, 0, &pubkey_length));
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+            /* Transparent drivers are limited to generating asymmetric keys */
+            if (PSA_KEY_TYPE_IS_ASYMMETRIC(attributes->core.type)) {
+                /* Cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+                status = test_transparent_generate_key(
+                             attributes, key_buffer, key_buffer_size,
+                             key_buffer_length);
+                /* Declared with fallback == true */
+                if (status != PSA_ERROR_NOT_SUPPORTED)
+                    break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+            }
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+            /* Software fallback */
+            status = psa_generate_key_internal(
+                         attributes, key_buffer, key_buffer_size, key_buffer_length);
+            break;
+
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            status = test_opaque_generate_key(
+                         attributes, key_buffer, key_buffer_size, key_buffer_length);
+            break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+        default:
+            /* Key is declared with a lifetime not known to us */
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            break;
+    }
+
+    return (status);
+}
+
+psa_status_t psa_driver_wrapper_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data,
+    size_t data_length,
+    uint8_t *key_buffer,
+    size_t key_buffer_size,
+    size_t *key_buffer_length,
+    size_t *bits) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+                                      psa_get_key_lifetime(attributes));
+
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        if (drv->key_management == NULL ||
+                drv->key_management->p_import == NULL)
+            return (PSA_ERROR_NOT_SUPPORTED);
+
+        /* The driver should set the number of key bits, however in
+         * case it doesn't, we initialize bits to an invalid value. */
+        *bits = PSA_MAX_KEY_BITS + 1;
+        status = drv->key_management->p_import(
+                     drv_context,
+                     *((psa_key_slot_number_t *)key_buffer),
+                     attributes, data, data_length, bits);
+
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        if ((*bits) > PSA_MAX_KEY_BITS)
+            return (PSA_ERROR_NOT_SUPPORTED);
+
+        return (PSA_SUCCESS);
+    }
+#endif /* PSA_CRYPTO_SE_C */
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_import_key(attributes,
+                                                 data, data_length,
+                                                 key_buffer, key_buffer_size,
+                                                 key_buffer_length, bits);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (psa_import_key_into_slot(attributes,
+                                             data, data_length,
+                                             key_buffer, key_buffer_size,
+                                             key_buffer_length, bits));
+
+        default:
+            /* Importing a key with external storage in not yet supported.
+             * Return in error indicating that the lifetime is not valid. */
+            (void)status;
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+
+}
+
+psa_status_t psa_driver_wrapper_export_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length)
+
+{
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+                                      psa_get_key_lifetime(attributes));
+
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        if ((drv->key_management == NULL) ||
+                (drv->key_management->p_export == NULL)) {
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+
+        return (drv->key_management->p_export(
+                    drv_context,
+                    *((psa_key_slot_number_t *)key_buffer),
+                    data, data_size, data_length));
+    }
+#endif /* PSA_CRYPTO_SE_C */
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            return (psa_export_key_internal(attributes,
+                                            key_buffer,
+                                            key_buffer_size,
+                                            data,
+                                            data_size,
+                                            data_length));
+
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_export_key(attributes,
+                                           key_buffer,
+                                           key_buffer_size,
+                                           data,
+                                           data_size,
+                                           data_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (status);
+    }
+}
+
+psa_status_t psa_driver_wrapper_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length)
+
+{
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+                                      psa_get_key_lifetime(attributes));
+
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if (psa_get_se_driver(attributes->core.lifetime, &drv, &drv_context)) {
+        if ((drv->key_management == NULL) ||
+                (drv->key_management->p_export_public == NULL)) {
+            return (PSA_ERROR_NOT_SUPPORTED);
+        }
+
+        return (drv->key_management->p_export_public(
+                    drv_context,
+                    *((psa_key_slot_number_t *)key_buffer),
+                    data, data_size, data_length));
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_export_public_key(attributes,
+                                                        key_buffer,
+                                                        key_buffer_size,
+                                                        data,
+                                                        data_size,
+                                                        data_length);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (psa_export_public_key_internal(attributes,
+                                                   key_buffer,
+                                                   key_buffer_size,
+                                                   data,
+                                                   data_size,
+                                                   data_length));
+
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_export_public_key(attributes,
+                                                  key_buffer,
+                                                  key_buffer_size,
+                                                  data,
+                                                  data_size,
+                                                  data_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (status);
+    }
+}
+
+/*
+ * Cipher functions
+ */
+psa_status_t psa_driver_wrapper_cipher_encrypt(
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_cipher_encrypt(&attributes,
+                                                     slot->key.data,
+                                                     slot->key.bytes,
+                                                     alg,
+                                                     input,
+                                                     input_length,
+                                                     output,
+                                                     output_size,
+                                                     output_length);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (PSA_ERROR_NOT_SUPPORTED);
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_cipher_encrypt(&attributes,
+                                               slot->key.data,
+                                               slot->key.bytes,
+                                               alg,
+                                               input,
+                                               input_length,
+                                               output,
+                                               output_size,
+                                               output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (status);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) slot;
+    (void) alg;
+    (void) input;
+    (void) input_length;
+    (void) output;
+    (void) output_size;
+    (void) output_length;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_decrypt(
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            status = test_transparent_cipher_decrypt(&attributes,
+                                                     slot->key.data,
+                                                     slot->key.bytes,
+                                                     alg,
+                                                     input,
+                                                     input_length,
+                                                     output,
+                                                     output_size,
+                                                     output_length);
+            /* Declared with fallback == true */
+            if (status != PSA_ERROR_NOT_SUPPORTED)
+                return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (PSA_ERROR_NOT_SUPPORTED);
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            return (test_opaque_cipher_decrypt(&attributes,
+                                               slot->key.data,
+                                               slot->key.bytes,
+                                               alg,
+                                               input,
+                                               input_length,
+                                               output,
+                                               output_size,
+                                               output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (status);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) slot;
+    (void) alg;
+    (void) input;
+    (void) input_length;
+    (void) output;
+    (void) output_size;
+    (void) output_length;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+    psa_operation_driver_context_t *operation,
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            operation->ctx = mbedtls_calloc(1, sizeof(test_transparent_cipher_operation_t));
+            if (operation->ctx == NULL)
+                return PSA_ERROR_INSUFFICIENT_MEMORY;
+
+            status = test_transparent_cipher_encrypt_setup(operation->ctx,
+                                                           &attributes,
+                                                           slot->key.data,
+                                                           slot->key.bytes,
+                                                           alg);
+            /* Declared with fallback == true */
+            if (status == PSA_SUCCESS)
+                operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID;
+            else {
+                mbedtls_platform_zeroize(
+                    operation->ctx,
+                    sizeof(test_transparent_cipher_operation_t));
+                mbedtls_free(operation->ctx);
+                operation->ctx = NULL;
+            }
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (PSA_ERROR_NOT_SUPPORTED);
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            operation->ctx = mbedtls_calloc(1, sizeof(test_opaque_cipher_operation_t));
+            if (operation->ctx == NULL)
+                return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+            status = test_opaque_cipher_encrypt_setup(operation->ctx,
+                                                      &attributes,
+                                                      slot->key.data,
+                                                      slot->key.bytes,
+                                                      alg);
+            if (status == PSA_SUCCESS)
+                operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID;
+            else {
+                mbedtls_platform_zeroize(
+                    operation->ctx,
+                    sizeof(test_opaque_cipher_operation_t));
+                mbedtls_free(operation->ctx);
+                operation->ctx = NULL;
+            }
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void)slot;
+    (void)alg;
+    (void)operation;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+    psa_operation_driver_context_t *operation,
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+    psa_key_attributes_t attributes = {
+        .core = slot->attr
+    };
+
+    switch (location) {
+        case PSA_KEY_LOCATION_LOCAL_STORAGE:
+            /* Key is stored in the slot in export representation, so
+             * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+            operation->ctx = mbedtls_calloc(1, sizeof(test_transparent_cipher_operation_t));
+            if (operation->ctx == NULL)
+                return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+            status = test_transparent_cipher_decrypt_setup(operation->ctx,
+                                                           &attributes,
+                                                           slot->key.data,
+                                                           slot->key.bytes,
+                                                           alg);
+            /* Declared with fallback == true */
+            if (status == PSA_SUCCESS)
+                operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID;
+            else {
+                mbedtls_platform_zeroize(
+                    operation->ctx,
+                    sizeof(test_transparent_cipher_operation_t));
+                mbedtls_free(operation->ctx);
+                operation->ctx = NULL;
+            }
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+            /* Fell through, meaning no accelerator supports this operation */
+            return (PSA_ERROR_NOT_SUPPORTED);
+            /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+            operation->ctx = mbedtls_calloc(1, sizeof(test_opaque_cipher_operation_t));
+            if (operation->ctx == NULL)
+                return PSA_ERROR_INSUFFICIENT_MEMORY;
+
+            status = test_opaque_cipher_decrypt_setup(operation->ctx,
+                                                      &attributes,
+                                                      slot->key.data,
+                                                      slot->key.bytes,
+                                                      alg);
+            if (status == PSA_SUCCESS)
+                operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID;
+            else {
+                mbedtls_platform_zeroize(
+                    operation->ctx,
+                    sizeof(test_opaque_cipher_operation_t));
+                mbedtls_free(operation->ctx);
+                operation->ctx = NULL;
+            }
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is declared with a lifetime not known to us */
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void)slot;
+    (void)alg;
+    (void)operation;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_generate_iv(
+    psa_operation_driver_context_t *operation,
+    uint8_t *iv,
+    size_t iv_size,
+    size_t *iv_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    switch (operation->id) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID:
+            return (test_transparent_cipher_generate_iv(operation->ctx,
+                                                        iv,
+                                                        iv_size,
+                                                        iv_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID:
+            return (test_opaque_cipher_generate_iv(operation->ctx,
+                                                   iv,
+                                                   iv_size,
+                                                   iv_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is attached to a driver not known to us */
+            return (PSA_ERROR_BAD_STATE);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) operation;
+    (void) iv;
+    (void) iv_size;
+    (void) iv_length;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_set_iv(
+    psa_operation_driver_context_t *operation,
+    const uint8_t *iv,
+    size_t iv_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    switch (operation->id) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID:
+            return (test_transparent_cipher_set_iv(operation->ctx,
+                                                   iv,
+                                                   iv_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID:
+            return (test_opaque_cipher_set_iv(operation->ctx,
+                                              iv,
+                                              iv_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is attached to a driver not known to us */
+            return (PSA_ERROR_BAD_STATE);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) operation;
+    (void) iv;
+    (void) iv_length;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_update(
+    psa_operation_driver_context_t *operation,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    switch (operation->id) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID:
+            return (test_transparent_cipher_update(operation->ctx,
+                                                   input,
+                                                   input_length,
+                                                   output,
+                                                   output_size,
+                                                   output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID:
+            return (test_opaque_cipher_update(operation->ctx,
+                                              input,
+                                              input_length,
+                                              output,
+                                              output_size,
+                                              output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is attached to a driver not known to us */
+            return (PSA_ERROR_BAD_STATE);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) operation;
+    (void) input;
+    (void) input_length;
+    (void) output;
+    (void) output_length;
+    (void) output_size;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_finish(
+    psa_operation_driver_context_t *operation,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    switch (operation->id) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID:
+            return (test_transparent_cipher_finish(operation->ctx,
+                                                   output,
+                                                   output_size,
+                                                   output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID:
+            return (test_opaque_cipher_finish(operation->ctx,
+                                              output,
+                                              output_size,
+                                              output_length));
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Key is attached to a driver not known to us */
+            return (PSA_ERROR_BAD_STATE);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void) operation;
+    (void) output;
+    (void) output_size;
+    (void) output_length;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_cipher_abort(
+    psa_operation_driver_context_t *operation) {
+#if defined(PSA_CRYPTO_DRIVER_PRESENT) && defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+
+    /* The object has (apparently) been initialized but it is not in use. It's
+     * ok to call abort on such an object, and there's nothing to do. */
+    if (operation->ctx == NULL && operation->id == 0)
+        return (PSA_SUCCESS);
+
+    switch (operation->id) {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID:
+            status = test_transparent_cipher_abort(operation->ctx);
+            mbedtls_platform_zeroize(
+                operation->ctx,
+                sizeof(test_transparent_cipher_operation_t));
+            mbedtls_free(operation->ctx);
+            operation->ctx = NULL;
+            operation->id = 0;
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+        case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID:
+            status = test_opaque_cipher_abort(operation->ctx);
+            mbedtls_platform_zeroize(
+                operation->ctx,
+                sizeof(test_opaque_cipher_operation_t));
+            mbedtls_free(operation->ctx);
+            operation->ctx = NULL;
+            operation->id = 0;
+
+            return (status);
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+        default:
+            /* Operation is attached to a driver not known to us */
+            return (PSA_ERROR_BAD_STATE);
+    }
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+    (void)operation;
+
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+/* End of automatically generated file. */
diff --git a/common/mbedtls/psa_crypto_driver_wrappers.h b/common/mbedtls/psa_crypto_driver_wrappers.h
new file mode 100644
index 000000000..d4cdf5f5a
--- /dev/null
+++ b/common/mbedtls/psa_crypto_driver_wrappers.h
@@ -0,0 +1,132 @@
+/*
+ *  Function signatures for functionality that can be provided by
+ *  cryptographic accelerators.
+ *  Warning: This file will be auto-generated in the future.
+ */
+/*  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_WRAPPERS_H
+#define PSA_CRYPTO_DRIVER_WRAPPERS_H
+
+#include "psa/crypto.h"
+#include "psa/crypto_driver_common.h"
+
+/*
+ * Signature functions
+ */
+psa_status_t psa_driver_wrapper_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+psa_status_t psa_driver_wrapper_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+/*
+ * Key handling functions
+ */
+
+psa_status_t psa_driver_wrapper_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+psa_status_t psa_driver_wrapper_export_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t psa_driver_wrapper_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t psa_driver_wrapper_get_key_buffer_size(
+    const psa_key_attributes_t *attributes,
+    size_t *key_buffer_size);
+
+psa_status_t psa_driver_wrapper_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/*
+ * Cipher functions
+ */
+psa_status_t psa_driver_wrapper_cipher_encrypt(
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length);
+
+psa_status_t psa_driver_wrapper_cipher_decrypt(
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length);
+
+psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+    psa_operation_driver_context_t *operation,
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg);
+
+psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+    psa_operation_driver_context_t *operation,
+    psa_key_slot_t *slot,
+    psa_algorithm_t alg);
+
+psa_status_t psa_driver_wrapper_cipher_generate_iv(
+    psa_operation_driver_context_t *operation,
+    uint8_t *iv,
+    size_t iv_size,
+    size_t *iv_length);
+
+psa_status_t psa_driver_wrapper_cipher_set_iv(
+    psa_operation_driver_context_t *operation,
+    const uint8_t *iv,
+    size_t iv_length);
+
+psa_status_t psa_driver_wrapper_cipher_update(
+    psa_operation_driver_context_t *operation,
+    const uint8_t *input,
+    size_t input_length,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length);
+
+psa_status_t psa_driver_wrapper_cipher_finish(
+    psa_operation_driver_context_t *operation,
+    uint8_t *output,
+    size_t output_size,
+    size_t *output_length);
+
+psa_status_t psa_driver_wrapper_cipher_abort(
+    psa_operation_driver_context_t *operation);
+
+#endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */
+
+/* End of automatically generated file. */
diff --git a/common/mbedtls/psa_crypto_ecp.c b/common/mbedtls/psa_crypto_ecp.c
new file mode 100644
index 000000000..e8fa4c6a4
--- /dev/null
+++ b/common/mbedtls/psa_crypto_ecp.c
@@ -0,0 +1,630 @@
+/*
+ *  PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_random_impl.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#include <mbedtls/ecdsa.h>
+#include <mbedtls/ecp.h>
+#include <mbedtls/error.h>
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
+        defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ) )
+#define BUILTIN_KEY_TYPE_ECC_KEY_PAIR    1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
+        defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) )
+#define BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY  1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&       \
+        defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) &&  \
+        defined(MBEDTLS_ECDSA_C) ) )
+#define BUILTIN_ALG_ECDSA 1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                     \
+        defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) &&  \
+        defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) ) )
+#define BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#endif
+
+#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(BUILTIN_ALG_ECDSA) || \
+    defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+psa_status_t mbedtls_psa_ecp_load_representation(
+    psa_key_type_t type, size_t curve_bits,
+    const uint8_t *data, size_t data_length,
+    mbedtls_ecp_keypair **p_ecp) {
+    mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
+    psa_status_t status;
+    mbedtls_ecp_keypair *ecp = NULL;
+    size_t curve_bytes = data_length;
+    int explicit_bits = (curve_bits != 0);
+
+    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+            PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
+        /* A Weierstrass public key is represented as:
+         * - The byte 0x04;
+         * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+         * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
+         * So its data length is 2m+1 where m is the curve size in bits.
+         */
+        if ((data_length & 1) == 0)
+            return (PSA_ERROR_INVALID_ARGUMENT);
+        curve_bytes = data_length / 2;
+
+        /* Montgomery public keys are represented in compressed format, meaning
+         * their curve_bytes is equal to the amount of input. */
+
+        /* Private keys are represented in uncompressed private random integer
+         * format, meaning their curve_bytes is equal to the amount of input. */
+    }
+
+    if (explicit_bits) {
+        /* With an explicit bit-size, the data must have the matching length. */
+        if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits))
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    } else {
+        /* We need to infer the bit-size from the data. Since the only
+         * information we have is the length in bytes, the value of curve_bits
+         * at this stage is rounded up to the nearest multiple of 8. */
+        curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
+    }
+
+    /* Allocate and initialize a key representation. */
+    ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
+    if (ecp == NULL)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+    mbedtls_ecp_keypair_init(ecp);
+
+    /* Load the group. */
+    grp_id = mbedtls_ecc_group_of_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
+                                      curve_bits, !explicit_bits);
+    if (grp_id == MBEDTLS_ECP_DP_NONE) {
+        /* We can't distinguish between a nonsensical family/size combination
+         * (which would warrant PSA_ERROR_INVALID_ARGUMENT) and a
+         * well-regarded curve that Mbed TLS just doesn't know about (which
+         * would warrant PSA_ERROR_NOT_SUPPORTED). For uniformity with how
+         * curves that Mbed TLS knows about but for which support is disabled
+         * at build time, return NOT_SUPPORTED. */
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
+    }
+
+    status = mbedtls_to_psa_error(
+                 mbedtls_ecp_group_load(&ecp->grp, grp_id));
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Load the key material. */
+    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+        /* Load the public value. */
+        status = mbedtls_to_psa_error(
+                     mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
+                                                   data,
+                                                   data_length));
+        if (status != PSA_SUCCESS)
+            goto exit;
+
+        /* Check that the point is on the curve. */
+        status = mbedtls_to_psa_error(
+                     mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
+        if (status != PSA_SUCCESS)
+            goto exit;
+    } else {
+        /* Load and validate the secret value. */
+        status = mbedtls_to_psa_error(
+                     mbedtls_ecp_read_key(ecp->grp.id,
+                                          ecp,
+                                          data,
+                                          data_length));
+        if (status != PSA_SUCCESS)
+            goto exit;
+    }
+
+    *p_ecp = ecp;
+exit:
+    if (status != PSA_SUCCESS) {
+        mbedtls_ecp_keypair_free(ecp);
+        mbedtls_free(ecp);
+    }
+
+    return (status);
+}
+#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
+        * defined(BUILTIN_ALG_ECDSA) ||
+        * defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
+
+#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+
+static psa_status_t ecp_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    psa_status_t status;
+    mbedtls_ecp_keypair *ecp = NULL;
+
+    /* Parse input */
+    status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                 attributes->core.bits,
+                                                 data,
+                                                 data_length,
+                                                 &ecp);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) ==
+            PSA_ECC_FAMILY_MONTGOMERY)
+        *bits = ecp->grp.nbits + 1;
+    else
+        *bits = ecp->grp.nbits;
+
+    /* Re-export the data to PSA export format. There is currently no support
+     * for other input formats then the export format, so this is a 1-1
+     * copy operation. */
+    status = mbedtls_psa_ecp_export_key(attributes->core.type,
+                                        ecp,
+                                        key_buffer,
+                                        key_buffer_size,
+                                        key_buffer_length);
+exit:
+    /* Always free the PK object (will also free contained ECP context) */
+    mbedtls_ecp_keypair_free(ecp);
+    mbedtls_free(ecp);
+
+    return (status);
+}
+
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+                                        mbedtls_ecp_keypair *ecp,
+                                        uint8_t *data,
+                                        size_t data_size,
+                                        size_t *data_length) {
+    psa_status_t status;
+
+    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+        /* Check whether the public part is loaded */
+        if (mbedtls_ecp_is_zero(&ecp->Q)) {
+            /* Calculate the public key */
+            status = mbedtls_to_psa_error(
+                         mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
+                                         mbedtls_psa_get_random,
+                                         MBEDTLS_PSA_RANDOM_STATE));
+            if (status != PSA_SUCCESS)
+                return (status);
+        }
+
+        status = mbedtls_to_psa_error(
+                     mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
+                                                    MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                                    data_length,
+                                                    data,
+                                                    data_size));
+        if (status != PSA_SUCCESS)
+            memset(data, 0, data_size);
+
+        return (status);
+    } else {
+        if (data_size < PSA_BITS_TO_BYTES(ecp->grp.nbits))
+            return (PSA_ERROR_BUFFER_TOO_SMALL);
+
+        status = mbedtls_to_psa_error(
+                     mbedtls_ecp_write_key(ecp,
+                                           data,
+                                           PSA_BITS_TO_BYTES(ecp->grp.nbits)));
+        if (status == PSA_SUCCESS)
+            *data_length = PSA_BITS_TO_BYTES(ecp->grp.nbits);
+        else
+            memset(data, 0, data_size);
+
+        return (status);
+    }
+}
+
+static psa_status_t ecp_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_keypair *ecp = NULL;
+
+    status = mbedtls_psa_ecp_load_representation(
+                 attributes->core.type, attributes->core.bits,
+                 key_buffer, key_buffer_size, &ecp);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = mbedtls_psa_ecp_export_key(
+                 PSA_KEY_TYPE_ECC_PUBLIC_KEY(
+                     PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type)),
+                 ecp, data, data_size, data_length);
+
+    mbedtls_ecp_keypair_free(ecp);
+    mbedtls_free(ecp);
+
+    return (status);
+}
+#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
+static psa_status_t ecp_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+                                 attributes->core.type);
+    mbedtls_ecp_group_id grp_id =
+        mbedtls_ecc_group_of_psa(curve, attributes->core.bits, 0);
+
+    const mbedtls_ecp_curve_info *curve_info =
+        mbedtls_ecp_curve_info_from_grp_id(grp_id);
+    mbedtls_ecp_keypair ecp;
+
+    if (attributes->domain_parameters_size != 0)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    mbedtls_ecp_keypair_init(&ecp);
+    ret = mbedtls_ecp_gen_key(grp_id, &ecp,
+                              mbedtls_psa_get_random,
+                              MBEDTLS_PSA_RANDOM_STATE);
+    if (ret != 0) {
+        mbedtls_ecp_keypair_free(&ecp);
+        return (mbedtls_to_psa_error(ret));
+    }
+
+    status = mbedtls_to_psa_error(
+                 mbedtls_ecp_write_key(&ecp, key_buffer, key_buffer_size));
+
+    mbedtls_ecp_keypair_free(&ecp);
+
+    if (status == PSA_SUCCESS)
+        *key_buffer_length = key_buffer_size;
+
+    return (status);
+}
+#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
+
+/****************************************************************/
+/* ECDSA sign/verify */
+/****************************************************************/
+
+#if defined(BUILTIN_ALG_ECDSA) || \
+    defined(BUILTIN_ALG_DETERMINISTIC_ECDSA)
+static psa_status_t ecdsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_keypair *ecp = NULL;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t curve_bytes;
+    mbedtls_mpi r, s;
+
+    status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                 attributes->core.bits,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &ecp);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+    mbedtls_mpi_init(&r);
+    mbedtls_mpi_init(&s);
+
+    if (signature_size < 2 * curve_bytes) {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+
+    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
+#if defined(BUILTIN_ALG_DETERMINISTIC_ECDSA)
+        psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa(hash_alg);
+        mbedtls_md_type_t md_alg = mbedtls_md_get_type(md_info);
+        MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
+                            &ecp->grp, &r, &s,
+                            &ecp->d, hash,
+                            hash_length, md_alg,
+                            mbedtls_psa_get_random,
+                            MBEDTLS_PSA_RANDOM_STATE));
+#else
+        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+        goto cleanup;
+#endif /* defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+    } else {
+        (void) alg;
+        MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
+                                           hash, hash_length,
+                                           mbedtls_psa_get_random,
+                                           MBEDTLS_PSA_RANDOM_STATE));
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
+                                             signature,
+                                             curve_bytes));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
+                                             signature + curve_bytes,
+                                             curve_bytes));
+cleanup:
+    mbedtls_mpi_free(&r);
+    mbedtls_mpi_free(&s);
+    if (ret == 0)
+        *signature_length = 2 * curve_bytes;
+
+    mbedtls_ecp_keypair_free(ecp);
+    mbedtls_free(ecp);
+
+    return (mbedtls_to_psa_error(ret));
+}
+
+static psa_status_t ecdsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ecp_keypair *ecp = NULL;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t curve_bytes;
+    mbedtls_mpi r, s;
+
+    (void)alg;
+
+    status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+                                                 attributes->core.bits,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &ecp);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+    mbedtls_mpi_init(&r);
+    mbedtls_mpi_init(&s);
+
+    if (signature_length != 2 * curve_bytes) {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r,
+                                            signature,
+                                            curve_bytes));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s,
+                                            signature + curve_bytes,
+                                            curve_bytes));
+
+    /* Check whether the public part is loaded. If not, load it. */
+    if (mbedtls_ecp_is_zero(&ecp->Q)) {
+        MBEDTLS_MPI_CHK(
+            mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
+                            mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+    }
+
+    ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
+                               &ecp->Q, &r, &s);
+
+cleanup:
+    mbedtls_mpi_free(&r);
+    mbedtls_mpi_free(&s);
+    mbedtls_ecp_keypair_free(ecp);
+    mbedtls_free(ecp);
+
+    return (mbedtls_to_psa_error(ret));
+}
+
+#endif /* defined(BUILTIN_ALG_ECDSA) || \
+        * defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+
+psa_status_t mbedtls_psa_ecp_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    return (ecp_import_key(attributes, data, data_length,
+                           key_buffer, key_buffer_size,
+                           key_buffer_length, bits));
+}
+
+psa_status_t mbedtls_psa_ecp_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    return (ecp_export_public_key(attributes, key_buffer, key_buffer_size,
+                                  data, data_size, data_length));
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
+psa_status_t mbedtls_psa_ecp_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    return (ecp_generate_key(attributes, key_buffer, key_buffer_size,
+                             key_buffer_length));
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
+
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+
+    return (ecdsa_sign_hash(attributes,
+                            key_buffer, key_buffer_size,
+                            alg, hash, hash_length,
+                            signature, signature_size, signature_length));
+}
+
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+    return (ecdsa_verify_hash(attributes,
+                              key_buffer, key_buffer_size,
+                              alg, hash, hash_length,
+                              signature, signature_length));
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+
+/*
+ * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
+ */
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
+
+psa_status_t mbedtls_transparent_test_driver_ecp_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    return (ecp_import_key(attributes, data, data_length,
+                           key_buffer, key_buffer_size,
+                           key_buffer_length, bits));
+}
+
+psa_status_t mbedtls_transparent_test_driver_ecp_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    return (ecp_export_public_key(attributes, key_buffer, key_buffer_size,
+                                  data, data_size, data_length));
+}
+
+#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ||
+          defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) && \
+    defined(MBEDTLS_GENPRIME)
+psa_status_t mbedtls_transparent_test_driver_ecp_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    return (ecp_generate_key(attributes, key_buffer, key_buffer_size,
+                             key_buffer_length));
+}
+#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) &&
+          defined(MBEDTLS_GENPRIME) */
+
+#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
+
+psa_status_t mbedtls_transparent_test_driver_ecdsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+
+#if defined(MBEDTLS_ECDSA_C)
+    return (ecdsa_sign_hash(attributes,
+                            key_buffer, key_buffer_size,
+                            alg, hash, hash_length,
+                            signature, signature_size, signature_length));
+#else
+    (void)attributes;
+    (void)key_buffer;
+    (void)key_buffer_size;
+    (void)alg;
+    (void)hash;
+    (void)hash_length;
+    (void)signature;
+    (void)signature_size;
+    (void)signature_length;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif
+}
+
+psa_status_t mbedtls_transparent_test_driver_ecdsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+#if defined(MBEDTLS_ECDSA_C)
+    return (ecdsa_verify_hash(attributes,
+                              key_buffer, key_buffer_size,
+                              alg, hash, hash_length,
+                              signature, signature_length));
+#else
+    (void)attributes;
+    (void)key_buffer;
+    (void)key_buffer_size;
+    (void)alg;
+    (void)hash;
+    (void)hash_length;
+    (void)signature;
+    (void)signature_length;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif
+}
+
+#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) ||
+        * defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/common/mbedtls/psa_crypto_ecp.h b/common/mbedtls/psa_crypto_ecp.h
new file mode 100644
index 000000000..c37e7df89
--- /dev/null
+++ b/common/mbedtls/psa_crypto_ecp.h
@@ -0,0 +1,256 @@
+/*
+ *  PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_ECP_H
+#define PSA_CRYPTO_ECP_H
+
+#include <psa/crypto.h>
+#include <mbedtls/ecp.h>
+
+/** Load the contents of a key buffer into an internal ECP representation
+ *
+ * \param[in] type          The type of key contained in \p data.
+ * \param[in] curve_bits    The nominal bit-size of the curve.
+ *                          It must be consistent with the representation
+ *                          passed in \p data.
+ *                          This can be 0, in which case the bit-size
+ *                          is inferred from \p data_length (which is possible
+ *                          for all key types and representation formats
+ *                          formats that are currently supported or will
+ *                          be in the foreseeable future).
+ * \param[in] data          The buffer from which to load the representation.
+ * \param[in] data_length   The size in bytes of \p data.
+ * \param[out] p_ecp        Returns a pointer to an ECP context on success.
+ *                          The caller is responsible for freeing both the
+ *                          contents of the context and the context itself
+ *                          when done.
+ */
+psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
+                                                 size_t curve_bits,
+                                                 const uint8_t *data,
+                                                 size_t data_length,
+                                                 mbedtls_ecp_keypair **p_ecp);
+
+/** Import an ECP key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       import_key entry point. This function behaves as an import_key
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes for the key to import.
+ * \param[in]  data             The buffer containing the key data in import
+ *                              format.
+ * \param[in]  data_length      Size of the \p data buffer in bytes.
+ * \param[out] key_buffer       The buffer containing the key data in output
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes. This
+ *                              size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length  The length of the data written in \p
+ *                                key_buffer in bytes.
+ * \param[out] bits             The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS  The ECP key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_ecp_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+/** Export an ECP key to export representation
+ *
+ * \param[in] type          The type of key (public/private) to export
+ * \param[in] ecp           The internal ECP representation from which to export
+ * \param[out] data         The buffer to export to
+ * \param[in] data_size     The length of the buffer to export to
+ * \param[out] data_length  The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+                                        mbedtls_ecp_keypair *ecp,
+                                        uint8_t *data,
+                                        size_t data_size,
+                                        size_t *data_length);
+
+/** Export an ECP public key or the public part of an ECP key pair in binary
+ *  format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       export_public_key entry point. This function behaves as an
+ *       export_public_key entry point as defined in the PSA driver interface
+ *       specification.
+ *
+ * \param[in]  attributes       The attributes for the key to export.
+ * \param[in]  key_buffer       Material or context of the key to export.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[out] data             Buffer where the key data is to be written.
+ * \param[in]  data_size        Size of the \p data buffer in bytes.
+ * \param[out] data_length      On success, the number of bytes written in
+ *                              \p data
+ *
+ * \retval #PSA_SUCCESS  The ECP public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_ecp_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an ECP key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ *       entry point.
+ *
+ * \param[in]  attributes         The attributes for the ECP key to generate.
+ * \param[out] key_buffer         Buffer where the key data is to be written.
+ * \param[in]  key_buffer_size    Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length  On success, the number of bytes written in
+ *                                \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ecp_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with ECDSA.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash entry point. This function behaves as a sign_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the ECC key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the ECC key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              Randomized or deterministic ECDSA algorithm.
+ * \param[in]  hash             The hash or message to sign.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[out] signature        Buffer where the signature is to be written.
+ * \param[in]  signature_size   Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ *                              that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of the \p signature buffer is too small. You can
+ *         determine a sufficient buffer size by calling
+ *         #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
+ *         \p alg) where \c key_bits is the bit-size of the ECC key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ */
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify an ECDSA hash or short message signature.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_hash entry point. This function behaves as a verify_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the ECC key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the ECC key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              Randomized or deterministic ECDSA algorithm.
+ * \param[in]  hash             The hash or message whose signature is to be
+ *                              verified.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[in]  signature        Buffer containing the signature to verify.
+ * \param[in]  signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ *         The calculation was performed successfully, but the passed
+ *         signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+/*
+ * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
+ */
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+psa_status_t mbedtls_transparent_test_driver_ecp_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+psa_status_t mbedtls_transparent_test_driver_ecp_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t mbedtls_transparent_test_driver_ecp_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+psa_status_t mbedtls_transparent_test_driver_ecdsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+psa_status_t mbedtls_transparent_test_driver_ecdsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+#endif /* PSA_CRYPTO_ECP_H */
diff --git a/common/mbedtls/psa_crypto_invasive.h b/common/mbedtls/psa_crypto_invasive.h
new file mode 100644
index 000000000..58e357e37
--- /dev/null
+++ b/common/mbedtls/psa_crypto_invasive.h
@@ -0,0 +1,86 @@
+/**
+ * \file psa_crypto_invasive.h
+ *
+ * \brief PSA cryptography module: invasive interfaces for test only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They MUST NOT be made available to clients over IPC in integrations
+ * with isolation, and they SHOULD NOT be made available in library
+ * integrations except when building the library for testing.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_INVASIVE_H
+#define PSA_CRYPTO_INVASIVE_H
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "common.h"
+
+#include "mbedtls/entropy.h"
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/** \brief Configure entropy sources.
+ *
+ * This function may only be called before a call to psa_crypto_init(),
+ * or after a call to mbedtls_psa_crypto_free() and before any
+ * subsequent call to psa_crypto_init().
+ *
+ * This function is only intended for test purposes. The functionality
+ * it provides is also useful for system integrators, but
+ * system integrators should configure entropy drivers instead of
+ * breaking through to the Mbed TLS API.
+ *
+ * \param entropy_init  Function to initialize the entropy context
+ *                      and set up the desired entropy sources.
+ *                      It is called by psa_crypto_init().
+ *                      By default this is mbedtls_entropy_init().
+ *                      This function cannot report failures directly.
+ *                      To indicate a failure, set the entropy context
+ *                      to a state where mbedtls_entropy_func() will
+ *                      return an error.
+ * \param entropy_free  Function to free the entropy context
+ *                      and associated resources.
+ *                      It is called by mbedtls_psa_crypto_free().
+ *                      By default this is mbedtls_entropy_free().
+ *
+ * \retval #PSA_SUCCESS
+ *         Success.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The caller does not have the permission to configure
+ *         entropy sources.
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has already been initialized.
+ */
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+    void (* entropy_init)(mbedtls_entropy_context *ctx),
+    void (* entropy_free)(mbedtls_entropy_context *ctx));
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C)
+psa_status_t psa_mac_key_can_do(
+    psa_algorithm_t algorithm,
+    psa_key_type_t key_type);
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */
+
+#endif /* PSA_CRYPTO_INVASIVE_H */
diff --git a/common/mbedtls/psa_crypto_its.h b/common/mbedtls/psa_crypto_its.h
new file mode 100644
index 000000000..a48b43ce5
--- /dev/null
+++ b/common/mbedtls/psa_crypto_its.h
@@ -0,0 +1,148 @@
+/** \file psa_crypto_its.h
+ * \brief Interface of trusted storage that crypto is built on.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_ITS_H
+#define PSA_CRYPTO_ITS_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <psa/crypto_types.h>
+#include <psa/crypto_values.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** \brief Flags used when creating a data entry
+ */
+typedef uint32_t psa_storage_create_flags_t;
+
+/** \brief A type for UIDs used for identifying data
+ */
+typedef uint64_t psa_storage_uid_t;
+
+#define PSA_STORAGE_FLAG_NONE        0         /**< No flags to pass */
+#define PSA_STORAGE_FLAG_WRITE_ONCE (1 << 0) /**< The data associated with the uid will not be able to be modified or deleted. Intended to be used to set bits in `psa_storage_create_flags_t`*/
+
+/**
+ * \brief A container for metadata associated with a specific uid
+ */
+struct psa_storage_info_t {
+    uint32_t size;                  /**< The size of the data associated with a uid **/
+    psa_storage_create_flags_t flags;    /**< The flags set when the uid was created **/
+};
+
+/** Flag indicating that \ref psa_storage_create and \ref psa_storage_set_extended are supported */
+#define PSA_STORAGE_SUPPORT_SET_EXTENDED (1 << 0)
+
+/** \brief PSA storage specific error codes
+ */
+#define PSA_ERROR_INVALID_SIGNATURE     ((psa_status_t)-149)
+#define PSA_ERROR_DATA_CORRUPT          ((psa_status_t)-152)
+
+#define PSA_ITS_API_VERSION_MAJOR  1  /**< The major version number of the PSA ITS API. It will be incremented on significant updates that may include breaking changes */
+#define PSA_ITS_API_VERSION_MINOR  1  /**< The minor version number of the PSA ITS API. It will be incremented in small updates that are unlikely to include breaking changes */
+
+/**
+ * \brief create a new or modify an existing uid/value pair
+ *
+ * \param[in] uid           the identifier for the data
+ * \param[in] data_length   The size in bytes of the data in `p_data`
+ * \param[in] p_data        A buffer containing the data
+ * \param[in] create_flags  The flags that the data will be stored with
+ *
+ * \return      A status indicating the success/failure of the operation
+ *
+ * \retval      #PSA_SUCCESS                     The operation completed successfully
+ * \retval      #PSA_ERROR_NOT_PERMITTED         The operation failed because the provided `uid` value was already created with PSA_STORAGE_WRITE_ONCE_FLAG
+ * \retval      #PSA_ERROR_NOT_SUPPORTED         The operation failed because one or more of the flags provided in `create_flags` is not supported or is not valid
+ * \retval      #PSA_ERROR_INSUFFICIENT_STORAGE  The operation failed because there was insufficient space on the storage medium
+ * \retval      #PSA_ERROR_STORAGE_FAILURE       The operation failed because the physical storage has failed (Fatal error)
+ * \retval      #PSA_ERROR_INVALID_ARGUMENT      The operation failed because one of the provided pointers(`p_data`)
+ *                                               is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+                         uint32_t data_length,
+                         const void *p_data,
+                         psa_storage_create_flags_t create_flags);
+
+/**
+ * \brief Retrieve the value associated with a provided uid
+ *
+ * \param[in] uid               The uid value
+ * \param[in] data_offset       The starting offset of the data requested
+ * \param[in] data_length       the amount of data requested (and the minimum allocated size of the `p_data` buffer)
+ * \param[out] p_data           The buffer where the data will be placed upon successful completion
+ * \param[out] p_data_length    The amount of data returned in the p_data buffer
+ *
+ *
+ * \return      A status indicating the success/failure of the operation
+ *
+ * \retval      #PSA_SUCCESS                 The operation completed successfully
+ * \retval      #PSA_ERROR_DOES_NOT_EXIST    The operation failed because the provided `uid` value was not found in the storage
+ * \retval      #PSA_ERROR_STORAGE_FAILURE   The operation failed because the physical storage has failed (Fatal error)
+ * \retval      #PSA_ERROR_DATA_CORRUPT      The operation failed because stored data has been corrupted
+ * \retval      #PSA_ERROR_INVALID_ARGUMENT  The operation failed because one of the provided pointers(`p_data`, `p_data_length`)
+ *                                           is invalid. For example is `NULL` or references memory the caller cannot access.
+ *                                           In addition, this can also happen if an invalid offset was provided.
+ */
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+                         uint32_t data_offset,
+                         uint32_t data_length,
+                         void *p_data,
+                         size_t *p_data_length);
+
+/**
+ * \brief Retrieve the metadata about the provided uid
+ *
+ * \param[in] uid           The uid value
+ * \param[out] p_info       A pointer to the `psa_storage_info_t` struct that will be populated with the metadata
+ *
+ * \return      A status indicating the success/failure of the operation
+ *
+ * \retval      #PSA_SUCCESS                 The operation completed successfully
+ * \retval      #PSA_ERROR_DOES_NOT_EXIST    The operation failed because the provided uid value was not found in the storage
+ * \retval      #PSA_ERROR_DATA_CORRUPT      The operation failed because stored data has been corrupted
+ * \retval      #PSA_ERROR_INVALID_ARGUMENT  The operation failed because one of the provided pointers(`p_info`)
+ *                                           is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+                              struct psa_storage_info_t *p_info);
+
+/**
+ * \brief Remove the provided key and its associated data from the storage
+ *
+ * \param[in] uid   The uid value
+ *
+ * \return  A status indicating the success/failure of the operation
+ *
+ * \retval      #PSA_SUCCESS                  The operation completed successfully
+ * \retval      #PSA_ERROR_DOES_NOT_EXIST     The operation failed because the provided key value was not found in the storage
+ * \retval      #PSA_ERROR_NOT_PERMITTED      The operation failed because the provided key value was created with PSA_STORAGE_WRITE_ONCE_FLAG
+ * \retval      #PSA_ERROR_STORAGE_FAILURE    The operation failed because the physical storage has failed (Fatal error)
+ */
+psa_status_t psa_its_remove(psa_storage_uid_t uid);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_ITS_H */
diff --git a/common/mbedtls/psa_crypto_random_impl.h b/common/mbedtls/psa_crypto_random_impl.h
new file mode 100644
index 000000000..985a1468b
--- /dev/null
+++ b/common/mbedtls/psa_crypto_random_impl.h
@@ -0,0 +1,201 @@
+/** \file psa_crypto_random_impl.h
+ *
+ * \brief PSA crypto random generator implementation abstraction.
+ *
+ * The definitions here need to be consistent with the declarations
+ * in include/mbedtls/psa_util.h. This file contains some redundant
+ * declarations to increase the chance that a compiler will detect
+ * inconsistencies if one file is changed without updating the other,
+ * but not all potential inconsistencies can be enforced, so make sure
+ * to check the public declarations and contracts in
+ * include/mbedtls/psa_util.h if you modify this file.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_RANDOM_IMPL_H
+#define PSA_CRYPTO_RANDOM_IMPL_H
+
+#include <mbedtls/psa_util.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+#include <string.h>
+#include <mbedtls/entropy.h> // only for error codes
+#include <psa/crypto.h>
+
+typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
+
+/* Trivial wrapper around psa_generate_random(). */
+int mbedtls_psa_get_random(void *p_rng,
+                           unsigned char *output,
+                           size_t output_size);
+
+/* The PSA RNG API doesn't need any externally maintained state. */
+#define MBEDTLS_PSA_RANDOM_STATE NULL
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+/* Choose a DRBG based on configuration and availability */
+#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+
+#include "mbedtls/hmac_drbg.h"
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_SHA256_C)
+#include <limits.h>
+#if SIZE_MAX > 0xffffffff
+/* Looks like a 64-bit system, so prefer SHA-512. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#else
+/* Looks like a 32-bit system, so prefer SHA-256. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#endif
+#elif defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#elif defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#else
+#error "No hash algorithm available for HMAC_DBRG."
+#endif
+
+#else
+#error "No DRBG module available for the psa_crypto module."
+#endif
+
+#include "mbedtls/entropy.h"
+
+/** Initialize the PSA DRBG.
+ *
+ * \param p_rng        Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_init(mbedtls_psa_drbg_context_t *p_rng) {
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_init(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_init(p_rng);
+#endif
+}
+
+/** Deinitialize the PSA DRBG.
+ *
+ * \param p_rng        Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_free(mbedtls_psa_drbg_context_t *p_rng) {
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_free(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_free(p_rng);
+#endif
+}
+
+/** The type of the PSA random generator context.
+ *
+ * The random generator context is composed of an entropy context and
+ * a DRBG context.
+ */
+typedef struct {
+    void (* entropy_init)(mbedtls_entropy_context *ctx);
+    void (* entropy_free)(mbedtls_entropy_context *ctx);
+    mbedtls_entropy_context entropy;
+    mbedtls_psa_drbg_context_t drbg;
+} mbedtls_psa_random_context_t;
+
+/* Defined in include/mbedtls/psa_util.h so that it's visible to
+ * application code. The declaration here is redundant, but included
+ * as a safety net to make it more likely that a future change that
+ * accidentally causes the implementation to diverge from the interface
+ * will be noticed. */
+/* Do not include the declaration under MSVC because it doesn't accept it
+ * ("error C2370: 'mbedtls_psa_get_random' : redefinition; different storage class").
+ * Observed with Visual Studio 2013. A known bug apparently:
+ * https://stackoverflow.com/questions/8146541/duplicate-external-static-declarations-not-allowed-in-visual-studio
+ */
+#if !defined(_MSC_VER)
+static mbedtls_f_rng_t *const mbedtls_psa_get_random;
+#endif
+
+/** The maximum number of bytes that mbedtls_psa_get_random() is expected to
+ * return.
+ */
+#if defined(MBEDTLS_CTR_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+
+/** A pointer to the PSA DRBG state.
+ *
+ * This variable is only intended to be used through the macro
+ * #MBEDTLS_PSA_RANDOM_STATE.
+ */
+/* psa_crypto.c sets this variable to a pointer to the DRBG state in the
+ * global PSA crypto state. */
+/* The type `mbedtls_psa_drbg_context_t` is defined in
+ * include/mbedtls/psa_util.h so that `mbedtls_psa_random_state` can be
+ * declared there and be visible to application code. */
+extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
+
+/** A pointer to the PSA DRBG state.
+ *
+ * This macro expands to an expression that is suitable as the \c p_rng
+ * parameter to pass to mbedtls_psa_get_random().
+ *
+ * This macro exists in all configurations where the psa_crypto module is
+ * enabled. Its expansion depends on the configuration.
+ */
+#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
+
+/** Seed the PSA DRBG.
+ *
+ * \param entropy       An entropy context to read the seed from.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *
+ * \return              \c 0 on success.
+ * \return              An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure.
+ */
+static inline int mbedtls_psa_drbg_seed(
+    mbedtls_entropy_context *entropy,
+    const unsigned char *custom, size_t len) {
+#if defined(MBEDTLS_CTR_DRBG_C)
+    return (mbedtls_ctr_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
+                                  mbedtls_entropy_func,
+                                  entropy,
+                                  custom, len));
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    const mbedtls_md_info_t *md_info =
+        mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
+    return (mbedtls_hmac_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
+                                   md_info,
+                                   mbedtls_entropy_func,
+                                   entropy,
+                                   custom, len));
+#endif
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#endif /* PSA_CRYPTO_RANDOM_IMPL_H */
diff --git a/common/mbedtls/psa_crypto_rsa.c b/common/mbedtls/psa_crypto_rsa.c
new file mode 100644
index 000000000..54c44b0ec
--- /dev/null
+++ b/common/mbedtls/psa_crypto_rsa.c
@@ -0,0 +1,668 @@
+/*
+ *  PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_random_impl.h"
+#include "psa_crypto_rsa.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#include <mbedtls/rsa.h>
+#include <mbedtls/error.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/pk_internal.h>
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
+        defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ) )
+#define BUILTIN_KEY_TYPE_RSA_KEY_PAIR    1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
+        defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) )
+#define BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY  1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
+        defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) &&  \
+        defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V15) ) )
+#define BUILTIN_ALG_RSA_PKCS1V15_SIGN  1
+#endif
+
+#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||  \
+      ( defined(PSA_CRYPTO_DRIVER_TEST) &&         \
+        defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) &&  \
+        defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) ) )
+#define BUILTIN_ALG_RSA_PSS 1
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
+    defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(BUILTIN_ALG_RSA_PSS) || \
+    defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+
+/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
+ * that are not a multiple of 8) well. For example, there is only
+ * mbedtls_rsa_get_len(), which returns a number of bytes, and no
+ * way to return the exact bit size of a key.
+ * To keep things simple, reject non-byte-aligned key sizes. */
+static psa_status_t psa_check_rsa_key_byte_aligned(
+    const mbedtls_rsa_context *rsa) {
+    mbedtls_mpi n;
+    psa_status_t status;
+    mbedtls_mpi_init(&n);
+    status = mbedtls_to_psa_error(
+                 mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, NULL));
+    if (status == PSA_SUCCESS) {
+        if (mbedtls_mpi_bitlen(&n) % 8 != 0)
+            status = PSA_ERROR_NOT_SUPPORTED;
+    }
+    mbedtls_mpi_free(&n);
+    return (status);
+}
+
+psa_status_t mbedtls_psa_rsa_load_representation(
+    psa_key_type_t type, const uint8_t *data, size_t data_length,
+    mbedtls_rsa_context **p_rsa) {
+    psa_status_t status;
+    mbedtls_pk_context ctx;
+    size_t bits;
+    mbedtls_pk_init(&ctx);
+
+    /* Parse the data. */
+    if (PSA_KEY_TYPE_IS_KEY_PAIR(type))
+        status = mbedtls_to_psa_error(
+                     mbedtls_pk_parse_key(&ctx, data, data_length, NULL, 0));
+    else
+        status = mbedtls_to_psa_error(
+                     mbedtls_pk_parse_public_key(&ctx, data, data_length));
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* We have something that the pkparse module recognizes. If it is a
+     * valid RSA key, store it. */
+    if (mbedtls_pk_get_type(&ctx) != MBEDTLS_PK_RSA) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
+     * supports non-byte-aligned key sizes, but not well. For example,
+     * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
+    bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(mbedtls_pk_rsa(ctx)));
+    if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
+        status = PSA_ERROR_NOT_SUPPORTED;
+        goto exit;
+    }
+    status = psa_check_rsa_key_byte_aligned(mbedtls_pk_rsa(ctx));
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    /* Copy out the pointer to the RSA context, and reset the PK context
+     * such that pk_free doesn't free the RSA context we just grabbed. */
+    *p_rsa = mbedtls_pk_rsa(ctx);
+    ctx.pk_info = NULL;
+
+exit:
+    mbedtls_pk_free(&ctx);
+    return (status);
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
+        * defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(BUILTIN_ALG_RSA_PSS) ||
+        * defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+
+static psa_status_t rsa_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    psa_status_t status;
+    mbedtls_rsa_context *rsa = NULL;
+
+    /* Parse input */
+    status = mbedtls_psa_rsa_load_representation(attributes->core.type,
+                                                 data,
+                                                 data_length,
+                                                 &rsa);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(rsa));
+
+    /* Re-export the data to PSA export format, such that we can store export
+     * representation in the key slot. Export representation in case of RSA is
+     * the smallest representation that's allowed as input, so a straight-up
+     * allocation of the same size as the input buffer will be large enough. */
+    status = mbedtls_psa_rsa_export_key(attributes->core.type,
+                                        rsa,
+                                        key_buffer,
+                                        key_buffer_size,
+                                        key_buffer_length);
+exit:
+    /* Always free the RSA object */
+    mbedtls_rsa_free(rsa);
+    mbedtls_free(rsa);
+
+    return (status);
+}
+
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+                                        mbedtls_rsa_context *rsa,
+                                        uint8_t *data,
+                                        size_t data_size,
+                                        size_t *data_length) {
+#if defined(MBEDTLS_PK_WRITE_C)
+    int ret;
+    mbedtls_pk_context pk;
+    uint8_t *pos = data + data_size;
+
+    mbedtls_pk_init(&pk);
+    pk.pk_info = &mbedtls_rsa_info;
+    pk.pk_ctx = rsa;
+
+    /* PSA Crypto API defines the format of an RSA key as a DER-encoded
+     * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
+     * private key and of the RFC3279 RSAPublicKey for a public key. */
+    if (PSA_KEY_TYPE_IS_KEY_PAIR(type))
+        ret = mbedtls_pk_write_key_der(&pk, data, data_size);
+    else
+        ret = mbedtls_pk_write_pubkey(&pos, data, &pk);
+
+    if (ret < 0) {
+        /* Clean up in case pk_write failed halfway through. */
+        memset(data, 0, data_size);
+        return (mbedtls_to_psa_error(ret));
+    }
+
+    /* The mbedtls_pk_xxx functions write to the end of the buffer.
+     * Move the data to the beginning and erase remaining data
+     * at the original location. */
+    if (2 * (size_t) ret <= data_size) {
+        memcpy(data, data + data_size - ret, ret);
+        memset(data + data_size - ret, 0, ret);
+    } else if ((size_t) ret < data_size) {
+        memmove(data, data + data_size - ret, ret);
+        memset(data + ret, 0, data_size - ret);
+    }
+
+    *data_length = ret;
+    return (PSA_SUCCESS);
+#else
+    (void) type;
+    (void) rsa;
+    (void) data;
+    (void) data_size;
+    (void) data_length;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* MBEDTLS_PK_WRITE_C */
+}
+
+static psa_status_t rsa_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_rsa_context *rsa = NULL;
+
+    status = mbedtls_psa_rsa_load_representation(
+                 attributes->core.type, key_buffer, key_buffer_size, &rsa);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+                                        rsa,
+                                        data,
+                                        data_size,
+                                        data_length);
+
+    mbedtls_rsa_free(rsa);
+    mbedtls_free(rsa);
+
+    return (status);
+}
+#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters,
+                                          size_t domain_parameters_size,
+                                          int *exponent) {
+    size_t i;
+    uint32_t acc = 0;
+
+    if (domain_parameters_size == 0) {
+        *exponent = 65537;
+        return (PSA_SUCCESS);
+    }
+
+    /* Mbed TLS encodes the public exponent as an int. For simplicity, only
+     * support values that fit in a 32-bit integer, which is larger than
+     * int on just about every platform anyway. */
+    if (domain_parameters_size > sizeof(acc))
+        return (PSA_ERROR_NOT_SUPPORTED);
+    for (i = 0; i < domain_parameters_size; i++)
+        acc = (acc << 8) | domain_parameters[i];
+    if (acc > INT_MAX)
+        return (PSA_ERROR_NOT_SUPPORTED);
+    *exponent = acc;
+    return (PSA_SUCCESS);
+}
+
+static psa_status_t rsa_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    psa_status_t status;
+    mbedtls_rsa_context rsa;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int exponent;
+
+    status = psa_rsa_read_exponent(attributes->domain_parameters,
+                                   attributes->domain_parameters_size,
+                                   &exponent);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE);
+    ret = mbedtls_rsa_gen_key(&rsa,
+                              mbedtls_psa_get_random,
+                              MBEDTLS_PSA_RANDOM_STATE,
+                              (unsigned int)attributes->core.bits,
+                              exponent);
+    if (ret != 0)
+        return (mbedtls_to_psa_error(ret));
+
+    status = mbedtls_psa_rsa_export_key(attributes->core.type,
+                                        &rsa, key_buffer, key_buffer_size,
+                                        key_buffer_length);
+    mbedtls_rsa_free(&rsa);
+
+    return (status);
+}
+#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+
+/****************************************************************/
+/* Sign/verify hashes */
+/****************************************************************/
+
+#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(BUILTIN_ALG_RSA_PSS)
+
+/* Decode the hash algorithm from alg and store the mbedtls encoding in
+ * md_alg. Verify that the hash length is acceptable. */
+static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
+                                           size_t hash_length,
+                                           mbedtls_md_type_t *md_alg) {
+    psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa(hash_alg);
+    *md_alg = mbedtls_md_get_type(md_info);
+
+    /* The Mbed TLS RSA module uses an unsigned int for hash length
+     * parameters. Validate that it fits so that we don't risk an
+     * overflow later. */
+#if SIZE_MAX > UINT_MAX
+    if (hash_length > UINT_MAX)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+#endif
+
+#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+    /* For PKCS#1 v1.5 signature, if using a hash, the hash length
+     * must be correct. */
+    if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) &&
+            alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW) {
+        if (md_info == NULL)
+            return (PSA_ERROR_NOT_SUPPORTED);
+        if (mbedtls_md_get_size(md_info) != hash_length)
+            return (PSA_ERROR_INVALID_ARGUMENT);
+    }
+#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+
+#if defined(BUILTIN_ALG_RSA_PSS)
+    /* PSS requires a hash internally. */
+    if (PSA_ALG_IS_RSA_PSS(alg)) {
+        if (md_info == NULL)
+            return (PSA_ERROR_NOT_SUPPORTED);
+    }
+#endif /* BUILTIN_ALG_RSA_PSS */
+
+    return (PSA_SUCCESS);
+}
+
+static psa_status_t rsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_rsa_context *rsa = NULL;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_md_type_t md_alg;
+
+    status = mbedtls_psa_rsa_load_representation(attributes->core.type,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &rsa);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    if (signature_size < mbedtls_rsa_get_len(rsa)) {
+        status = PSA_ERROR_BUFFER_TOO_SMALL;
+        goto exit;
+    }
+
+#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+    if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+        mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+                                MBEDTLS_MD_NONE);
+        ret = mbedtls_rsa_pkcs1_sign(rsa,
+                                     mbedtls_psa_get_random,
+                                     MBEDTLS_PSA_RANDOM_STATE,
+                                     MBEDTLS_RSA_PRIVATE,
+                                     md_alg,
+                                     (unsigned int) hash_length,
+                                     hash,
+                                     signature);
+    } else
+#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(BUILTIN_ALG_RSA_PSS)
+        if (PSA_ALG_IS_RSA_PSS(alg)) {
+            mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+            ret = mbedtls_rsa_rsassa_pss_sign(rsa,
+                                              mbedtls_psa_get_random,
+                                              MBEDTLS_PSA_RANDOM_STATE,
+                                              MBEDTLS_RSA_PRIVATE,
+                                              MBEDTLS_MD_NONE,
+                                              (unsigned int) hash_length,
+                                              hash,
+                                              signature);
+        } else
+#endif /* BUILTIN_ALG_RSA_PSS */
+        {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            goto exit;
+        }
+
+    if (ret == 0)
+        *signature_length = mbedtls_rsa_get_len(rsa);
+    status = mbedtls_to_psa_error(ret);
+
+exit:
+    mbedtls_rsa_free(rsa);
+    mbedtls_free(rsa);
+
+    return (status);
+}
+
+static psa_status_t rsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    mbedtls_rsa_context *rsa = NULL;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_md_type_t md_alg;
+
+    status = mbedtls_psa_rsa_load_representation(attributes->core.type,
+                                                 key_buffer,
+                                                 key_buffer_size,
+                                                 &rsa);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    if (signature_length != mbedtls_rsa_get_len(rsa)) {
+        status = PSA_ERROR_INVALID_SIGNATURE;
+        goto exit;
+    }
+
+#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+    if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+        mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+                                MBEDTLS_MD_NONE);
+        ret = mbedtls_rsa_pkcs1_verify(rsa,
+                                       mbedtls_psa_get_random,
+                                       MBEDTLS_PSA_RANDOM_STATE,
+                                       MBEDTLS_RSA_PUBLIC,
+                                       md_alg,
+                                       (unsigned int) hash_length,
+                                       hash,
+                                       signature);
+    } else
+#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(BUILTIN_ALG_RSA_PSS)
+        if (PSA_ALG_IS_RSA_PSS(alg)) {
+            mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+            ret = mbedtls_rsa_rsassa_pss_verify(rsa,
+                                                mbedtls_psa_get_random,
+                                                MBEDTLS_PSA_RANDOM_STATE,
+                                                MBEDTLS_RSA_PUBLIC,
+                                                MBEDTLS_MD_NONE,
+                                                (unsigned int) hash_length,
+                                                hash,
+                                                signature);
+        } else
+#endif /* BUILTIN_ALG_RSA_PSS */
+        {
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            goto exit;
+        }
+
+    /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+     * the rest of the signature is invalid". This has little use in
+     * practice and PSA doesn't report this distinction. */
+    status = (ret == MBEDTLS_ERR_RSA_INVALID_PADDING) ?
+             PSA_ERROR_INVALID_SIGNATURE :
+             mbedtls_to_psa_error(ret);
+
+exit:
+    mbedtls_rsa_free(rsa);
+    mbedtls_free(rsa);
+
+    return (status);
+}
+
+#endif /* defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(BUILTIN_ALG_RSA_PSS) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+
+psa_status_t mbedtls_psa_rsa_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    return (rsa_import_key(attributes, data, data_length,
+                           key_buffer, key_buffer_size,
+                           key_buffer_length, bits));
+}
+
+psa_status_t mbedtls_psa_rsa_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    return (rsa_export_public_key(attributes, key_buffer, key_buffer_size,
+                                  data, data_size, data_length));
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
+        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
+psa_status_t mbedtls_psa_rsa_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    return (rsa_generate_key(attributes, key_buffer, key_buffer_size,
+                             key_buffer_length));
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+psa_status_t mbedtls_psa_rsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+    return (rsa_sign_hash(
+                attributes,
+                key_buffer, key_buffer_size,
+                alg, hash, hash_length,
+                signature, signature_size, signature_length));
+}
+
+psa_status_t mbedtls_psa_rsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+    return (rsa_verify_hash(
+                attributes,
+                key_buffer, key_buffer_size,
+                alg, hash, hash_length,
+                signature, signature_length));
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+
+/*
+ * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
+ */
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
+
+psa_status_t mbedtls_transparent_test_driver_rsa_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits) {
+    return (rsa_import_key(attributes, data, data_length,
+                           key_buffer, key_buffer_size,
+                           key_buffer_length, bits));
+}
+
+psa_status_t mbedtls_transparent_test_driver_rsa_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length) {
+    return (rsa_export_public_key(attributes, key_buffer, key_buffer_size,
+                                  data, data_size, data_length));
+}
+
+#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ||
+          defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
+psa_status_t mbedtls_transparent_test_driver_rsa_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) {
+    return (rsa_generate_key(attributes, key_buffer, key_buffer_size,
+                             key_buffer_length));
+}
+#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) */
+
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \
+    defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
+psa_status_t mbedtls_transparent_test_driver_rsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length) {
+#if defined(MBEDTLS_RSA_C) && \
+    (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
+    return (rsa_sign_hash(
+                attributes,
+                key_buffer, key_buffer_size,
+                alg, hash, hash_length,
+                signature, signature_size, signature_length));
+#else
+    (void)attributes;
+    (void)key_buffer;
+    (void)key_buffer_size;
+    (void)alg;
+    (void)hash;
+    (void)hash_length;
+    (void)signature;
+    (void)signature_size;
+    (void)signature_length;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif
+}
+
+psa_status_t mbedtls_transparent_test_driver_rsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length) {
+#if defined(MBEDTLS_RSA_C) && \
+    (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
+    return (rsa_verify_hash(
+                attributes,
+                key_buffer, key_buffer_size,
+                alg, hash, hash_length,
+                signature, signature_length));
+#else
+    (void)attributes;
+    (void)key_buffer;
+    (void)key_buffer_size;
+    (void)alg;
+    (void)hash;
+    (void)hash_length;
+    (void)signature;
+    (void)signature_length;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif
+}
+#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) ||
+        * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/common/mbedtls/psa_crypto_rsa.h b/common/mbedtls/psa_crypto_rsa.h
new file mode 100644
index 000000000..407b29700
--- /dev/null
+++ b/common/mbedtls/psa_crypto_rsa.h
@@ -0,0 +1,250 @@
+/*
+ *  PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_RSA_H
+#define PSA_CRYPTO_RSA_H
+
+#include <psa/crypto.h>
+#include <mbedtls/rsa.h>
+
+/** Load the contents of a key buffer into an internal RSA representation
+ *
+ * \param[in] type          The type of key contained in \p data.
+ * \param[in] data          The buffer from which to load the representation.
+ * \param[in] data_length   The size in bytes of \p data.
+ * \param[out] p_rsa        Returns a pointer to an RSA context on success.
+ *                          The caller is responsible for freeing both the
+ *                          contents of the context and the context itself
+ *                          when done.
+ */
+psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type,
+                                                 const uint8_t *data,
+                                                 size_t data_length,
+                                                 mbedtls_rsa_context **p_rsa);
+
+/** Import an RSA key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       import_key entry point. This function behaves as an import_key
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes for the key to import.
+ * \param[in]  data             The buffer containing the key data in import
+ *                              format.
+ * \param[in]  data_length      Size of the \p data buffer in bytes.
+ * \param[out] key_buffer       The buffer containing the key data in output
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes. This
+ *                              size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length  The length of the data written in \p
+ *                                key_buffer in bytes.
+ * \param[out] bits             The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS  The RSA key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_rsa_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+/** Export an RSA key to export representation
+ *
+ * \param[in] type          The type of key (public/private) to export
+ * \param[in] rsa           The internal RSA representation from which to export
+ * \param[out] data         The buffer to export to
+ * \param[in] data_size     The length of the buffer to export to
+ * \param[out] data_length  The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+                                        mbedtls_rsa_context *rsa,
+                                        uint8_t *data,
+                                        size_t data_size,
+                                        size_t *data_length);
+
+/** Export a public RSA key or the public part of an RSA key pair in binary
+ *  format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       export_public_key entry point. This function behaves as an
+ *       export_public_key entry point as defined in the PSA driver interface
+ *       specification.
+ *
+ * \param[in]  attributes       The attributes for the key to export.
+ * \param[in]  key_buffer       Material or context of the key to export.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[out] data             Buffer where the key data is to be written.
+ * \param[in]  data_size        Size of the \p data buffer in bytes.
+ * \param[out] data_length      On success, the number of bytes written in
+ *                              \p data.
+ *
+ * \retval #PSA_SUCCESS  The RSA public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_rsa_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an RSA key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ *       entry point.
+ *
+ * \param[in]  attributes         The attributes for the RSA key to generate.
+ * \param[out] key_buffer         Buffer where the key data is to be written.
+ * \param[in]  key_buffer_size    Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length  On success, the number of bytes written in
+ *                                \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_rsa_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with an RSA private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       sign_hash entry point. This function behaves as a sign_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the RSA key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the RSA key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              an RSA key.
+ * \param[in]  hash             The hash or message to sign.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[out] signature        Buffer where the signature is to be written.
+ * \param[in]  signature_size   Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ *                              that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         The size of the \p signature buffer is too small. You can
+ *         determine a sufficient buffer size by calling
+ *         #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
+ *         \p alg) where \c key_bits is the bit-size of the RSA key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ */
+psa_status_t mbedtls_psa_rsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public RSA key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       verify_hash entry point. This function behaves as a verify_hash
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes       The attributes of the RSA key to use for the
+ *                              operation.
+ * \param[in]  key_buffer       The buffer containing the RSA key context.
+ *                              format.
+ * \param[in]  key_buffer_size  Size of the \p key_buffer buffer in bytes.
+ * \param[in]  alg              A signature algorithm that is compatible with
+ *                              an RSA key.
+ * \param[in]  hash             The hash or message whose signature is to be
+ *                              verified.
+ * \param[in]  hash_length      Size of the \p hash buffer in bytes.
+ * \param[in]  signature        Buffer containing the signature to verify.
+ * \param[in]  signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ *         The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ *         The calculation was performed successfully, but the passed
+ *         signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_rsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+/*
+ * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
+ */
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+psa_status_t mbedtls_transparent_test_driver_rsa_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data, size_t data_length,
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits);
+
+psa_status_t mbedtls_transparent_test_driver_rsa_export_public_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t mbedtls_transparent_test_driver_rsa_generate_key(
+    const psa_key_attributes_t *attributes,
+    uint8_t *key, size_t key_size, size_t *key_length);
+
+psa_status_t mbedtls_transparent_test_driver_rsa_sign_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+psa_status_t mbedtls_transparent_test_driver_rsa_verify_hash(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *key_buffer, size_t key_buffer_size,
+    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+    const uint8_t *signature, size_t signature_length);
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+#endif /* PSA_CRYPTO_RSA_H */
diff --git a/common/mbedtls/psa_crypto_se.c b/common/mbedtls/psa_crypto_se.c
new file mode 100644
index 000000000..61075697d
--- /dev/null
+++ b/common/mbedtls/psa_crypto_se.c
@@ -0,0 +1,355 @@
+/*
+ *  PSA crypto support for secure element drivers
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+
+#include <assert.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "psa/crypto_se_driver.h"
+
+#include "psa_crypto_se.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+
+
+/****************************************************************/
+/* Driver lookup */
+/****************************************************************/
+
+/* This structure is identical to psa_drv_se_context_t declared in
+ * `crypto_se_driver.h`, except that some parts are writable here
+ * (non-const, or pointer to non-const). */
+typedef struct {
+    void *persistent_data;
+    size_t persistent_data_size;
+    uintptr_t transient_data;
+} psa_drv_se_internal_context_t;
+
+struct psa_se_drv_table_entry_s {
+    psa_key_location_t location;
+    const psa_drv_se_t *methods;
+    union {
+        psa_drv_se_internal_context_t internal;
+        psa_drv_se_context_t context;
+    } u;
+};
+
+static psa_se_drv_table_entry_t driver_table[PSA_MAX_SE_DRIVERS];
+
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+    psa_key_lifetime_t lifetime) {
+    size_t i;
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
+    /* In the driver table, location=0 means an entry that isn't used.
+     * No driver has a location of 0 because it's a reserved value
+     * (which designates transparent keys). Make sure we never return
+     * a driver entry for location 0. */
+    if (location == 0)
+        return (NULL);
+    for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+        if (driver_table[i].location == location)
+            return (&driver_table[i]);
+    }
+    return (NULL);
+}
+
+const psa_drv_se_t *psa_get_se_driver_methods(
+    const psa_se_drv_table_entry_t *driver) {
+    return (driver->methods);
+}
+
+psa_drv_se_context_t *psa_get_se_driver_context(
+    psa_se_drv_table_entry_t *driver) {
+    return (&driver->u.context);
+}
+
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+                      const psa_drv_se_t **p_methods,
+                      psa_drv_se_context_t **p_drv_context) {
+    psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+    if (p_methods != NULL)
+        *p_methods = (driver ? driver->methods : NULL);
+    if (p_drv_context != NULL)
+        *p_drv_context = (driver ? &driver->u.context : NULL);
+    return (driver != NULL);
+}
+
+
+
+/****************************************************************/
+/* Persistent data management */
+/****************************************************************/
+
+static psa_status_t psa_get_se_driver_its_file_uid(
+    const psa_se_drv_table_entry_t *driver,
+    psa_storage_uid_t *uid) {
+    if (driver->location > PSA_MAX_SE_LOCATION)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+#if SIZE_MAX > UINT32_MAX
+    /* ITS file sizes are limited to 32 bits. */
+    if (driver->u.internal.persistent_data_size > UINT32_MAX)
+        return (PSA_ERROR_NOT_SUPPORTED);
+#endif
+
+    /* See the documentation of PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE. */
+    *uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + driver->location;
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_load_se_persistent_data(
+    const psa_se_drv_table_entry_t *driver) {
+    psa_status_t status;
+    psa_storage_uid_t uid;
+    size_t length;
+
+    status = psa_get_se_driver_its_file_uid(driver, &uid);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    /* Read the amount of persistent data that the driver requests.
+     * If the data in storage is larger, it is truncated. If the data
+     * in storage is smaller, silently keep what is already at the end
+     * of the output buffer. */
+    /* psa_get_se_driver_its_file_uid ensures that the size_t
+     * persistent_data_size is in range, but compilers don't know that,
+     * so cast to reassure them. */
+    return (psa_its_get(uid, 0,
+                        (uint32_t) driver->u.internal.persistent_data_size,
+                        driver->u.internal.persistent_data,
+                        &length));
+}
+
+psa_status_t psa_save_se_persistent_data(
+    const psa_se_drv_table_entry_t *driver) {
+    psa_status_t status;
+    psa_storage_uid_t uid;
+
+    status = psa_get_se_driver_its_file_uid(driver, &uid);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    /* psa_get_se_driver_its_file_uid ensures that the size_t
+     * persistent_data_size is in range, but compilers don't know that,
+     * so cast to reassure them. */
+    return (psa_its_set(uid,
+                        (uint32_t) driver->u.internal.persistent_data_size,
+                        driver->u.internal.persistent_data,
+                        0));
+}
+
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location) {
+    psa_storage_uid_t uid;
+    if (location > PSA_MAX_SE_LOCATION)
+        return (PSA_ERROR_NOT_SUPPORTED);
+    uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + location;
+    return (psa_its_remove(uid));
+}
+
+psa_status_t psa_find_se_slot_for_key(
+    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
+    psa_se_drv_table_entry_t *driver,
+    psa_key_slot_number_t *slot_number) {
+    psa_status_t status;
+    psa_key_location_t key_location =
+        PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+
+    /* If the location is wrong, it's a bug in the library. */
+    if (driver->location != key_location)
+        return (PSA_ERROR_CORRUPTION_DETECTED);
+
+    /* If the driver doesn't support key creation in any way, give up now. */
+    if (driver->methods->key_management == NULL)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    if (psa_get_key_slot_number(attributes, slot_number) == PSA_SUCCESS) {
+        /* The application wants to use a specific slot. Allow it if
+         * the driver supports it. On a system with isolation,
+         * the crypto service must check that the application is
+         * permitted to request this slot. */
+        psa_drv_se_validate_slot_number_t p_validate_slot_number =
+            driver->methods->key_management->p_validate_slot_number;
+        if (p_validate_slot_number == NULL)
+            return (PSA_ERROR_NOT_SUPPORTED);
+        status = p_validate_slot_number(&driver->u.context,
+                                        driver->u.internal.persistent_data,
+                                        attributes, method,
+                                        *slot_number);
+    } else if (method == PSA_KEY_CREATION_REGISTER) {
+        /* The application didn't specify a slot number. This doesn't
+         * make sense when registering a slot. */
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    } else {
+        /* The application didn't tell us which slot to use. Let the driver
+         * choose. This is the normal case. */
+        psa_drv_se_allocate_key_t p_allocate =
+            driver->methods->key_management->p_allocate;
+        if (p_allocate == NULL)
+            return (PSA_ERROR_NOT_SUPPORTED);
+        status = p_allocate(&driver->u.context,
+                            driver->u.internal.persistent_data,
+                            attributes, method,
+                            slot_number);
+    }
+    return (status);
+}
+
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+                                psa_key_slot_number_t slot_number) {
+    psa_status_t status;
+    psa_status_t storage_status;
+    /* Normally a missing method would mean that the action is not
+     * supported. But psa_destroy_key() is not supposed to return
+     * PSA_ERROR_NOT_SUPPORTED: if you can create a key, you should
+     * be able to destroy it. The only use case for a driver that
+     * does not have a way to destroy keys at all is if the keys are
+     * locked in a read-only state: we can use the keys but not
+     * destroy them. Hence, if the driver doesn't support destroying
+     * keys, it's really a lack of permission. */
+    if (driver->methods->key_management == NULL ||
+            driver->methods->key_management->p_destroy == NULL)
+        return (PSA_ERROR_NOT_PERMITTED);
+    status = driver->methods->key_management->p_destroy(
+                 &driver->u.context,
+                 driver->u.internal.persistent_data,
+                 slot_number);
+    storage_status = psa_save_se_persistent_data(driver);
+    return (status == PSA_SUCCESS ? storage_status : status);
+}
+
+psa_status_t psa_init_all_se_drivers(void) {
+    size_t i;
+    for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+        psa_se_drv_table_entry_t *driver = &driver_table[i];
+        if (driver->location == 0)
+            continue; /* skipping unused entry */
+        const psa_drv_se_t *methods = psa_get_se_driver_methods(driver);
+        if (methods->p_init != NULL) {
+            psa_status_t status = methods->p_init(
+                                      &driver->u.context,
+                                      driver->u.internal.persistent_data,
+                                      driver->location);
+            if (status != PSA_SUCCESS)
+                return (status);
+            status = psa_save_se_persistent_data(driver);
+            if (status != PSA_SUCCESS)
+                return (status);
+        }
+    }
+    return (PSA_SUCCESS);
+}
+
+
+
+/****************************************************************/
+/* Driver registration */
+/****************************************************************/
+
+psa_status_t psa_register_se_driver(
+    psa_key_location_t location,
+    const psa_drv_se_t *methods) {
+    size_t i;
+    psa_status_t status;
+
+    if (methods->hal_version != PSA_DRV_SE_HAL_VERSION)
+        return (PSA_ERROR_NOT_SUPPORTED);
+    /* Driver table entries are 0-initialized. 0 is not a valid driver
+     * location because it means a transparent key. */
+#if defined(static_assert)
+    static_assert(PSA_KEY_LOCATION_LOCAL_STORAGE == 0,
+                  "Secure element support requires 0 to mean a local key");
+#endif
+    if (location == PSA_KEY_LOCATION_LOCAL_STORAGE)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+    if (location > PSA_MAX_SE_LOCATION)
+        return (PSA_ERROR_NOT_SUPPORTED);
+
+    for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+        if (driver_table[i].location == 0)
+            break;
+        /* Check that location isn't already in use up to the first free
+         * entry. Since entries are created in order and never deleted,
+         * there can't be a used entry after the first free entry. */
+        if (driver_table[i].location == location)
+            return (PSA_ERROR_ALREADY_EXISTS);
+    }
+    if (i == PSA_MAX_SE_DRIVERS)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+    driver_table[i].location = location;
+    driver_table[i].methods = methods;
+    driver_table[i].u.internal.persistent_data_size =
+        methods->persistent_data_size;
+
+    if (methods->persistent_data_size != 0) {
+        driver_table[i].u.internal.persistent_data =
+            mbedtls_calloc(1, methods->persistent_data_size);
+        if (driver_table[i].u.internal.persistent_data == NULL) {
+            status = PSA_ERROR_INSUFFICIENT_MEMORY;
+            goto error;
+        }
+        /* Load the driver's persistent data. On first use, the persistent
+         * data does not exist in storage, and is initialized to
+         * all-bits-zero by the calloc call just above. */
+        status = psa_load_se_persistent_data(&driver_table[i]);
+        if (status != PSA_SUCCESS && status != PSA_ERROR_DOES_NOT_EXIST)
+            goto error;
+    }
+
+    return (PSA_SUCCESS);
+
+error:
+    memset(&driver_table[i], 0, sizeof(driver_table[i]));
+    return (status);
+}
+
+void psa_unregister_all_se_drivers(void) {
+    size_t i;
+    for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+        if (driver_table[i].u.internal.persistent_data != NULL)
+            mbedtls_free(driver_table[i].u.internal.persistent_data);
+    }
+    memset(driver_table, 0, sizeof(driver_table));
+}
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
diff --git a/common/mbedtls/psa_crypto_se.h b/common/mbedtls/psa_crypto_se.h
new file mode 100644
index 000000000..edf8989fe
--- /dev/null
+++ b/common/mbedtls/psa_crypto_se.h
@@ -0,0 +1,201 @@
+/*
+ *  PSA crypto support for secure element drivers
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_SE_H
+#define PSA_CRYPTO_SE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+/** The maximum location value that this implementation supports
+ * for a secure element.
+ *
+ * This is not a characteristic that each PSA implementation has, but a
+ * limitation of the current implementation due to the constraints imposed
+ * by storage. See #PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE.
+ *
+ * The minimum location value for a secure element is 1, like on any
+ * PSA implementation (0 means a transparent key).
+ */
+#define PSA_MAX_SE_LOCATION 255
+
+/** The base of the range of ITS file identifiers for secure element
+ * driver persistent data.
+ *
+ * We use a slice of the implementation reserved range 0xffff0000..0xffffffff,
+ * specifically the range 0xfffffe00..0xfffffeff. The length of this range
+ * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is
+ * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE
+ * which doesn't have a driver.
+ */
+#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ( (psa_key_id_t) 0xfffffe00 )
+
+/** The maximum number of registered secure element driver locations. */
+#define PSA_MAX_SE_DRIVERS 4
+
+/** Unregister all secure element drivers.
+ *
+ * \warning Do not call this function while the library is in the initialized
+ *          state. This function is only intended to be called at the end
+ *          of mbedtls_psa_crypto_free().
+ */
+void psa_unregister_all_se_drivers(void);
+
+/** Initialize all secure element drivers.
+ *
+ * Called from psa_crypto_init().
+ */
+psa_status_t psa_init_all_se_drivers(void);
+
+/** A structure that describes a registered secure element driver.
+ *
+ * A secure element driver table entry contains a pointer to the
+ * driver's method table as well as the driver context structure.
+ */
+typedef struct psa_se_drv_table_entry_s psa_se_drv_table_entry_t;
+
+/** Return the secure element driver information for a lifetime value.
+ *
+ * \param lifetime              The lifetime value to query.
+ * \param[out] p_methods        On output, if there is a driver,
+ *                              \c *methods points to its method table.
+ *                              Otherwise \c *methods is \c NULL.
+ * \param[out] p_drv_context    On output, if there is a driver,
+ *                              \c *drv_context points to its context
+ *                              structure.
+ *                              Otherwise \c *drv_context is \c NULL.
+ *
+ * \retval 1
+ *         \p lifetime corresponds to a registered driver.
+ * \retval 0
+ *         \p lifetime does not correspond to a registered driver.
+ */
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+                      const psa_drv_se_t **p_methods,
+                      psa_drv_se_context_t **p_drv_context);
+
+/** Return the secure element driver table entry for a lifetime value.
+ *
+ * \param lifetime      The lifetime value to query.
+ *
+ * \return The driver table entry for \p lifetime, or
+ *         \p NULL if \p lifetime does not correspond to a registered driver.
+ */
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+    psa_key_lifetime_t lifetime);
+
+/** Return the method table for a secure element driver.
+ *
+ * \param[in] driver    The driver table entry to access, or \c NULL.
+ *
+ * \return The driver's method table.
+ *         \c NULL if \p driver is \c NULL.
+ */
+const psa_drv_se_t *psa_get_se_driver_methods(
+    const psa_se_drv_table_entry_t *driver);
+
+/** Return the context of a secure element driver.
+ *
+ * \param[in] driver    The driver table entry to access, or \c NULL.
+ *
+ * \return A pointer to the driver context.
+ *         \c NULL if \p driver is \c NULL.
+ */
+psa_drv_se_context_t *psa_get_se_driver_context(
+    psa_se_drv_table_entry_t *driver);
+
+/** Find a free slot for a key that is to be created.
+ *
+ * This function calls the relevant method in the driver to find a suitable
+ * slot for a key with the given attributes.
+ *
+ * \param[in] attributes    Metadata about the key that is about to be created.
+ * \param[in] driver        The driver table entry to query.
+ * \param[out] slot_number  On success, a slot number that is free in this
+ *                          secure element.
+ */
+psa_status_t psa_find_se_slot_for_key(
+    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
+    psa_se_drv_table_entry_t *driver,
+    psa_key_slot_number_t *slot_number);
+
+/** Destoy a key in a secure element.
+ *
+ * This function calls the relevant driver method to destroy a key
+ * and updates the driver's persistent data.
+ */
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+                                psa_key_slot_number_t slot_number);
+
+/** Load the persistent data of a secure element driver.
+ *
+ * \param driver        The driver table entry containing the persistent
+ *                      data to load from storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_DOES_NOT_EXIST
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_DATA_CORRUPT
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_load_se_persistent_data(
+    const psa_se_drv_table_entry_t *driver);
+
+/** Save the persistent data of a secure element driver.
+ *
+ * \param[in] driver    The driver table entry containing the persistent
+ *                      data to save to storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_NOT_PERMITTED
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_save_se_persistent_data(
+    const psa_se_drv_table_entry_t *driver);
+
+/** Destroy the persistent data of a secure element driver.
+ *
+ * This is currently only used for testing.
+ *
+ * \param[in] location  The location identifier for the driver whose
+ *                      persistent data is to be erased.
+ */
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location);
+
+
+/** The storage representation of a key whose data is in a secure element.
+ */
+typedef struct {
+    uint8_t slot_number[sizeof(psa_key_slot_number_t)];
+} psa_se_key_data_storage_t;
+
+#endif /* PSA_CRYPTO_SE_H */
diff --git a/common/mbedtls/psa_crypto_service_integration.h b/common/mbedtls/psa_crypto_service_integration.h
new file mode 100644
index 000000000..87889af49
--- /dev/null
+++ b/common/mbedtls/psa_crypto_service_integration.h
@@ -0,0 +1,39 @@
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_SERVICE_INTEGRATION_H
+#define PSA_CRYPTO_SERVICE_INTEGRATION_H
+
+/*
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM
+ * (Secure Partition Manager) integration which separates the code into two
+ * parts: NSPE (Non-Secure Processing Environment) and SPE (Secure Processing
+ * Environment). When building for the SPE, an additional header file should be
+ * included.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_SPM)
+/*
+ * PSA_CRYPTO_SECURE means that the file which included this file is being
+ * compiled for SPE. The files crypto_structs.h and crypto_types.h have
+ * different implementations for NSPE and SPE and are compiled according to this
+ * flag.
+ */
+#define PSA_CRYPTO_SECURE 1
+#include "crypto_spe.h"
+#endif // MBEDTLS_PSA_CRYPTO_SPM
+
+#endif // PSA_CRYPTO_SERVICE_INTEGRATION_H
diff --git a/common/mbedtls/psa_crypto_slot_management.c b/common/mbedtls/psa_crypto_slot_management.c
new file mode 100644
index 000000000..ed7da73d4
--- /dev/null
+++ b/common/mbedtls/psa_crypto_slot_management.c
@@ -0,0 +1,445 @@
+/*
+ *  PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa_crypto_service_integration.h"
+#include "psa/crypto.h"
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_slot_management.h"
+#include "psa_crypto_storage.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
+
+typedef struct {
+    psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
+    unsigned key_slots_initialized : 1;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+psa_status_t psa_validate_key_id(
+    mbedtls_svc_key_id_t key, int vendor_ok) {
+    psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+
+    if ((PSA_KEY_ID_USER_MIN <= key_id) &&
+            (key_id <= PSA_KEY_ID_USER_MAX))
+        return (PSA_SUCCESS);
+
+    if (vendor_ok &&
+            (PSA_KEY_ID_VENDOR_MIN <= key_id) &&
+            (key_id <= PSA_KEY_ID_VENDOR_MAX))
+        return (PSA_SUCCESS);
+
+    return (PSA_ERROR_INVALID_HANDLE);
+}
+
+/** Get the description in memory of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are
+ * stored in key slots. This function returns a pointer to the key slot
+ * containing the description of a key given its identifier.
+ *
+ * The function searches the key slots containing the description of the key
+ * with \p key identifier. The function does only read accesses to the key
+ * slots. The function does not load any persistent key thus does not access
+ * any storage.
+ *
+ * For volatile key identifiers, only one key slot is queried as a volatile
+ * key with identifier key_id can only be stored in slot of index
+ * ( key_id - #PSA_KEY_ID_VOLATILE_MIN ).
+ *
+ * On success, the function locks the key slot. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ *
+ * \param key           Key identifier to query.
+ * \param[out] p_slot   On success, `*p_slot` contains a pointer to the
+ *                      key slot containing the description of the key
+ *                      identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ *         The pointer to the key slot containing the description of the key
+ *         identified by \p key was returned.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ *         \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ *         There is no key with key identifier \p key in the key slots.
+ */
+static psa_status_t psa_get_and_lock_key_slot_in_memory(
+    mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+    size_t slot_idx;
+    psa_key_slot_t *slot = NULL;
+
+    if (psa_key_id_is_volatile(key_id)) {
+        slot = &global_data.key_slots[ key_id - PSA_KEY_ID_VOLATILE_MIN ];
+
+        /*
+         * Check if both the PSA key identifier key_id and the owner
+         * identifier of key match those of the key slot.
+         *
+         * Note that, if the key slot is not occupied, its PSA key identifier
+         * is equal to zero. This is an invalid value for a PSA key identifier
+         * and thus cannot be equal to the valid PSA key identifier key_id.
+         */
+        status = mbedtls_svc_key_id_equal(key, slot->attr.id) ?
+                 PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
+    } else {
+        status = psa_validate_key_id(key, 1);
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+            slot = &global_data.key_slots[ slot_idx ];
+            if (mbedtls_svc_key_id_equal(key, slot->attr.id))
+                break;
+        }
+        status = (slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT) ?
+                 PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
+    }
+
+    if (status == PSA_SUCCESS) {
+        status = psa_lock_key_slot(slot);
+        if (status == PSA_SUCCESS)
+            *p_slot = slot;
+    }
+
+    return (status);
+}
+
+psa_status_t psa_initialize_key_slots(void) {
+    /* Nothing to do: program startup and psa_wipe_all_key_slots() both
+     * guarantee that the key slots are initialized to all-zero, which
+     * means that all the key slots are in a valid, empty state. */
+    global_data.key_slots_initialized = 1;
+    return (PSA_SUCCESS);
+}
+
+void psa_wipe_all_key_slots(void) {
+    size_t slot_idx;
+
+    for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+        psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ];
+        slot->lock_count = 1;
+        (void) psa_wipe_key_slot(slot);
+    }
+    global_data.key_slots_initialized = 0;
+}
+
+psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
+                                    psa_key_slot_t **p_slot) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+    size_t slot_idx;
+    psa_key_slot_t *selected_slot, *unlocked_persistent_key_slot;
+
+    if (! global_data.key_slots_initialized) {
+        status = PSA_ERROR_BAD_STATE;
+        goto error;
+    }
+
+    selected_slot = unlocked_persistent_key_slot = NULL;
+    for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+        psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ];
+        if (! psa_is_key_slot_occupied(slot)) {
+            selected_slot = slot;
+            break;
+        }
+
+        if ((unlocked_persistent_key_slot == NULL) &&
+                (! PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
+                (! psa_is_key_slot_locked(slot)))
+            unlocked_persistent_key_slot = slot;
+    }
+
+    /*
+     * If there is no unused key slot and there is at least one unlocked key
+     * slot containing the description of a persistent key, recycle the first
+     * such key slot we encountered. If we later need to operate on the
+     * persistent key we are evicting now, we will reload its description from
+     * storage.
+     */
+    if ((selected_slot == NULL) &&
+            (unlocked_persistent_key_slot != NULL)) {
+        selected_slot = unlocked_persistent_key_slot;
+        selected_slot->lock_count = 1;
+        psa_wipe_key_slot(selected_slot);
+    }
+
+    if (selected_slot != NULL) {
+        status = psa_lock_key_slot(selected_slot);
+        if (status != PSA_SUCCESS)
+            goto error;
+
+        *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
+                           ((psa_key_id_t)(selected_slot - global_data.key_slots));
+        *p_slot = selected_slot;
+
+        return (PSA_SUCCESS);
+    }
+    status = PSA_ERROR_INSUFFICIENT_MEMORY;
+
+error:
+    *p_slot = NULL;
+    *volatile_key_id = 0;
+
+    return (status);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot) {
+    psa_status_t status = PSA_SUCCESS;
+    uint8_t *key_data = NULL;
+    size_t key_data_length = 0;
+
+    status = psa_load_persistent_key(&slot->attr,
+                                     &key_data, &key_data_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    /* Special handling is required for loading keys associated with a
+     * dynamically registered SE interface. */
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+    if (psa_get_se_driver(slot->attr.lifetime, &drv, &drv_context)) {
+        psa_se_key_data_storage_t *data;
+
+        if (key_data_length != sizeof(*data)) {
+            status = PSA_ERROR_DATA_INVALID;
+            goto exit;
+        }
+        data = (psa_se_key_data_storage_t *) key_data;
+        status = psa_copy_key_material_into_slot(
+                     slot, data->slot_number, sizeof(data->slot_number));
+        goto exit;
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    status = psa_copy_key_material_into_slot(slot, key_data, key_data_length);
+
+exit:
+    psa_free_persistent_key_data(key_data, key_data_length);
+    return (status);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+                                       psa_key_slot_t **p_slot) {
+    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+    *p_slot = NULL;
+    if (! global_data.key_slots_initialized)
+        return (PSA_ERROR_BAD_STATE);
+
+    /*
+     * On success, the pointer to the slot is passed directly to the caller
+     * thus no need to unlock the key slot here.
+     */
+    status = psa_get_and_lock_key_slot_in_memory(key, p_slot);
+    if (status != PSA_ERROR_DOES_NOT_EXIST)
+        return (status);
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    psa_key_id_t volatile_key_id;
+
+    status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    (*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
+    (*p_slot)->attr.id = key;
+
+    status = psa_load_persistent_key_into_slot(*p_slot);
+    if (status != PSA_SUCCESS)
+        psa_wipe_key_slot(*p_slot);
+
+    return (status);
+#else
+    return (PSA_ERROR_DOES_NOT_EXIST);
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+}
+
+psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot) {
+    if (slot == NULL)
+        return (PSA_SUCCESS);
+
+    if (slot->lock_count > 0) {
+        slot->lock_count--;
+        return (PSA_SUCCESS);
+    }
+
+    /*
+     * As the return error code may not be handled in case of multiple errors,
+     * do our best to report if the lock counter is equal to zero: if
+     * available call MBEDTLS_PARAM_FAILED that may terminate execution (if
+     * called as part of the execution of a unit test suite this will stop the
+     * test suite execution).
+     */
+#ifdef MBEDTLS_CHECK_PARAMS
+    MBEDTLS_PARAM_FAILED(slot->lock_count > 0);
+#endif
+
+    return (PSA_ERROR_CORRUPTION_DETECTED);
+}
+
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+                                       psa_se_drv_table_entry_t **p_drv) {
+    if (psa_key_lifetime_is_external(lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+        /* Check whether a driver is registered against this lifetime */
+        psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+        if (driver != NULL) {
+            if (p_drv != NULL)
+                *p_drv = driver;
+            return (PSA_SUCCESS);
+        }
+#else /* MBEDTLS_PSA_CRYPTO_SE_C */
+        (void) p_drv;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+        /* Key location for external keys gets checked by the wrapper */
+        return (PSA_SUCCESS);
+#else /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+        /* No support for external lifetimes at all, or dynamic interface
+         * did not find driver for requested lifetime. */
+        return (PSA_ERROR_INVALID_ARGUMENT);
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+    } else
+        /* Local/internal keys are always valid */
+        return (PSA_SUCCESS);
+}
+
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime) {
+    if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+        /* Volatile keys are always supported */
+        return (PSA_SUCCESS);
+    } else {
+        /* Persistent keys require storage support */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+        return (PSA_SUCCESS);
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+        return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
+    }
+}
+
+psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle) {
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    psa_status_t status;
+    psa_key_slot_t *slot;
+
+    status = psa_get_and_lock_key_slot(key, &slot);
+    if (status != PSA_SUCCESS) {
+        *handle = PSA_KEY_HANDLE_INIT;
+        return (status);
+    }
+
+    *handle = key;
+
+    return (psa_unlock_key_slot(slot));
+
+#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+    (void) key;
+    *handle = PSA_KEY_HANDLE_INIT;
+    return (PSA_ERROR_NOT_SUPPORTED);
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+}
+
+psa_status_t psa_close_key(psa_key_handle_t handle) {
+    psa_status_t status;
+    psa_key_slot_t *slot;
+
+    if (psa_key_handle_is_null(handle))
+        return (PSA_SUCCESS);
+
+    status = psa_get_and_lock_key_slot_in_memory(handle, &slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if (slot->lock_count <= 1)
+        return (psa_wipe_key_slot(slot));
+    else
+        return (psa_unlock_key_slot(slot));
+}
+
+psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) {
+    psa_status_t status;
+    psa_key_slot_t *slot;
+
+    status = psa_get_and_lock_key_slot_in_memory(key, &slot);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if ((! PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
+            (slot->lock_count <= 1))
+        return (psa_wipe_key_slot(slot));
+    else
+        return (psa_unlock_key_slot(slot));
+}
+
+void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats) {
+    size_t slot_idx;
+
+    memset(stats, 0, sizeof(*stats));
+
+    for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+        const psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ];
+        if (psa_is_key_slot_locked(slot)) {
+            ++stats->locked_slots;
+        }
+        if (! psa_is_key_slot_occupied(slot)) {
+            ++stats->empty_slots;
+            continue;
+        }
+        if (slot->attr.lifetime == PSA_KEY_LIFETIME_VOLATILE)
+            ++stats->volatile_slots;
+        else if (slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT) {
+            psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+            ++stats->persistent_slots;
+            if (id > stats->max_open_internal_key_id)
+                stats->max_open_internal_key_id = id;
+        } else {
+            psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+            ++stats->external_slots;
+            if (id > stats->max_open_external_key_id)
+                stats->max_open_external_key_id = id;
+        }
+    }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/common/mbedtls/psa_crypto_slot_management.h b/common/mbedtls/psa_crypto_slot_management.h
new file mode 100644
index 000000000..de2eea4cd
--- /dev/null
+++ b/common/mbedtls/psa_crypto_slot_management.h
@@ -0,0 +1,222 @@
+/*
+ *  PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
+#define PSA_CRYPTO_SLOT_MANAGEMENT_H
+
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_se.h"
+
+/** Range of volatile key identifiers.
+ *
+ *  The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
+ *  range of key identifiers are reserved for volatile key identifiers.
+ *  A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
+ *  index of the key slot containing the volatile key definition.
+ */
+
+/** The minimum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MIN  ( PSA_KEY_ID_VENDOR_MAX - \
+                                   MBEDTLS_PSA_KEY_SLOT_COUNT + 1 )
+
+/** The maximum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MAX  PSA_KEY_ID_VENDOR_MAX
+
+/** Test whether a key identifier is a volatile key identifier.
+ *
+ * \param key_id  Key identifier to test.
+ *
+ * \retval 1
+ *         The key identifier is a volatile key identifier.
+ * \retval 0
+ *         The key identifier is not a volatile key identifier.
+ */
+static inline int psa_key_id_is_volatile(psa_key_id_t key_id) {
+    return ((key_id >= PSA_KEY_ID_VOLATILE_MIN) &&
+            (key_id <= PSA_KEY_ID_VOLATILE_MAX));
+}
+
+/** Get the description of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are stored in
+ * key slots. This function returns a pointer to the key slot containing the
+ * description of a key given its identifier.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot is locked. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ *
+ * \param key           Key identifier to query.
+ * \param[out] p_slot   On success, `*p_slot` contains a pointer to the
+ *                      key slot containing the description of the key
+ *                      identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ *         \p *p_slot contains a pointer to the key slot containing the
+ *         description of the key identified by \p key.
+ *         The key slot counter has been incremented.
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been initialized.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ *         \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *         \p key is a persistent key identifier. The implementation does not
+ *         have sufficient resources to load the persistent key. This can be
+ *         due to a lack of empty key slot, or available memory.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ *         There is no key with key identifier \p key.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ */
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+                                       psa_key_slot_t **p_slot);
+
+/** Initialize the key slot structures.
+ *
+ * \retval #PSA_SUCCESS
+ *         Currently this function always succeeds.
+ */
+psa_status_t psa_initialize_key_slots(void);
+
+/** Delete all data from key slots in memory.
+ *
+ * This does not affect persistent storage. */
+void psa_wipe_all_key_slots(void);
+
+/** Find a free key slot.
+ *
+ * This function returns a key slot that is available for use and is in its
+ * ground state (all-bits-zero). On success, the key slot is locked. It is
+ * the responsibility of the caller to unlock the key slot when it does not
+ * access it anymore.
+ *
+ * \param[out] volatile_key_id   On success, volatile key identifier
+ *                               associated to the returned slot.
+ * \param[out] p_slot            On success, a pointer to the slot.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_BAD_STATE
+ */
+psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
+                                    psa_key_slot_t **p_slot);
+
+/** Lock a key slot.
+ *
+ * This function increments the key slot lock counter by one.
+ *
+ * \param[in] slot  The key slot.
+ *
+ * \retval #PSA_SUCCESS
+               The key slot lock counter was incremented.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ *             The lock counter already reached its maximum value and was not
+ *             increased.
+ */
+static inline psa_status_t psa_lock_key_slot(psa_key_slot_t *slot) {
+    if (slot->lock_count >= SIZE_MAX)
+        return (PSA_ERROR_CORRUPTION_DETECTED);
+
+    slot->lock_count++;
+
+    return (PSA_SUCCESS);
+}
+
+/** Unlock a key slot.
+ *
+ * This function decrements the key slot lock counter by one.
+ *
+ * \note To ease the handling of errors in retrieving a key slot
+ *       a NULL input pointer is valid, and the function returns
+ *       successfully without doing anything in that case.
+ *
+ * \param[in] slot  The key slot.
+ * \retval #PSA_SUCCESS
+ *             \p slot is NULL or the key slot lock counter has been
+ *             decremented successfully.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ *             The lock counter was equal to 0.
+ *
+ */
+psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot);
+
+/** Test whether a lifetime designates a key in an external cryptoprocessor.
+ *
+ * \param lifetime      The lifetime to test.
+ *
+ * \retval 1
+ *         The lifetime designates an external key. There should be a
+ *         registered driver for this lifetime, otherwise the key cannot
+ *         be created or manipulated.
+ * \retval 0
+ *         The lifetime designates a key that is volatile or in internal
+ *         storage.
+ */
+static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime) {
+    return (PSA_KEY_LIFETIME_GET_LOCATION(lifetime)
+            != PSA_KEY_LOCATION_LOCAL_STORAGE);
+}
+
+/** Validate a key's location.
+ *
+ * This function checks whether the key's attributes point to a location that
+ * is known to the PSA Core, and returns the driver function table if the key
+ * is to be found in an external location.
+ *
+ * \param[in] lifetime      The key lifetime attribute.
+ * \param[out] p_drv        On success, when a key is located in external
+ *                          storage, returns a pointer to the driver table
+ *                          associated with the key's storage location.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+                                       psa_se_drv_table_entry_t **p_drv);
+
+/** Validate the persistence of a key.
+ *
+ * \param[in] lifetime  The key lifetime attribute.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The key is persistent but persistent
+ *         keys are not supported.
+ */
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime);
+
+/** Validate a key identifier.
+ *
+ * \param[in] key           The key identifier.
+ * \param[in] vendor_ok     Non-zero to indicate that key identifiers in the
+ *                          vendor range are allowed, volatile key identifiers
+ *                          excepted \c 0 otherwise.
+ *
+ * \retval #PSA_SUCCESS The identifier is valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
+ */
+psa_status_t psa_validate_key_id(mbedtls_svc_key_id_t key, int vendor_ok);
+
+#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
diff --git a/common/mbedtls/psa_crypto_storage.c b/common/mbedtls/psa_crypto_storage.c
new file mode 100644
index 000000000..c013366f8
--- /dev/null
+++ b/common/mbedtls/psa_crypto_storage.c
@@ -0,0 +1,508 @@
+/*
+ *  PSA persistent key storage
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa_crypto_service_integration.h"
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc   calloc
+#define mbedtls_free     free
+#endif
+
+
+
+/****************************************************************/
+/* Key storage */
+/****************************************************************/
+
+/* Determine a file name (ITS file identifier) for the given key identifier.
+ * The file name must be distinct from any file that is used for a purpose
+ * other than storing a key. Currently, the only such file is the random seed
+ * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
+ * 0xFFFFFF52. */
+static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key) {
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    /* Encode the owner in the upper 32 bits. This means that if
+     * owner values are nonzero (as they are on a PSA platform),
+     * no key file will ever have a value less than 0x100000000, so
+     * the whole range 0..0xffffffff is available for non-key files. */
+    uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key);
+    return (((uint64_t) unsigned_owner_id << 32) |
+            MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key));
+#else
+    /* Use the key id directly as a file name.
+     * psa_is_key_id_valid() in psa_crypto_slot_management.c
+     * is responsible for ensuring that key identifiers do not have a
+     * value that is reserved for non-key files. */
+    return (key);
+#endif
+}
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key               Persistent identifier of the key to be loaded. This
+ *                          should be an occupied storage location.
+ * \param[out] data         Buffer where the data is to be written.
+ * \param data_size         Size of the \c data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ */
+static psa_status_t psa_crypto_storage_load(
+    const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size) {
+    psa_status_t status;
+    psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+    struct psa_storage_info_t data_identifier_info;
+    size_t data_length = 0;
+
+    status = psa_its_get_info(data_identifier, &data_identifier_info);
+    if (status  != PSA_SUCCESS)
+        return (status);
+
+    status = psa_its_get(data_identifier, 0, (uint32_t) data_size, data, &data_length);
+    if (data_size  != data_length)
+        return (PSA_ERROR_DATA_INVALID);
+
+    return (status);
+}
+
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key) {
+    psa_status_t ret;
+    psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+    struct psa_storage_info_t data_identifier_info;
+
+    ret = psa_its_get_info(data_identifier, &data_identifier_info);
+
+    if (ret == PSA_ERROR_DOES_NOT_EXIST)
+        return (0);
+    return (1);
+}
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key           Persistent identifier of the key to be stored. This
+ *                      should be an unoccupied storage location.
+ * \param[in] data      Buffer containing the data to be stored.
+ * \param data_length   The number of bytes
+ *                      that make up the data.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_INVALID
+ */
+static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
+                                             const uint8_t *data,
+                                             size_t data_length) {
+    psa_status_t status;
+    psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+    struct psa_storage_info_t data_identifier_info;
+
+    if (psa_is_key_present_in_storage(key) == 1)
+        return (PSA_ERROR_ALREADY_EXISTS);
+
+    status = psa_its_set(data_identifier, (uint32_t) data_length, data, 0);
+    if (status != PSA_SUCCESS) {
+        return (PSA_ERROR_DATA_INVALID);
+    }
+
+    status = psa_its_get_info(data_identifier, &data_identifier_info);
+    if (status != PSA_SUCCESS) {
+        goto exit;
+    }
+
+    if (data_identifier_info.size != data_length) {
+        status = PSA_ERROR_DATA_INVALID;
+        goto exit;
+    }
+
+exit:
+    if (status != PSA_SUCCESS) {
+        /* Remove the file in case we managed to create it but something
+         * went wrong. It's ok if the file doesn't exist. If the file exists
+         * but the removal fails, we're already reporting an error so there's
+         * nothing else we can do. */
+        (void) psa_its_remove(data_identifier);
+    }
+    return (status);
+}
+
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key) {
+    psa_status_t ret;
+    psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+    struct psa_storage_info_t data_identifier_info;
+
+    ret = psa_its_get_info(data_identifier, &data_identifier_info);
+    if (ret == PSA_ERROR_DOES_NOT_EXIST)
+        return (PSA_SUCCESS);
+
+    if (psa_its_remove(data_identifier) != PSA_SUCCESS)
+        return (PSA_ERROR_DATA_INVALID);
+
+    ret = psa_its_get_info(data_identifier, &data_identifier_info);
+    if (ret != PSA_ERROR_DOES_NOT_EXIST)
+        return (PSA_ERROR_DATA_INVALID);
+
+    return (PSA_SUCCESS);
+}
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key               Persistent identifier whose stored data length
+ *                          is to be obtained.
+ * \param[out] data_length  The number of bytes that make up the data.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ */
+static psa_status_t psa_crypto_storage_get_data_length(
+    const mbedtls_svc_key_id_t key,
+    size_t *data_length) {
+    psa_status_t status;
+    psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+    struct psa_storage_info_t data_identifier_info;
+
+    status = psa_its_get_info(data_identifier, &data_identifier_info);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    *data_length = (size_t) data_identifier_info.size;
+
+    return (PSA_SUCCESS);
+}
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i )                        \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/*
+ * 16-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT16_LE
+#define GET_UINT16_LE( n, b, i )                        \
+{                                                       \
+    (n) = ( (uint16_t) (b)[(i)    ]       )             \
+        | ( (uint16_t) (b)[(i) + 1] <<  8 );            \
+}
+#endif
+
+#ifndef PUT_UINT16_LE
+#define PUT_UINT16_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+}
+#endif
+
+/**
+ * Persistent key storage magic header.
+ */
+#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
+#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ( sizeof( PSA_KEY_STORAGE_MAGIC_HEADER ) )
+
+typedef struct {
+    uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
+    uint8_t version[4];
+    uint8_t lifetime[sizeof(psa_key_lifetime_t)];
+    uint8_t type[2];
+    uint8_t bits[2];
+    uint8_t policy[sizeof(psa_key_policy_t)];
+    uint8_t data_len[4];
+    uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage(const uint8_t *data,
+                                     const size_t data_length,
+                                     const psa_core_key_attributes_t *attr,
+                                     uint8_t *storage_data) {
+    psa_persistent_key_storage_format *storage_format =
+        (psa_persistent_key_storage_format *) storage_data;
+
+    memcpy(storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER, PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH);
+    PUT_UINT32_LE(0, storage_format->version, 0);
+    PUT_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
+    PUT_UINT16_LE((uint16_t) attr->type, storage_format->type, 0);
+    PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
+    PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
+    PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
+    PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
+    PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+    memcpy(storage_format->key_data, data, data_length);
+}
+
+static psa_status_t check_magic_header(const uint8_t *data) {
+    if (memcmp(data, PSA_KEY_STORAGE_MAGIC_HEADER,
+               PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH) != 0)
+        return (PSA_ERROR_DATA_INVALID);
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+                                             size_t storage_data_length,
+                                             uint8_t **key_data,
+                                             size_t *key_data_length,
+                                             psa_core_key_attributes_t *attr) {
+    psa_status_t status;
+    const psa_persistent_key_storage_format *storage_format =
+        (const psa_persistent_key_storage_format *)storage_data;
+    uint32_t version;
+
+    if (storage_data_length < sizeof(*storage_format))
+        return (PSA_ERROR_DATA_INVALID);
+
+    status = check_magic_header(storage_data);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    GET_UINT32_LE(version, storage_format->version, 0);
+    if (version != 0)
+        return (PSA_ERROR_DATA_INVALID);
+
+    GET_UINT32_LE(*key_data_length, storage_format->data_len, 0);
+    if (*key_data_length > (storage_data_length - sizeof(*storage_format)) ||
+            *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE)
+        return (PSA_ERROR_DATA_INVALID);
+
+    if (*key_data_length == 0) {
+        *key_data = NULL;
+    } else {
+        *key_data = mbedtls_calloc(1, *key_data_length);
+        if (*key_data == NULL)
+            return (PSA_ERROR_INSUFFICIENT_MEMORY);
+        memcpy(*key_data, storage_format->key_data, *key_data_length);
+    }
+
+    GET_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
+    GET_UINT16_LE(attr->type, storage_format->type, 0);
+    GET_UINT16_LE(attr->bits, storage_format->bits, 0);
+    GET_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
+    GET_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
+    GET_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
+
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
+                                     const uint8_t *data,
+                                     const size_t data_length) {
+    size_t storage_data_length;
+    uint8_t *storage_data;
+    psa_status_t status;
+
+    /* All keys saved to persistent storage always have a key context */
+    if (data == NULL || data_length == 0)
+        return (PSA_ERROR_INVALID_ARGUMENT);
+
+    if (data_length > PSA_CRYPTO_MAX_STORAGE_SIZE)
+        return (PSA_ERROR_INSUFFICIENT_STORAGE);
+    storage_data_length = data_length + sizeof(psa_persistent_key_storage_format);
+
+    storage_data = mbedtls_calloc(1, storage_data_length);
+    if (storage_data == NULL)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+    psa_format_key_data_for_storage(data, data_length, attr, storage_data);
+
+    status = psa_crypto_storage_store(attr->id,
+                                      storage_data, storage_data_length);
+
+    mbedtls_free(storage_data);
+
+    return (status);
+}
+
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length) {
+    if (key_data != NULL) {
+        mbedtls_platform_zeroize(key_data, key_data_length);
+    }
+    mbedtls_free(key_data);
+}
+
+psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
+                                     uint8_t **data,
+                                     size_t *data_length) {
+    psa_status_t status = PSA_SUCCESS;
+    uint8_t *loaded_data;
+    size_t storage_data_length = 0;
+    mbedtls_svc_key_id_t key = attr->id;
+
+    status = psa_crypto_storage_get_data_length(key, &storage_data_length);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    loaded_data = mbedtls_calloc(1, storage_data_length);
+
+    if (loaded_data == NULL)
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+
+    status = psa_crypto_storage_load(key, loaded_data, storage_data_length);
+    if (status != PSA_SUCCESS)
+        goto exit;
+
+    status = psa_parse_key_data_from_storage(loaded_data, storage_data_length,
+                                             data, data_length, attr);
+
+    /* All keys saved to persistent storage always have a key context */
+    if (status == PSA_SUCCESS &&
+            (*data == NULL || *data_length == 0))
+        status = PSA_ERROR_STORAGE_FAILURE;
+
+exit:
+    mbedtls_free(loaded_data);
+    return (status);
+}
+
+
+
+/****************************************************************/
+/* Transactions */
+/****************************************************************/
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+psa_crypto_transaction_t psa_crypto_transaction;
+
+psa_status_t psa_crypto_save_transaction(void) {
+    struct psa_storage_info_t p_info;
+    psa_status_t status;
+    status = psa_its_get_info(PSA_CRYPTO_ITS_TRANSACTION_UID, &p_info);
+    if (status == PSA_SUCCESS) {
+        /* This shouldn't happen: we're trying to start a transaction while
+         * there is still a transaction that hasn't been replayed. */
+        return (PSA_ERROR_CORRUPTION_DETECTED);
+    } else if (status != PSA_ERROR_DOES_NOT_EXIST)
+        return (status);
+    return (psa_its_set(PSA_CRYPTO_ITS_TRANSACTION_UID,
+                        sizeof(psa_crypto_transaction),
+                        &psa_crypto_transaction,
+                        0));
+}
+
+psa_status_t psa_crypto_load_transaction(void) {
+    psa_status_t status;
+    size_t length;
+    status = psa_its_get(PSA_CRYPTO_ITS_TRANSACTION_UID, 0,
+                         sizeof(psa_crypto_transaction),
+                         &psa_crypto_transaction, &length);
+    if (status != PSA_SUCCESS)
+        return (status);
+    if (length != sizeof(psa_crypto_transaction))
+        return (PSA_ERROR_DATA_INVALID);
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_crypto_stop_transaction(void) {
+    psa_status_t status = psa_its_remove(PSA_CRYPTO_ITS_TRANSACTION_UID);
+    /* Whether or not updating the storage succeeded, the transaction is
+     * finished now. It's too late to go back, so zero out the in-memory
+     * data. */
+    memset(&psa_crypto_transaction, 0, sizeof(psa_crypto_transaction));
+    return (status);
+}
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+
+
+/****************************************************************/
+/* Random generator state */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+                                                size_t seed_size) {
+    psa_status_t status;
+    struct psa_storage_info_t p_info;
+
+    status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info);
+
+    if (PSA_ERROR_DOES_NOT_EXIST == status) { /* No seed exists */
+        status = psa_its_set(PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0);
+    } else if (PSA_SUCCESS == status) {
+        /* You should not be here. Seed needs to be injected only once */
+        status = PSA_ERROR_NOT_PERMITTED;
+    }
+    return (status);
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/common/mbedtls/psa_crypto_storage.h b/common/mbedtls/psa_crypto_storage.h
new file mode 100644
index 000000000..52e904611
--- /dev/null
+++ b/common/mbedtls/psa_crypto_storage.h
@@ -0,0 +1,395 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+#include <stdint.h>
+#include <string.h>
+
+/* Limit the maximum key size in storage. This should have no effect
+ * since the key size is limited in memory. */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE ( PSA_BITS_TO_BYTES( PSA_MAX_KEY_BITS ) )
+/* Sanity check: a file size must fit in 32 bits. Allow a generous
+ * 64kB of metadata. */
+#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
+#error PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
+#endif
+
+/** The maximum permitted persistent slot number.
+ *
+ * In Mbed Crypto 0.1.0b:
+ * - Using the file backend, all key ids are ok except 0.
+ * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
+ *   (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
+ *   device's random seed (if this feature is enabled).
+ * - Only key ids from 1 to #MBEDTLS_PSA_KEY_SLOT_COUNT are actually used.
+ *
+ * Since we need to preserve the random seed, avoid using that key slot.
+ * Reserve a whole range of key slots just in case something else comes up.
+ *
+ * This limitation will probably become moot when we implement client
+ * separation for key storage.
+ */
+#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER PSA_KEY_ID_VENDOR_MAX
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key           Persistent identifier to check.
+ *
+ * \retval 0
+ *         No persistent data present for slot number
+ * \retval 1
+ *         Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ *        slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after loading the key into an internal slot to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as ensuring the key data is
+ * validated.
+ *
+ * Note: This function will only succeed for key buffers which are not
+ * empty. If passed a NULL pointer or zero-length, the function will fail
+ * with #PSA_ERROR_INVALID_ARGUMENT.
+ *
+ * \param[in] attr          The attributes of the key to save.
+ *                          The key identifier field in the attributes
+ *                          determines the key's location.
+ * \param[in] data          Buffer containing the key data.
+ * \param data_length       The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ */
+psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
+                                     const uint8_t *data,
+                                     const size_t data_length);
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. On successful return, the pointer is guaranteed to be
+ * valid and the buffer contains at least one byte of data.
+ * psa_free_persistent_key_data() must be called on the data buffer
+ * afterwards to zeroize and free this buffer.
+ *
+ * \param[in,out] attr      On input, the key identifier field identifies
+ *                          the key to load. Other fields are ignored.
+ *                          On success, the attribute structure contains
+ *                          the key metadata that was loaded from storage.
+ * \param[out] data         Pointer to an allocated key data buffer on return.
+ * \param[out] data_length  The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ */
+psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
+                                     uint8_t **data,
+                                     size_t *data_length);
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key           Persistent identifier of the key to remove
+ *                      from persistent storage.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was successfully removed,
+ *         or the key did not exist.
+ * \retval #PSA_ERROR_DATA_INVALID
+ */
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Free the temporary buffer allocated by psa_load_persistent_key().
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data        Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length);
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data          Buffer containing the key data.
+ * \param data_length       Length of the key data buffer.
+ * \param[in] attr          The core attributes of the key.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage(const uint8_t *data,
+                                     const size_t data_length,
+                                     const psa_core_key_attributes_t *attr,
+                                     uint8_t *storage_data);
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data     Buffer for the storage data.
+ * \param storage_data_length  Length of the storage data buffer
+ * \param[out] key_data        On output, pointer to a newly allocated buffer
+ *                             containing the key data. This must be freed
+ *                             using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] attr            On success, the attribute structure is filled
+ *                             with the loaded key metadata.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_DATA_INVALID
+ */
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+                                             size_t storage_data_length,
+                                             uint8_t **key_data,
+                                             size_t *key_data_length,
+                                             psa_core_key_attributes_t *attr);
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** This symbol is defined if transaction support is required. */
+#define PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS
+#endif
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+/** The type of transaction that is in progress.
+ */
+/* This is an integer type rather than an enum for two reasons: to support
+ * unknown values when loading a transaction file, and to ensure that the
+ * type has a known size.
+ */
+typedef uint16_t psa_crypto_transaction_type_t;
+
+/** No transaction is in progress.
+ *
+ * This has the value 0, so zero-initialization sets a transaction's type to
+ * this value.
+ */
+#define PSA_CRYPTO_TRANSACTION_NONE             ( (psa_crypto_transaction_type_t) 0x0000 )
+
+/** A key creation transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are created atomically in storage
+ * (simple file creation), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_CREATE_KEY       ( (psa_crypto_transaction_type_t) 0x0001 )
+
+/** A key destruction transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are destroyed atomically in storage
+ * (simple file deletion), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_DESTROY_KEY      ( (psa_crypto_transaction_type_t) 0x0002 )
+
+/** Transaction data.
+ *
+ * This type is designed to be serialized by writing the memory representation
+ * and reading it back on the same device.
+ *
+ * \note The transaction mechanism is designed for a single active transaction
+ *       at a time. The transaction object is #psa_crypto_transaction.
+ *
+ * \note If an API call starts a transaction, it must complete this transaction
+ *       before returning to the application.
+ *
+ * The lifetime of a transaction is the following (note that only one
+ * transaction may be active at a time):
+ *
+ * -# Call psa_crypto_prepare_transaction() to initialize the transaction
+ *    object in memory and declare the type of transaction that is starting.
+ * -# Fill in the type-specific fields of #psa_crypto_transaction.
+ * -# Call psa_crypto_save_transaction() to start the transaction. This
+ *    saves the transaction data to internal storage.
+ * -# Perform the work of the transaction by modifying files, contacting
+ *    external entities, or whatever needs doing. Note that the transaction
+ *    may be interrupted by a power failure, so you need to have a way
+ *    recover from interruptions either by undoing what has been done
+ *    so far or by resuming where you left off.
+ * -# If there are intermediate stages in the transaction, update
+ *    the fields of #psa_crypto_transaction and call
+ *    psa_crypto_save_transaction() again when each stage is reached.
+ * -# When the transaction is over, call psa_crypto_stop_transaction() to
+ *    remove the transaction data in storage and in memory.
+ *
+ * If the system crashes while a transaction is in progress, psa_crypto_init()
+ * calls psa_crypto_load_transaction() and takes care of completing or
+ * rewinding the transaction. This is done in psa_crypto_recover_transaction()
+ * in psa_crypto.c. If you add a new type of transaction, be
+ * sure to add code for it in psa_crypto_recover_transaction().
+ */
+typedef union {
+    /* Each element of this union must have the following properties
+     * to facilitate serialization and deserialization:
+     *
+     * - The element is a struct.
+     * - The first field of the struct is `psa_crypto_transaction_type_t type`.
+     * - Elements of the struct are arranged such a way that there is
+     *   no padding.
+     */
+    struct psa_crypto_transaction_unknown_s {
+        psa_crypto_transaction_type_t type;
+        uint16_t unused1;
+        uint32_t unused2;
+        uint64_t unused3;
+        uint64_t unused4;
+    } unknown;
+    /* ::type is #PSA_CRYPTO_TRANSACTION_CREATE_KEY or
+     * #PSA_CRYPTO_TRANSACTION_DESTROY_KEY. */
+    struct psa_crypto_transaction_key_s {
+        psa_crypto_transaction_type_t type;
+        uint16_t unused1;
+        psa_key_lifetime_t lifetime;
+        psa_key_slot_number_t slot;
+        mbedtls_svc_key_id_t id;
+    } key;
+} psa_crypto_transaction_t;
+
+/** The single active transaction.
+ */
+extern psa_crypto_transaction_t psa_crypto_transaction;
+
+/** Prepare for a transaction.
+ *
+ * There must not be an ongoing transaction.
+ *
+ * \param type          The type of transaction to start.
+ */
+static inline void psa_crypto_prepare_transaction(
+    psa_crypto_transaction_type_t type) {
+    psa_crypto_transaction.unknown.type = type;
+}
+
+/** Save the transaction data to storage.
+ *
+ * You may call this function multiple times during a transaction to
+ * atomically update the transaction state.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_save_transaction(void);
+
+/** Load the transaction data from storage, if any.
+ *
+ * This function is meant to be called from psa_crypto_init() to recover
+ * in case a transaction was interrupted by a system crash.
+ *
+ * \retval #PSA_SUCCESS
+ *         The data about the ongoing transaction has been loaded to
+ *         #psa_crypto_transaction.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ *         There is no ongoing transaction.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ */
+psa_status_t psa_crypto_load_transaction(void);
+
+/** Indicate that the current transaction is finished.
+ *
+ * Call this function at the very end of transaction processing.
+ * This function does not "commit" or "abort" the transaction: the storage
+ * subsystem has no concept of "commit" and "abort", just saving and
+ * removing the transaction information in storage.
+ *
+ * This function erases the transaction data in storage (if any) and
+ * resets the transaction data in memory.
+ *
+ * \retval #PSA_SUCCESS
+ *         There was transaction data in storage.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ *         There was no transaction data in storage.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ *         It was impossible to determine whether there was transaction data
+ *         in storage, or the transaction data could not be erased.
+ */
+psa_status_t psa_crypto_stop_transaction(void);
+
+/** The ITS file identifier for the transaction data.
+ *
+ * 0xffffffNN = special file; 0x74 = 't' for transaction.
+ */
+#define PSA_CRYPTO_ITS_TRANSACTION_UID ( (psa_key_id_t) 0xffffff74 )
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+/** Backend side of mbedtls_psa_inject_entropy().
+ *
+ * This function stores the supplied data into the entropy seed file.
+ *
+ * \retval #PSA_SUCCESS
+ *         Success
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The entropy seed file already exists.
+ */
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+                                                size_t seed_size);
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/common/mbedtls/psa_its_file.c b/common/mbedtls/psa_its_file.c
new file mode 100644
index 000000000..9065ea431
--- /dev/null
+++ b/common/mbedtls/psa_its_file.c
@@ -0,0 +1,248 @@
+/*
+ *  PSA ITS simulator over stdio files.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+#include "psa_crypto_its.h"
+
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#if !defined(PSA_ITS_STORAGE_PREFIX)
+#define PSA_ITS_STORAGE_PREFIX ""
+#endif
+
+#define PSA_ITS_STORAGE_FILENAME_PATTERN "%08x%08x"
+#define PSA_ITS_STORAGE_SUFFIX ".psa_its"
+#define PSA_ITS_STORAGE_FILENAME_LENGTH         \
+    ( sizeof( PSA_ITS_STORAGE_PREFIX ) - 1 + /*prefix without terminating 0*/ \
+      16 + /*UID (64-bit number in hex)*/                               \
+      sizeof( PSA_ITS_STORAGE_SUFFIX ) - 1 + /*suffix without terminating 0*/ \
+      1 /*terminating null byte*/ )
+#define PSA_ITS_STORAGE_TEMP \
+    PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX
+
+/* The maximum value of psa_storage_info_t.size */
+#define PSA_ITS_MAX_SIZE 0xffffffff
+
+#define PSA_ITS_MAGIC_STRING "PSA\0ITS\0"
+#define PSA_ITS_MAGIC_LENGTH 8
+
+/* As rename fails on Windows if the new filepath already exists,
+ * use MoveFileExA with the MOVEFILE_REPLACE_EXISTING flag instead.
+ * Returns 0 on success, nonzero on failure. */
+#if defined(_WIN32)
+#define rename_replace_existing( oldpath, newpath ) \
+    ( ! MoveFileExA( oldpath, newpath, MOVEFILE_REPLACE_EXISTING ) )
+#else
+#define rename_replace_existing( oldpath, newpath ) rename( oldpath, newpath )
+#endif
+
+typedef struct {
+    uint8_t magic[PSA_ITS_MAGIC_LENGTH];
+    uint8_t size[sizeof(uint32_t)];
+    uint8_t flags[sizeof(psa_storage_create_flags_t)];
+} psa_its_file_header_t;
+
+static void psa_its_fill_filename(psa_storage_uid_t uid, char *filename) {
+    /* Break up the UID into two 32-bit pieces so as not to rely on
+     * long long support in snprintf. */
+    mbedtls_snprintf(filename, PSA_ITS_STORAGE_FILENAME_LENGTH,
+                     "%s" PSA_ITS_STORAGE_FILENAME_PATTERN "%s",
+                     PSA_ITS_STORAGE_PREFIX,
+                     (unsigned)(uid >> 32),
+                     (unsigned)(uid & 0xffffffff),
+                     PSA_ITS_STORAGE_SUFFIX);
+}
+
+static psa_status_t psa_its_read_file(psa_storage_uid_t uid,
+                                      struct psa_storage_info_t *p_info,
+                                      FILE **p_stream) {
+    char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+    psa_its_file_header_t header;
+    size_t n;
+
+    *p_stream = NULL;
+    psa_its_fill_filename(uid, filename);
+    *p_stream = fopen(filename, "rb");
+    if (*p_stream == NULL)
+        return (PSA_ERROR_DOES_NOT_EXIST);
+
+    n = fread(&header, 1, sizeof(header), *p_stream);
+    if (n != sizeof(header))
+        return (PSA_ERROR_DATA_CORRUPT);
+    if (memcmp(header.magic, PSA_ITS_MAGIC_STRING,
+               PSA_ITS_MAGIC_LENGTH) != 0)
+        return (PSA_ERROR_DATA_CORRUPT);
+
+    p_info->size = (header.size[0] |
+                    header.size[1] << 8 |
+                    header.size[2] << 16 |
+                    header.size[3] << 24);
+    p_info->flags = (header.flags[0] |
+                     header.flags[1] << 8 |
+                     header.flags[2] << 16 |
+                     header.flags[3] << 24);
+    return (PSA_SUCCESS);
+}
+
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+                              struct psa_storage_info_t *p_info) {
+    psa_status_t status;
+    FILE *stream = NULL;
+    status = psa_its_read_file(uid, p_info, &stream);
+    if (stream != NULL)
+        fclose(stream);
+    return (status);
+}
+
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+                         uint32_t data_offset,
+                         uint32_t data_length,
+                         void *p_data,
+                         size_t *p_data_length) {
+    psa_status_t status;
+    FILE *stream = NULL;
+    size_t n;
+    struct psa_storage_info_t info;
+
+    status = psa_its_read_file(uid, &info, &stream);
+    if (status != PSA_SUCCESS)
+        goto exit;
+    status = PSA_ERROR_INVALID_ARGUMENT;
+    if (data_offset + data_length < data_offset)
+        goto exit;
+#if SIZE_MAX < 0xffffffff
+    if (data_offset + data_length > SIZE_MAX)
+        goto exit;
+#endif
+    if (data_offset + data_length > info.size)
+        goto exit;
+
+    status = PSA_ERROR_STORAGE_FAILURE;
+#if LONG_MAX < 0xffffffff
+    while (data_offset > LONG_MAX) {
+        if (fseek(stream, LONG_MAX, SEEK_CUR) != 0)
+            goto exit;
+        data_offset -= LONG_MAX;
+    }
+#endif
+    if (fseek(stream, data_offset, SEEK_CUR) != 0)
+        goto exit;
+    n = fread(p_data, 1, data_length, stream);
+    if (n != data_length)
+        goto exit;
+    status = PSA_SUCCESS;
+    if (p_data_length != NULL)
+        *p_data_length = n;
+
+exit:
+    if (stream != NULL)
+        fclose(stream);
+    return (status);
+}
+
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+                         uint32_t data_length,
+                         const void *p_data,
+                         psa_storage_create_flags_t create_flags) {
+    psa_status_t status = PSA_ERROR_STORAGE_FAILURE;
+    char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+    FILE *stream = NULL;
+    psa_its_file_header_t header;
+    size_t n;
+
+    memcpy(header.magic, PSA_ITS_MAGIC_STRING, PSA_ITS_MAGIC_LENGTH);
+    header.size[0] = data_length & 0xff;
+    header.size[1] = (data_length >> 8) & 0xff;
+    header.size[2] = (data_length >> 16) & 0xff;
+    header.size[3] = (data_length >> 24) & 0xff;
+    header.flags[0] = create_flags & 0xff;
+    header.flags[1] = (create_flags >> 8) & 0xff;
+    header.flags[2] = (create_flags >> 16) & 0xff;
+    header.flags[3] = (create_flags >> 24) & 0xff;
+
+    psa_its_fill_filename(uid, filename);
+    stream = fopen(PSA_ITS_STORAGE_TEMP, "wb");
+    if (stream == NULL)
+        goto exit;
+
+    status = PSA_ERROR_INSUFFICIENT_STORAGE;
+    n = fwrite(&header, 1, sizeof(header), stream);
+    if (n != sizeof(header))
+        goto exit;
+    if (data_length != 0) {
+        n = fwrite(p_data, 1, data_length, stream);
+        if (n != data_length)
+            goto exit;
+    }
+    status = PSA_SUCCESS;
+
+exit:
+    if (stream != NULL) {
+        int ret = fclose(stream);
+        if (status == PSA_SUCCESS && ret != 0)
+            status = PSA_ERROR_INSUFFICIENT_STORAGE;
+    }
+    if (status == PSA_SUCCESS) {
+        if (rename_replace_existing(PSA_ITS_STORAGE_TEMP, filename) != 0)
+            status = PSA_ERROR_STORAGE_FAILURE;
+    }
+    /* The temporary file may still exist, but only in failure cases where
+     * we're already reporting an error. So there's nothing we can do on
+     * failure. If the function succeeded, and in some error cases, the
+     * temporary file doesn't exist and so remove() is expected to fail.
+     * Thus we just ignore the return status of remove(). */
+    (void) remove(PSA_ITS_STORAGE_TEMP);
+    return (status);
+}
+
+psa_status_t psa_its_remove(psa_storage_uid_t uid) {
+    char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+    FILE *stream;
+    psa_its_fill_filename(uid, filename);
+    stream = fopen(filename, "rb");
+    if (stream == NULL)
+        return (PSA_ERROR_DOES_NOT_EXIST);
+    fclose(stream);
+    if (remove(filename) != 0)
+        return (PSA_ERROR_STORAGE_FAILURE);
+    return (PSA_SUCCESS);
+}
+
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
diff --git a/common/mbedtls/psa_util.h b/common/mbedtls/psa_util.h
new file mode 100644
index 000000000..92348fa51
--- /dev/null
+++ b/common/mbedtls/psa_util.h
@@ -0,0 +1,490 @@
+/**
+ * \file psa_util.h
+ *
+ * \brief Utility functions for the use of the PSA Crypto library.
+ *
+ * \warning This function is not part of the public API and may
+ *          change at any time.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_PSA_UTIL_H
+#define MBEDTLS_PSA_UTIL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+#include "psa/crypto.h"
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/md.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+/* Translations for symmetric crypto. */
+
+static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
+    mbedtls_cipher_type_t cipher) {
+    switch (cipher) {
+        case MBEDTLS_CIPHER_AES_128_CCM:
+        case MBEDTLS_CIPHER_AES_192_CCM:
+        case MBEDTLS_CIPHER_AES_256_CCM:
+        case MBEDTLS_CIPHER_AES_128_GCM:
+        case MBEDTLS_CIPHER_AES_192_GCM:
+        case MBEDTLS_CIPHER_AES_256_GCM:
+        case MBEDTLS_CIPHER_AES_128_CBC:
+        case MBEDTLS_CIPHER_AES_192_CBC:
+        case MBEDTLS_CIPHER_AES_256_CBC:
+            return (PSA_KEY_TYPE_AES);
+
+        /* ARIA not yet supported in PSA. */
+        /* case MBEDTLS_CIPHER_ARIA_128_CCM:
+           case MBEDTLS_CIPHER_ARIA_192_CCM:
+           case MBEDTLS_CIPHER_ARIA_256_CCM:
+           case MBEDTLS_CIPHER_ARIA_128_GCM:
+           case MBEDTLS_CIPHER_ARIA_192_GCM:
+           case MBEDTLS_CIPHER_ARIA_256_GCM:
+           case MBEDTLS_CIPHER_ARIA_128_CBC:
+           case MBEDTLS_CIPHER_ARIA_192_CBC:
+           case MBEDTLS_CIPHER_ARIA_256_CBC:
+               return( PSA_KEY_TYPE_ARIA ); */
+
+        default:
+            return (0);
+    }
+}
+
+static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
+    mbedtls_cipher_mode_t mode, size_t taglen) {
+    switch (mode) {
+        case MBEDTLS_MODE_ECB:
+            return (PSA_ALG_ECB_NO_PADDING);
+        case MBEDTLS_MODE_GCM:
+            return (PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen));
+        case MBEDTLS_MODE_CCM:
+            return (PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen));
+        case MBEDTLS_MODE_CBC:
+            if (taglen == 0)
+                return (PSA_ALG_CBC_NO_PADDING);
+        /* Intentional fallthrough for taglen != 0 */
+        /* fallthrough */
+        default:
+            return (0);
+    }
+}
+
+static inline psa_key_usage_t mbedtls_psa_translate_cipher_operation(
+    mbedtls_operation_t op) {
+    switch (op) {
+        case MBEDTLS_ENCRYPT:
+            return (PSA_KEY_USAGE_ENCRYPT);
+        case MBEDTLS_DECRYPT:
+            return (PSA_KEY_USAGE_DECRYPT);
+        default:
+            return (0);
+    }
+}
+
+/* Translations for hashing. */
+
+static inline psa_algorithm_t mbedtls_psa_translate_md(mbedtls_md_type_t md_alg) {
+    switch (md_alg) {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return (PSA_ALG_MD2);
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return (PSA_ALG_MD4);
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (PSA_ALG_MD5);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (PSA_ALG_SHA_1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return (PSA_ALG_SHA_224);
+        case MBEDTLS_MD_SHA256:
+            return (PSA_ALG_SHA_256);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return (PSA_ALG_SHA_384);
+        case MBEDTLS_MD_SHA512:
+            return (PSA_ALG_SHA_512);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return (PSA_ALG_RIPEMD160);
+#endif
+        case MBEDTLS_MD_NONE:  /* Intentional fallthrough */
+        default:
+            return (0);
+    }
+}
+
+/* Translations for ECC. */
+
+static inline int mbedtls_psa_get_ecc_oid_from_id(
+    psa_ecc_family_t curve, size_t bits,
+    char const **oid, size_t *oid_len) {
+    switch (curve) {
+        case PSA_ECC_FAMILY_SECP_R1:
+            switch (bits) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+                case 192:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP192R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP192R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+                case 224:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP224R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP224R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+                case 256:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP256R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP256R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+                case 384:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP384R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP384R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+                case 521:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP521R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP521R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+            }
+            break;
+        case PSA_ECC_FAMILY_SECP_K1:
+            switch (bits) {
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+                case 192:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP192K1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP192K1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+                case 224:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP224K1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP224K1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+                case 256:
+                    *oid = MBEDTLS_OID_EC_GRP_SECP256K1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP256K1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+            }
+            break;
+        case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+            switch (bits) {
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+                case 256:
+                    *oid = MBEDTLS_OID_EC_GRP_BP256R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_BP256R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+                case 384:
+                    *oid = MBEDTLS_OID_EC_GRP_BP384R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_BP384R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+                case 512:
+                    *oid = MBEDTLS_OID_EC_GRP_BP512R1;
+                    *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_BP512R1);
+                    return (0);
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+            }
+            break;
+    }
+    (void) oid;
+    (void) oid_len;
+    return (-1);
+}
+
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH 1
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 192 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 192 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 224 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 224 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 384 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 384 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 521 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 521 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 192 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 192 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 224 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 224 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 256 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 384 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 384 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#if MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH < ( 2 * ( ( 512 + 7 ) / 8 ) + 1 )
+#undef MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH ( 2 * ( ( 512 + 7 ) / 8 ) + 1 )
+#endif
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+
+/* Translations for PK layer */
+
+static inline int mbedtls_psa_err_translate_pk(psa_status_t status) {
+    switch (status) {
+        case PSA_SUCCESS:
+            return (0);
+        case PSA_ERROR_NOT_SUPPORTED:
+            return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+        case PSA_ERROR_INSUFFICIENT_MEMORY:
+            return (MBEDTLS_ERR_PK_ALLOC_FAILED);
+        case PSA_ERROR_INSUFFICIENT_ENTROPY:
+            return (MBEDTLS_ERR_ECP_RANDOM_FAILED);
+        case PSA_ERROR_BAD_STATE:
+            return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+        /* All other failures */
+        case PSA_ERROR_COMMUNICATION_FAILURE:
+        case PSA_ERROR_HARDWARE_FAILURE:
+        case PSA_ERROR_CORRUPTION_DETECTED:
+            return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
+        default: /* We return the same as for the 'other failures',
+                  * but list them separately nonetheless to indicate
+                  * which failure conditions we have considered. */
+            return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
+    }
+}
+
+/* Translations for ECC */
+
+/* This function transforms an ECC group identifier from
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+ * into a PSA ECC group identifier. */
+#if defined(MBEDTLS_ECP_C)
+static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
+    uint16_t tls_ecc_grp_reg_id, size_t *bits) {
+    const mbedtls_ecp_curve_info *curve_info =
+        mbedtls_ecp_curve_info_from_tls_id(tls_ecc_grp_reg_id);
+    if (curve_info == NULL)
+        return (0);
+    return (PSA_KEY_TYPE_ECC_KEY_PAIR(
+                mbedtls_ecc_group_to_psa(curve_info->grp_id, bits)));
+}
+#endif /* MBEDTLS_ECP_C */
+
+/* This function takes a buffer holding an EC public key
+ * exported through psa_export_public_key(), and converts
+ * it into an ECPoint structure to be put into a ClientKeyExchange
+ * message in an ECDHE exchange.
+ *
+ * Both the present and the foreseeable future format of EC public keys
+ * used by PSA have the ECPoint structure contained in the exported key
+ * as a subbuffer, and the function merely selects this subbuffer instead
+ * of making a copy.
+ */
+static inline int mbedtls_psa_tls_psa_ec_to_ecpoint(unsigned char *src,
+                                                    size_t srclen,
+                                                    unsigned char **dst,
+                                                    size_t *dstlen) {
+    *dst = src;
+    *dstlen = srclen;
+    return (0);
+}
+
+/* This function takes a buffer holding an ECPoint structure
+ * (as contained in a TLS ServerKeyExchange message for ECDHE
+ * exchanges) and converts it into a format that the PSA key
+ * agreement API understands.
+ */
+static inline int mbedtls_psa_tls_ecpoint_to_psa_ec(unsigned char const *src,
+                                                    size_t srclen,
+                                                    unsigned char *dst,
+                                                    size_t dstlen,
+                                                    size_t *olen) {
+    if (srclen > dstlen)
+        return (MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
+
+    memcpy(dst, src, srclen);
+    *olen = srclen;
+    return (0);
+}
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/* Expose whatever RNG the PSA subsystem uses to applications using the
+ * mbedtls_xxx API. The declarations and definitions here need to be
+ * consistent with the implementation in library/psa_crypto_random_impl.h.
+ * See that file for implementation documentation. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* The type of a `f_rng` random generator function that many library functions
+ * take.
+ *
+ * This type name is not part of the Mbed TLS stable API. It may be renamed
+ * or moved without warning.
+ */
+typedef int mbedtls_f_rng_t(void *p_rng, unsigned char *output, size_t output_size);
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+/** The random generator function for the PSA subsystem.
+ *
+ * This function is suitable as the `f_rng` random generator function
+ * parameter of many `mbedtls_xxx` functions. Use #MBEDTLS_PSA_RANDOM_STATE
+ * to obtain the \p p_rng parameter.
+ *
+ * The implementation of this function depends on the configuration of the
+ * library.
+ *
+ * \note Depending on the configuration, this may be a function or
+ *       a pointer to a function.
+ *
+ * \note This function may only be used if the PSA crypto subsystem is active.
+ *       This means that you must call psa_crypto_init() before any call to
+ *       this function, and you must not call this function after calling
+ *       mbedtls_psa_crypto_free().
+ *
+ * \param p_rng         The random generator context. This must be
+ *                      #MBEDTLS_PSA_RANDOM_STATE. No other state is
+ *                      supported.
+ * \param output        The buffer to fill. It must have room for
+ *                      \c output_size bytes.
+ * \param output_size   The number of bytes to write to \p output.
+ *                      This function may fail if \p output_size is too
+ *                      large. It is guaranteed to accept any output size
+ *                      requested by Mbed TLS library functions. The
+ *                      maximum request size depends on the library
+ *                      configuration.
+ *
+ * \return              \c 0 on success.
+ * \return              An `MBEDTLS_ERR_ENTROPY_xxx`,
+ *                      `MBEDTLS_ERR_PLATFORM_xxx,
+ *                      `MBEDTLS_ERR_CTR_DRBG_xxx` or
+ *                      `MBEDTLS_ERR_HMAC_DRBG_xxx` on error.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+                           unsigned char *output,
+                           size_t output_size);
+
+/** The random generator state for the PSA subsystem.
+ *
+ * This macro expands to an expression which is suitable as the `p_rng`
+ * random generator state parameter of many `mbedtls_xxx` functions.
+ * It must be used in combination with the random generator function
+ * mbedtls_psa_get_random().
+ *
+ * The implementation of this macro depends on the configuration of the
+ * library. Do not make any assumption on its nature.
+ */
+#define MBEDTLS_PSA_RANDOM_STATE NULL
+
+#else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
+static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
+static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random;
+#endif
+extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
+
+#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
+
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+#endif /* MBEDTLS_PSA_UTIL_H */
diff --git a/common/mbedtls/ripemd160.c b/common/mbedtls/ripemd160.c
new file mode 100644
index 000000000..0a84d980e
--- /dev/null
+++ b/common/mbedtls/ripemd160.c
@@ -0,0 +1,551 @@
+/*
+ *  RIPE MD-160 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ *  The RIPEMD-160 algorithm was designed by RIPE in 1996
+ *  http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ *  http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
+                             const mbedtls_ripemd160_context *src) {
+    *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts_ret(mbedtls_ripemd160_context *ctx) {
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx) {
+    mbedtls_ripemd160_starts_ret(ctx);
+}
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
+                                       const unsigned char data[64]) {
+    struct {
+        uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+    } local;
+
+    GET_UINT32_LE(local.X[ 0], data,  0);
+    GET_UINT32_LE(local.X[ 1], data,  4);
+    GET_UINT32_LE(local.X[ 2], data,  8);
+    GET_UINT32_LE(local.X[ 3], data, 12);
+    GET_UINT32_LE(local.X[ 4], data, 16);
+    GET_UINT32_LE(local.X[ 5], data, 20);
+    GET_UINT32_LE(local.X[ 6], data, 24);
+    GET_UINT32_LE(local.X[ 7], data, 28);
+    GET_UINT32_LE(local.X[ 8], data, 32);
+    GET_UINT32_LE(local.X[ 9], data, 36);
+    GET_UINT32_LE(local.X[10], data, 40);
+    GET_UINT32_LE(local.X[11], data, 44);
+    GET_UINT32_LE(local.X[12], data, 48);
+    GET_UINT32_LE(local.X[13], data, 52);
+    GET_UINT32_LE(local.X[14], data, 56);
+    GET_UINT32_LE(local.X[15], data, 60);
+
+    local.A = local.Ap = ctx->state[0];
+    local.B = local.Bp = ctx->state[1];
+    local.C = local.Cp = ctx->state[2];
+    local.D = local.Dp = ctx->state[3];
+    local.E = local.Ep = ctx->state[4];
+
+#define F1( x, y, z )   ( (x) ^ (y) ^ (z) )
+#define F2( x, y, z )   ( ( (x) & (y) ) | ( ~(x) & (z) ) )
+#define F3( x, y, z )   ( ( (x) | ~(y) ) ^ (z) )
+#define F4( x, y, z )   ( ( (x) & (z) ) | ( (y) & ~(z) ) )
+#define F5( x, y, z )   ( (x) ^ ( (y) | ~(z) ) )
+
+#define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) )
+
+#define P( a, b, c, d, e, r, s, f, k )                      \
+    do                                                      \
+    {                                                       \
+        (a) += f( (b), (c), (d) ) + local.X[r] + (k);       \
+        (a) = S( (a), (s) ) + (e);                          \
+        (c) = S( (c), 10 );                                 \
+    } while( 0 )
+
+#define P2( a, b, c, d, e, r, s, rp, sp )                               \
+    do                                                                  \
+    {                                                                   \
+        P( (a), (b), (c), (d), (e), (r), (s), F, K );                   \
+        P( a ## p, b ## p, c ## p, d ## p, e ## p,                      \
+           (rp), (sp), Fp, Kp );                                        \
+    } while( 0 )
+
+#define F   F1
+#define K   0x00000000
+#define Fp  F5
+#define Kp  0x50A28BE6
+    P2(local.A, local.B, local.C, local.D, local.E,  0, 11,  5,  8);
+    P2(local.E, local.A, local.B, local.C, local.D,  1, 14, 14,  9);
+    P2(local.D, local.E, local.A, local.B, local.C,  2, 15,  7,  9);
+    P2(local.C, local.D, local.E, local.A, local.B,  3, 12,  0, 11);
+    P2(local.B, local.C, local.D, local.E, local.A,  4,  5,  9, 13);
+    P2(local.A, local.B, local.C, local.D, local.E,  5,  8,  2, 15);
+    P2(local.E, local.A, local.B, local.C, local.D,  6,  7, 11, 15);
+    P2(local.D, local.E, local.A, local.B, local.C,  7,  9,  4,  5);
+    P2(local.C, local.D, local.E, local.A, local.B,  8, 11, 13,  7);
+    P2(local.B, local.C, local.D, local.E, local.A,  9, 13,  6,  7);
+    P2(local.A, local.B, local.C, local.D, local.E, 10, 14, 15,  8);
+    P2(local.E, local.A, local.B, local.C, local.D, 11, 15,  8, 11);
+    P2(local.D, local.E, local.A, local.B, local.C, 12,  6,  1, 14);
+    P2(local.C, local.D, local.E, local.A, local.B, 13,  7, 10, 14);
+    P2(local.B, local.C, local.D, local.E, local.A, 14,  9,  3, 12);
+    P2(local.A, local.B, local.C, local.D, local.E, 15,  8, 12,  6);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F2
+#define K   0x5A827999
+#define Fp  F4
+#define Kp  0x5C4DD124
+    P2(local.E, local.A, local.B, local.C, local.D,  7,  7,  6,  9);
+    P2(local.D, local.E, local.A, local.B, local.C,  4,  6, 11, 13);
+    P2(local.C, local.D, local.E, local.A, local.B, 13,  8,  3, 15);
+    P2(local.B, local.C, local.D, local.E, local.A,  1, 13,  7,  7);
+    P2(local.A, local.B, local.C, local.D, local.E, 10, 11,  0, 12);
+    P2(local.E, local.A, local.B, local.C, local.D,  6,  9, 13,  8);
+    P2(local.D, local.E, local.A, local.B, local.C, 15,  7,  5,  9);
+    P2(local.C, local.D, local.E, local.A, local.B,  3, 15, 10, 11);
+    P2(local.B, local.C, local.D, local.E, local.A, 12,  7, 14,  7);
+    P2(local.A, local.B, local.C, local.D, local.E,  0, 12, 15,  7);
+    P2(local.E, local.A, local.B, local.C, local.D,  9, 15,  8, 12);
+    P2(local.D, local.E, local.A, local.B, local.C,  5,  9, 12,  7);
+    P2(local.C, local.D, local.E, local.A, local.B,  2, 11,  4,  6);
+    P2(local.B, local.C, local.D, local.E, local.A, 14,  7,  9, 15);
+    P2(local.A, local.B, local.C, local.D, local.E, 11, 13,  1, 13);
+    P2(local.E, local.A, local.B, local.C, local.D,  8, 12,  2, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F3
+#define K   0x6ED9EBA1
+#define Fp  F3
+#define Kp  0x6D703EF3
+    P2(local.D, local.E, local.A, local.B, local.C,  3, 11, 15,  9);
+    P2(local.C, local.D, local.E, local.A, local.B, 10, 13,  5,  7);
+    P2(local.B, local.C, local.D, local.E, local.A, 14,  6,  1, 15);
+    P2(local.A, local.B, local.C, local.D, local.E,  4,  7,  3, 11);
+    P2(local.E, local.A, local.B, local.C, local.D,  9, 14,  7,  8);
+    P2(local.D, local.E, local.A, local.B, local.C, 15,  9, 14,  6);
+    P2(local.C, local.D, local.E, local.A, local.B,  8, 13,  6,  6);
+    P2(local.B, local.C, local.D, local.E, local.A,  1, 15,  9, 14);
+    P2(local.A, local.B, local.C, local.D, local.E,  2, 14, 11, 12);
+    P2(local.E, local.A, local.B, local.C, local.D,  7,  8,  8, 13);
+    P2(local.D, local.E, local.A, local.B, local.C,  0, 13, 12,  5);
+    P2(local.C, local.D, local.E, local.A, local.B,  6,  6,  2, 14);
+    P2(local.B, local.C, local.D, local.E, local.A, 13,  5, 10, 13);
+    P2(local.A, local.B, local.C, local.D, local.E, 11, 12,  0, 13);
+    P2(local.E, local.A, local.B, local.C, local.D,  5,  7,  4,  7);
+    P2(local.D, local.E, local.A, local.B, local.C, 12,  5, 13,  5);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F4
+#define K   0x8F1BBCDC
+#define Fp  F2
+#define Kp  0x7A6D76E9
+    P2(local.C, local.D, local.E, local.A, local.B,  1, 11,  8, 15);
+    P2(local.B, local.C, local.D, local.E, local.A,  9, 12,  6,  5);
+    P2(local.A, local.B, local.C, local.D, local.E, 11, 14,  4,  8);
+    P2(local.E, local.A, local.B, local.C, local.D, 10, 15,  1, 11);
+    P2(local.D, local.E, local.A, local.B, local.C,  0, 14,  3, 14);
+    P2(local.C, local.D, local.E, local.A, local.B,  8, 15, 11, 14);
+    P2(local.B, local.C, local.D, local.E, local.A, 12,  9, 15,  6);
+    P2(local.A, local.B, local.C, local.D, local.E,  4,  8,  0, 14);
+    P2(local.E, local.A, local.B, local.C, local.D, 13,  9,  5,  6);
+    P2(local.D, local.E, local.A, local.B, local.C,  3, 14, 12,  9);
+    P2(local.C, local.D, local.E, local.A, local.B,  7,  5,  2, 12);
+    P2(local.B, local.C, local.D, local.E, local.A, 15,  6, 13,  9);
+    P2(local.A, local.B, local.C, local.D, local.E, 14,  8,  9, 12);
+    P2(local.E, local.A, local.B, local.C, local.D,  5,  6,  7,  5);
+    P2(local.D, local.E, local.A, local.B, local.C,  6,  5, 10, 15);
+    P2(local.C, local.D, local.E, local.A, local.B,  2, 12, 14,  8);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F5
+#define K   0xA953FD4E
+#define Fp  F1
+#define Kp  0x00000000
+    P2(local.B, local.C, local.D, local.E, local.A,  4,  9, 12,  8);
+    P2(local.A, local.B, local.C, local.D, local.E,  0, 15, 15,  5);
+    P2(local.E, local.A, local.B, local.C, local.D,  5,  5, 10, 12);
+    P2(local.D, local.E, local.A, local.B, local.C,  9, 11,  4,  9);
+    P2(local.C, local.D, local.E, local.A, local.B,  7,  6,  1, 12);
+    P2(local.B, local.C, local.D, local.E, local.A, 12,  8,  5,  5);
+    P2(local.A, local.B, local.C, local.D, local.E,  2, 13,  8, 14);
+    P2(local.E, local.A, local.B, local.C, local.D, 10, 12,  7,  6);
+    P2(local.D, local.E, local.A, local.B, local.C, 14,  5,  6,  8);
+    P2(local.C, local.D, local.E, local.A, local.B,  1, 12,  2, 13);
+    P2(local.B, local.C, local.D, local.E, local.A,  3, 13, 13,  6);
+    P2(local.A, local.B, local.C, local.D, local.E,  8, 14, 14,  5);
+    P2(local.E, local.A, local.B, local.C, local.D, 11, 11,  0, 15);
+    P2(local.D, local.E, local.A, local.B, local.C,  6,  8,  3, 13);
+    P2(local.C, local.D, local.E, local.A, local.B, 15,  5,  9, 11);
+    P2(local.B, local.C, local.D, local.E, local.A, 13,  6, 11, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+    local.C       = ctx->state[1] + local.C + local.Dp;
+    ctx->state[1] = ctx->state[2] + local.D + local.Ep;
+    ctx->state[2] = ctx->state[3] + local.E + local.Ap;
+    ctx->state[3] = ctx->state[4] + local.A + local.Bp;
+    ctx->state[4] = ctx->state[0] + local.B + local.Cp;
+    ctx->state[0] = local.C;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_process(mbedtls_ripemd160_context *ctx,
+                               const unsigned char data[64]) {
+    mbedtls_internal_ripemd160_process(ctx, data);
+}
+#endif
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update_ret(mbedtls_ripemd160_context *ctx,
+                                 const unsigned char *input,
+                                 size_t ilen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t fill;
+    uint32_t left;
+
+    if (ilen == 0)
+        return (0);
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if (ctx->total[0] < (uint32_t) ilen)
+        ctx->total[1]++;
+
+    if (left && ilen >= fill) {
+        memcpy((void *)(ctx->buffer + left), input, fill);
+
+        if ((ret = mbedtls_internal_ripemd160_process(ctx, ctx->buffer)) != 0)
+            return (ret);
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while (ilen >= 64) {
+        if ((ret = mbedtls_internal_ripemd160_process(ctx, input)) != 0)
+            return (ret);
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if (ilen > 0) {
+        memcpy((void *)(ctx->buffer + left), input, ilen);
+    }
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
+                              const unsigned char *input,
+                              size_t ilen) {
+    mbedtls_ripemd160_update_ret(ctx, input, ilen);
+}
+#endif
+
+static const unsigned char ripemd160_padding[64] = {
+    0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish_ret(mbedtls_ripemd160_context *ctx,
+                                 unsigned char output[20]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = (ctx->total[0] >> 29)
+           | (ctx->total[1] <<  3);
+    low  = (ctx->total[0] <<  3);
+
+    PUT_UINT32_LE(low,  msglen, 0);
+    PUT_UINT32_LE(high, msglen, 4);
+
+    last = ctx->total[0] & 0x3F;
+    padn = (last < 56) ? (56 - last) : (120 - last);
+
+    ret = mbedtls_ripemd160_update_ret(ctx, ripemd160_padding, padn);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_ripemd160_update_ret(ctx, msglen, 8);
+    if (ret != 0)
+        return (ret);
+
+    PUT_UINT32_LE(ctx->state[0], output,  0);
+    PUT_UINT32_LE(ctx->state[1], output,  4);
+    PUT_UINT32_LE(ctx->state[2], output,  8);
+    PUT_UINT32_LE(ctx->state[3], output, 12);
+    PUT_UINT32_LE(ctx->state[4], output, 16);
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
+                              unsigned char output[20]) {
+    mbedtls_ripemd160_finish_ret(ctx, output);
+}
+#endif
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160_ret(const unsigned char *input,
+                          size_t ilen,
+                          unsigned char output[20]) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ripemd160_context ctx;
+
+    mbedtls_ripemd160_init(&ctx);
+
+    if ((ret = mbedtls_ripemd160_starts_ret(&ctx)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_ripemd160_update_ret(&ctx, input, ilen)) != 0)
+        goto exit;
+
+    if ((ret = mbedtls_ripemd160_finish_ret(&ctx, output)) != 0)
+        goto exit;
+
+exit:
+    mbedtls_ripemd160_free(&ctx);
+
+    return (ret);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160(const unsigned char *input,
+                       size_t ilen,
+                       unsigned char output[20]) {
+    mbedtls_ripemd160_ret(input, ilen, output);
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS   8
+static const unsigned char ripemd160_test_str[TESTS][81] = {
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] = {
+    0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] = {
+    {
+        0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+        0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31
+    },
+    {
+        0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+        0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe
+    },
+    {
+        0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+        0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc
+    },
+    {
+        0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+        0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36
+    },
+    {
+        0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+        0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc
+    },
+    {
+        0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+        0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b
+    },
+    {
+        0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+        0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89
+    },
+    {
+        0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+        0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb
+    },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test(int verbose) {
+    int i, ret = 0;
+    unsigned char output[20];
+
+    memset(output, 0, sizeof output);
+
+    for (i = 0; i < TESTS; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  RIPEMD-160 test #%d: ", i + 1);
+
+        ret = mbedtls_ripemd160_ret(ripemd160_test_str[i],
+                                    ripemd160_test_strlen[i], output);
+        if (ret != 0)
+            goto fail;
+
+        if (memcmp(output, ripemd160_test_md[i], 20) != 0) {
+            ret = 1;
+            goto fail;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+    return (0);
+
+fail:
+    if (verbose != 0)
+        mbedtls_printf("failed\n");
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/common/mbedtls/ripemd160.h b/common/mbedtls/ripemd160.h
new file mode 100644
index 000000000..a394f0551
--- /dev/null
+++ b/common/mbedtls/ripemd160.h
@@ -0,0 +1,234 @@
+/**
+ * \file ripemd160.h
+ *
+ * \brief RIPE MD-160 message digest
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_RIPEMD160_H
+#define MBEDTLS_RIPEMD160_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          RIPEMD-160 context structure
+ */
+typedef struct mbedtls_ripemd160_context {
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[5];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_ripemd160_context;
+
+#else  /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160_alt.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+/**
+ * \brief          Initialize RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be initialized
+ */
+void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief          Clear RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be cleared
+ */
+void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief          Clone (the state of) an RIPEMD-160 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ */
+void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
+                             const mbedtls_ripemd160_context *src);
+
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_starts_ret(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_update_ret(mbedtls_ripemd160_context *ctx,
+                                 const unsigned char *input,
+                                 size_t ilen);
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_finish_ret(mbedtls_ripemd160_context *ctx,
+                                 unsigned char output[20]);
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
+                                       const unsigned char data[64]);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
+    mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
+    mbedtls_ripemd160_context *ctx,
+    const unsigned char *input,
+    size_t ilen);
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
+    mbedtls_ripemd160_context *ctx,
+    unsigned char output[20]);
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
+    mbedtls_ripemd160_context *ctx,
+    const unsigned char data[64]);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_ret(const unsigned char *input,
+                          size_t ilen,
+                          unsigned char output[20]);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160(const unsigned char *input,
+                                          size_t ilen,
+                                          unsigned char output[20]);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_ripemd160_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_ripemd160.h */
diff --git a/common/mbedtls/rsa.c b/common/mbedtls/rsa.c
index 5e40062fe..eb7ced3b0 100644
--- a/common/mbedtls/rsa.c
+++ b/common/mbedtls/rsa.c
@@ -1,24 +1,20 @@
 /*
  *  The RSA public-key cryptosystem
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -39,11 +35,7 @@
  *
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_RSA_C)
 
@@ -51,6 +43,7 @@
 #include "mbedtls/rsa_internal.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -58,7 +51,7 @@
 #include "mbedtls/md.h"
 #endif
 
-#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
 #include <stdlib.h>
 #endif
 
@@ -73,6 +66,12 @@
 
 #if !defined(MBEDTLS_RSA_ALT)
 
+/* Parameter validation macros */
+#define RSA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+#define RSA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_PKCS1_V15)
 /* constant-time buffer comparison */
 static inline int mbedtls_safer_memcmp(const void *a, const void *b, size_t n) {
@@ -92,7 +91,8 @@ int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
                        const mbedtls_mpi *N,
                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
                        const mbedtls_mpi *D, const mbedtls_mpi *E) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    RSA_VALIDATE_RET(ctx != NULL);
 
     if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
             (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
@@ -115,6 +115,7 @@ int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
                            unsigned char const *D, size_t D_len,
                            unsigned char const *E, size_t E_len) {
     int ret = 0;
+    RSA_VALIDATE_RET(ctx != NULL);
 
     if (N != NULL) {
         MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
@@ -229,12 +230,25 @@ static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
 
 int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) {
     int ret = 0;
+    int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    int have_DP, have_DQ, have_QP;
+#endif
+    int n_missing, pq_missing, d_missing, is_pub, is_priv;
 
-    const int have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
-    const int have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
-    const int have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
-    const int have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
-    const int have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
+    RSA_VALIDATE_RET(ctx != NULL);
+
+    have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
+    have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
+    have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
+    have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
+    have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
+    have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
+    have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
+#endif
 
     /*
      * Check whether provided parameters are enough
@@ -246,13 +260,13 @@ int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) {
      *
      */
 
-    const int n_missing  =              have_P &&  have_Q &&  have_D && have_E;
-    const int pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
-    const int d_missing  =              have_P &&  have_Q && !have_D && have_E;
-    const int is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
+    n_missing  =              have_P &&  have_Q &&  have_D && have_E;
+    pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
+    d_missing  =              have_P &&  have_Q && !have_D && have_E;
+    is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
 
     /* These three alternatives are mutually exclusive */
-    const int is_priv = n_missing || pq_missing || d_missing;
+    is_priv = n_missing || pq_missing || d_missing;
 
     if (!is_priv && !is_pub)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
@@ -295,7 +309,7 @@ int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) {
      */
 
 #if !defined(MBEDTLS_RSA_NO_CRT)
-    if (is_priv) {
+    if (is_priv && !(have_DP && have_DQ && have_QP)) {
         ret = mbedtls_rsa_deduce_crt(&ctx->P,  &ctx->Q,  &ctx->D,
                                      &ctx->DP, &ctx->DQ, &ctx->QP);
         if (ret != 0)
@@ -317,9 +331,11 @@ int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
                            unsigned char *D, size_t D_len,
                            unsigned char *E, size_t E_len) {
     int ret = 0;
+    int is_priv;
+    RSA_VALIDATE_RET(ctx != NULL);
 
     /* Check if key is private or public */
-    const int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
@@ -357,10 +373,12 @@ cleanup:
 int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
                        mbedtls_mpi *D, mbedtls_mpi *E) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int is_priv;
+    RSA_VALIDATE_RET(ctx != NULL);
 
     /* Check if key is private or public */
-    int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
@@ -396,10 +414,12 @@ int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
  */
 int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int is_priv;
+    RSA_VALIDATE_RET(ctx != NULL);
 
     /* Check if key is private or public */
-    int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
         mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
@@ -432,11 +452,18 @@ int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
 void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
                       int padding,
                       int hash_id) {
+    RSA_VALIDATE(ctx != NULL);
+    RSA_VALIDATE(padding == MBEDTLS_RSA_PKCS_V15 ||
+                 padding == MBEDTLS_RSA_PKCS_V21);
+
     memset(ctx, 0, sizeof(mbedtls_rsa_context));
 
     mbedtls_rsa_set_padding(ctx, padding, hash_id);
 
 #if defined(MBEDTLS_THREADING_C)
+    /* Set ctx->ver to nonzero to indicate that the mutex has been
+     * initialized and will need to be freed. */
+    ctx->ver = 1;
     mbedtls_mutex_init(&ctx->mutex);
 #endif
 }
@@ -444,7 +471,12 @@ void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
 /*
  * Set padding for an existing RSA context
  */
-void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, int hash_id) {
+void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
+                             int hash_id) {
+    RSA_VALIDATE(ctx != NULL);
+    RSA_VALIDATE(padding == MBEDTLS_RSA_PKCS_V15 ||
+                 padding == MBEDTLS_RSA_PKCS_V21);
+
     ctx->padding = padding;
     ctx->hash_id = hash_id;
 }
@@ -470,19 +502,29 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
                         int (*f_rng)(void *, unsigned char *, size_t),
                         void *p_rng,
                         unsigned int nbits, int exponent) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi H, G, L;
+    int prime_quality = 0;
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(f_rng != NULL);
 
-    if (f_rng == NULL || nbits < 128 || exponent < 3)
-        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
-
-    if (nbits % 2)
-        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    /*
+     * If the modulus is 1024 bit long or shorter, then the security strength of
+     * the RSA algorithm is less than or equal to 80 bits and therefore an error
+     * rate of 2^-80 is sufficient.
+     */
+    if (nbits > 1024)
+        prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
 
     mbedtls_mpi_init(&H);
     mbedtls_mpi_init(&G);
     mbedtls_mpi_init(&L);
 
+    if (nbits < 128 || exponent < 3 || nbits % 2 != 0) {
+        ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
     /*
      * find primes P and Q with Q < P so that:
      * 1.  |P-Q| > 2^( nbits / 2 - 100 )
@@ -492,11 +534,11 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
 
     do {
-        MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1, 0,
-                                              f_rng, p_rng));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
+                                              prime_quality, f_rng, p_rng));
 
-        MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1, 0,
-                                              f_rng, p_rng));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
+                                              prime_quality, f_rng, p_rng));
 
         /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
         MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
@@ -557,7 +599,9 @@ cleanup:
 
     if (ret != 0) {
         mbedtls_rsa_free(ctx);
-        return (MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret);
+        if ((-ret & ~0x7f) == 0)
+            ret = MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret;
+        return (ret);
     }
 
     return (0);
@@ -569,6 +613,8 @@ cleanup:
  * Check a public RSA key
  */
 int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx) {
+    RSA_VALIDATE_RET(ctx != NULL);
+
     if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0)
         return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
 
@@ -589,6 +635,8 @@ int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx) {
  * Check for the consistency of all fields in an RSA private key context
  */
 int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx) {
+    RSA_VALIDATE_RET(ctx != NULL);
+
     if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
             rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
         return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
@@ -614,6 +662,9 @@ int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx) {
  */
 int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
                                const mbedtls_rsa_context *prv) {
+    RSA_VALIDATE_RET(pub != NULL);
+    RSA_VALIDATE_RET(prv != NULL);
+
     if (mbedtls_rsa_check_pubkey(pub)  != 0 ||
             mbedtls_rsa_check_privkey(prv) != 0) {
         return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
@@ -633,9 +684,12 @@ int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
 int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
                        const unsigned char *input,
                        unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t olen;
     mbedtls_mpi T;
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(input != NULL);
+    RSA_VALIDATE_RET(output != NULL);
 
     if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */))
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
@@ -681,6 +735,9 @@ cleanup:
 static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
                                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
     int ret, count = 0;
+    mbedtls_mpi R;
+
+    mbedtls_mpi_init(&R);
 
     if (ctx->Vf.p != NULL) {
         /* We already have blinding values, just update them by squaring */
@@ -694,19 +751,40 @@ static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
 
     /* Unblinding value: Vf = random number, invertible mod N */
     do {
-        if (count++ > 10)
-            return (MBEDTLS_ERR_RSA_RNG_FAILED);
+        if (count++ > 10) {
+            ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+            goto cleanup;
+        }
 
         MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
-        MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&ctx->Vi, &ctx->Vf, &ctx->N));
-    } while (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0);
 
-    /* Blinding value: Vi =  Vf^(-e) mod N */
-    MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vf, &ctx->N));
+        /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+        MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
+        MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+        /* At this point, Vi is invertible mod N if and only if both Vf and R
+         * are invertible mod N. If one of them isn't, we don't need to know
+         * which one, we just loop and choose new values for both of them.
+         * (Each iteration succeeds with overwhelming probability.) */
+        ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
+        if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE)
+            goto cleanup;
+
+    } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
+
+    /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
+    MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+    /* Blinding value: Vi = Vf^(-e) mod N
+     * (Vi already contains Vf^-1 at this point) */
     MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
 
 
 cleanup:
+    mbedtls_mpi_free(&R);
+
     return (ret);
 }
 
@@ -739,7 +817,7 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
                         void *p_rng,
                         const unsigned char *input,
                         unsigned char *output) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t olen;
 
     /* Temporary holding the result */
@@ -774,6 +852,10 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
      * checked result; should be the same in the end. */
     mbedtls_mpi I, C;
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(input  != NULL);
+    RSA_VALIDATE_RET(output != NULL);
+
     if (rsa_check_context(ctx, 1             /* private key checks */,
                           f_rng != NULL /* blinding y/n       */) != 0) {
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
@@ -945,10 +1027,10 @@ cleanup:
     mbedtls_mpi_free(&C);
     mbedtls_mpi_free(&I);
 
-    if (ret != 0)
+    if (ret != 0 && ret >= -0x007f)
         return (MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret);
 
-    return (0);
+    return (ret);
 }
 
 #if defined(MBEDTLS_PKCS1_V21)
@@ -1020,12 +1102,19 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
                                    const unsigned char *input,
                                    unsigned char *output) {
     size_t olen;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p = output;
     unsigned int hlen;
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output != NULL);
+    RSA_VALIDATE_RET(ilen == 0 || input != NULL);
+    RSA_VALIDATE_RET(label_len == 0 || label != NULL);
+
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
@@ -1059,7 +1148,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
     p += hlen;
     p += olen - 2 * hlen - 2 - ilen;
     *p++ = 1;
-    memcpy(p, input, ilen);
+    if (ilen != 0)
+        memcpy(p, input, ilen);
 
     mbedtls_md_init(&md_ctx);
     if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0)
@@ -1098,14 +1188,16 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
                                         const unsigned char *input,
                                         unsigned char *output) {
     size_t nb_pad, olen;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p = output;
 
-    if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15)
-        return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output != NULL);
+    RSA_VALIDATE_RET(ilen == 0 || input != NULL);
 
-    // We don't check p_rng because it won't be dereferenced here
-    if (f_rng == NULL || input == NULL || output == NULL)
+    if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
     olen = ctx->len;
@@ -1118,6 +1210,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
 
     *p++ = 0;
     if (mode == MBEDTLS_RSA_PUBLIC) {
+        if (f_rng == NULL)
+            return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+
         *p++ = MBEDTLS_RSA_CRYPT;
 
         while (nb_pad-- > 0) {
@@ -1141,7 +1236,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
     }
 
     *p++ = 0;
-    memcpy(p, input, ilen);
+    if (ilen != 0)
+        memcpy(p, input, ilen);
 
     return ((mode == MBEDTLS_RSA_PUBLIC)
             ? mbedtls_rsa_public(ctx, output, output)
@@ -1158,6 +1254,12 @@ int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
                               int mode, size_t ilen,
                               const unsigned char *input,
                               unsigned char *output) {
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output != NULL);
+    RSA_VALIDATE_RET(ilen == 0 || input != NULL);
+
     switch (ctx->padding) {
 #if defined(MBEDTLS_PKCS1_V15)
         case MBEDTLS_RSA_PKCS_V15:
@@ -1189,7 +1291,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
                                    const unsigned char *input,
                                    unsigned char *output,
                                    size_t output_max_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t ilen, i, pad_len;
     unsigned char *p, bad, pad_done;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
@@ -1198,6 +1300,14 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
+    RSA_VALIDATE_RET(label_len == 0 || label != NULL);
+    RSA_VALIDATE_RET(input != NULL);
+    RSA_VALIDATE_RET(olen != NULL);
+
     /*
      * Parameters sanity checks
      */
@@ -1297,7 +1407,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
     }
 
     *olen = ilen - (p - buf);
-    memcpy(output, p, *olen);
+    if (*olen != 0)
+        memcpy(output, p, *olen);
     ret = 0;
 
 cleanup:
@@ -1309,6 +1420,91 @@ cleanup:
 #endif /* MBEDTLS_PKCS1_V21 */
 
 #if defined(MBEDTLS_PKCS1_V15)
+/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
+ *
+ * \param value     The value to analyze.
+ * \return          Zero if \p value is zero, otherwise all-bits-one.
+ */
+static unsigned all_or_nothing_int(unsigned value) {
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    return (- ((value | - value) >> (sizeof(value) * 8 - 1)));
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/** Check whether a size is out of bounds, without branches.
+ *
+ * This is equivalent to `size > max`, but is likely to be compiled to
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param size      Size to check.
+ * \param max       Maximum desired value for \p size.
+ * \return          \c 0 if `size <= max`.
+ * \return          \c 1 if `size > max`.
+ */
+static unsigned size_greater_than(size_t size, size_t max) {
+    /* Return the sign bit (1 for negative) of (max - size). */
+    return ((max - size) >> (sizeof(size_t) * 8 - 1));
+}
+
+/** Choose between two integer values, without branches.
+ *
+ * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param cond      Condition to test.
+ * \param if1       Value to use if \p cond is nonzero.
+ * \param if0       Value to use if \p cond is zero.
+ * \return          \c if1 if \p cond is nonzero, otherwise \c if0.
+ */
+static unsigned if_int(unsigned cond, unsigned if1, unsigned if0) {
+    unsigned mask = all_or_nothing_int(cond);
+    return ((mask & if1) | (~mask & if0));
+}
+
+/** Shift some data towards the left inside a buffer without leaking
+ * the length of the data through side channels.
+ *
+ * `mem_move_to_left(start, total, offset)` is functionally equivalent to
+ * ```
+ * memmove(start, start + offset, total - offset);
+ * memset(start + offset, 0, total - offset);
+ * ```
+ * but it strives to use a memory access pattern (and thus total timing)
+ * that does not depend on \p offset. This timing independence comes at
+ * the expense of performance.
+ *
+ * \param start     Pointer to the start of the buffer.
+ * \param total     Total size of the buffer.
+ * \param offset    Offset from which to copy \p total - \p offset bytes.
+ */
+static void mem_move_to_left(void *start,
+                             size_t total,
+                             size_t offset) {
+    volatile unsigned char *buf = start;
+    size_t i, n;
+    if (total == 0)
+        return;
+    for (i = 0; i < total; i++) {
+        unsigned no_op = size_greater_than(total - offset, i);
+        /* The first `total - offset` passes are a no-op. The last
+         * `offset` passes shift the data one byte to the left and
+         * zero out the last byte. */
+        for (n = 0; n < total - 1; n++) {
+            unsigned char current = buf[n];
+            unsigned char next = buf[n + 1];
+            buf[n] = if_int(no_op, current, next);
+        }
+        buf[total - 1] = if_int(no_op, buf[total - 1], 0);
+    }
+}
+
 /*
  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
  */
@@ -1319,16 +1515,40 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
                                         const unsigned char *input,
                                         unsigned char *output,
                                         size_t output_max_len) {
-    int ret;
-    size_t ilen, pad_count = 0, i;
-    unsigned char *p, bad, pad_done = 0;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t ilen, i, plaintext_max_size;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    /* The following variables take sensitive values: their value must
+     * not leak into the observable behavior of the function other than
+     * the designated outputs (output, olen, return value). Otherwise
+     * this would open the execution of the function to
+     * side-channel-based variants of the Bleichenbacher padding oracle
+     * attack. Potential side channels include overall timing, memory
+     * access patterns (especially visible to an adversary who has access
+     * to a shared memory cache), and branches (especially visible to
+     * an adversary who has access to a shared code cache or to a shared
+     * branch predictor). */
+    size_t pad_count = 0;
+    unsigned bad = 0;
+    unsigned char pad_done = 0;
+    size_t plaintext_size = 0;
+    unsigned output_too_large;
+
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
+    RSA_VALIDATE_RET(input != NULL);
+    RSA_VALIDATE_RET(olen != NULL);
+
+    ilen = ctx->len;
+    plaintext_max_size = (output_max_len > ilen - 11 ?
+                          ilen - 11 :
+                          output_max_len);
 
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
-    ilen = ctx->len;
-
     if (ilen < 16 || ilen > sizeof(buf))
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
@@ -1339,56 +1559,110 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
     if (ret != 0)
         goto cleanup;
 
-    p = buf;
-    bad = 0;
+    /* Check and get padding length in constant time and constant
+     * memory trace. The first byte must be 0. */
+    bad |= buf[0];
 
-    /*
-     * Check and get padding len in "constant-time"
-     */
-    bad |= *p++; /* First byte must be 0 */
-
-    /* This test does not depend on secret data */
     if (mode == MBEDTLS_RSA_PRIVATE) {
-        bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
+        /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+         * where PS must be at least 8 nonzero bytes. */
+        bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
 
-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for (i = 0; i < ilen - 3; i++) {
-            pad_done  |= ((p[i] | (unsigned char) - p[i]) >> 7) ^ 1;
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for (i = 2; i < ilen; i++) {
+            pad_done  |= ((buf[i] | (unsigned char) - buf[i]) >> 7) ^ 1;
             pad_count += ((pad_done | (unsigned char) - pad_done) >> 7) ^ 1;
         }
-
-        p += pad_count;
-        bad |= *p++; /* Must be zero */
     } else {
-        bad |= *p++ ^ MBEDTLS_RSA_SIGN;
+        /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
+         * where PS must be at least 8 bytes with the value 0xFF. */
+        bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
 
-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for (i = 0; i < ilen - 3; i++) {
-            pad_done |= (p[i] != 0xFF);
-            pad_count += (pad_done == 0);
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for (i = 2; i < ilen; i++) {
+            pad_done |= if_int(buf[i], 0, 1);
+            pad_count += if_int(pad_done, 0, 1);
+            bad |= if_int(pad_done, 0, buf[i] ^ 0xFF);
         }
-
-        p += pad_count;
-        bad |= *p++; /* Must be zero */
     }
 
-    bad |= (pad_count < 8);
+    /* If pad_done is still zero, there's no data, only unfinished padding. */
+    bad |= if_int(pad_done, 0, 1);
 
-    if (bad) {
-        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
-        goto cleanup;
-    }
+    /* There must be at least 8 bytes of padding. */
+    bad |= size_greater_than(8, pad_count);
 
-    if (ilen - (p - buf) > output_max_len) {
-        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
-        goto cleanup;
-    }
+    /* If the padding is valid, set plaintext_size to the number of
+     * remaining bytes after stripping the padding. If the padding
+     * is invalid, avoid leaking this fact through the size of the
+     * output: use the maximum message size that fits in the output
+     * buffer. Do it without branches to avoid leaking the padding
+     * validity through timing. RSA keys are small enough that all the
+     * size_t values involved fit in unsigned int. */
+    plaintext_size = if_int(bad,
+                            (unsigned) plaintext_max_size,
+                            (unsigned)(ilen - pad_count - 3));
 
-    *olen = ilen - (p - buf);
-    memcpy(output, p, *olen);
-    ret = 0;
+    /* Set output_too_large to 0 if the plaintext fits in the output
+     * buffer and to 1 otherwise. */
+    output_too_large = size_greater_than(plaintext_size,
+                                         plaintext_max_size);
+
+    /* Set ret without branches to avoid timing attacks. Return:
+     * - INVALID_PADDING if the padding is bad (bad != 0).
+     * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+     *   plaintext does not fit in the output buffer.
+     * - 0 if the padding is correct. */
+    ret = - (int) if_int(bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
+                         if_int(output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
+                                0));
+
+    /* If the padding is bad or the plaintext is too large, zero the
+     * data that we're about to copy to the output buffer.
+     * We need to copy the same amount of data
+     * from the same buffer whether the padding is good or not to
+     * avoid leaking the padding validity through overall timing or
+     * through memory or cache access patterns. */
+    bad = all_or_nothing_int(bad | output_too_large);
+    for (i = 11; i < ilen; i++)
+        buf[i] &= ~bad;
+
+    /* If the plaintext is too large, truncate it to the buffer size.
+     * Copy anyway to avoid revealing the length through timing, because
+     * revealing the length is as bad as revealing the padding validity
+     * for a Bleichenbacher attack. */
+    plaintext_size = if_int(output_too_large,
+                            (unsigned) plaintext_max_size,
+                            (unsigned) plaintext_size);
+
+    /* Move the plaintext to the leftmost position where it can start in
+     * the working buffer, i.e. make it start plaintext_max_size from
+     * the end of the buffer. Do this with a memory access trace that
+     * does not depend on the plaintext size. After this move, the
+     * starting location of the plaintext is no longer sensitive
+     * information. */
+    mem_move_to_left(buf + ilen - plaintext_max_size,
+                     plaintext_max_size,
+                     plaintext_max_size - plaintext_size);
+
+    /* Finally copy the decrypted plaintext plus trailing zeros into the output
+     * buffer. If output_max_len is 0, then output may be an invalid pointer
+     * and the result of memcpy() would be undefined; prevent undefined
+     * behavior making sure to depend only on output_max_len (the size of the
+     * user-provided output buffer), which is independent from plaintext
+     * length, validity of padding, success of the decryption, and other
+     * secrets. */
+    if (output_max_len != 0)
+        memcpy(output, buf + ilen - plaintext_max_size, plaintext_max_size);
+
+    /* Report the amount of data we copied to the output buffer. In case
+     * of errors (bad padding or output too large), the value of *olen
+     * when this function returns is not specified. Making it equivalent
+     * to the good case limits the risks of leaking the padding validity. */
+    *olen = plaintext_size;
 
 cleanup:
     mbedtls_platform_zeroize(buf, sizeof(buf));
@@ -1407,6 +1681,13 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
                               const unsigned char *input,
                               unsigned char *output,
                               size_t output_max_len) {
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
+    RSA_VALIDATE_RET(input != NULL);
+    RSA_VALIDATE_RET(olen != NULL);
+
     switch (ctx->padding) {
 #if defined(MBEDTLS_PKCS1_V15)
         case MBEDTLS_RSA_PKCS_V15:
@@ -1441,11 +1722,18 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
     size_t olen;
     unsigned char *p = sig;
     unsigned char salt[MBEDTLS_MD_MAX_SIZE];
-    unsigned int slen, hlen, offset = 0;
-    int ret;
+    size_t slen, min_slen, hlen, offset = 0;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t msb;
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+    RSA_VALIDATE_RET(sig != NULL);
 
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
@@ -1469,10 +1757,20 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
     hlen = mbedtls_md_get_size(md_info);
-    slen = hlen;
 
-    if (olen < hlen + slen + 2)
+    /* Calculate the largest possible salt length. Normally this is the hash
+     * length, which is the maximum length the salt can have. If there is not
+     * enough room, use the maximum salt length that fits. The constraint is
+     * that the hash length plus the salt length plus 2 bytes must be at most
+     * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+     * (PKCS#1 v2.2) §9.1.1 step 3. */
+    min_slen = hlen - 2;
+    if (olen < hlen + min_slen + 2)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    else if (olen >= hlen + hlen + 2)
+        slen = hlen;
+    else
+        slen = olen - hlen - 2;
 
     memset(sig, 0, olen);
 
@@ -1482,7 +1780,7 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
 
     /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
     msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
-    p += olen - hlen * 2 - 2;
+    p += olen - hlen - slen - 2;
     *p++ = 0x01;
     memcpy(p, salt, slen);
     p += slen;
@@ -1672,9 +1970,17 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
                                       unsigned int hashlen,
                                       const unsigned char *hash,
                                       unsigned char *sig) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *sig_try = NULL, *verif = NULL;
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+    RSA_VALIDATE_RET(sig != NULL);
+
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
@@ -1740,6 +2046,14 @@ int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
                            unsigned int hashlen,
                            const unsigned char *hash,
                            unsigned char *sig) {
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+    RSA_VALIDATE_RET(sig != NULL);
+
     switch (ctx->padding) {
 #if defined(MBEDTLS_PKCS1_V15)
         case MBEDTLS_RSA_PKCS_V15:
@@ -1772,7 +2086,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
                                       mbedtls_md_type_t mgf1_hash_id,
                                       int expected_salt_len,
                                       const unsigned char *sig) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t siglen;
     unsigned char *p;
     unsigned char *hash_start;
@@ -1784,6 +2098,14 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
     mbedtls_md_context_t md_ctx;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(sig != NULL);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
@@ -1906,9 +2228,18 @@ int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
                                   unsigned int hashlen,
                                   const unsigned char *hash,
                                   const unsigned char *sig) {
-    mbedtls_md_type_t mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
-                                     ? (mbedtls_md_type_t) ctx->hash_id
-                                     : md_alg;
+    mbedtls_md_type_t mgf1_hash_id;
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(sig != NULL);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+
+    mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
+                   ? (mbedtls_md_type_t) ctx->hash_id
+                   : md_alg;
 
     return (mbedtls_rsa_rsassa_pss_verify_ext(ctx, f_rng, p_rng, mode,
                                               md_alg, hashlen, hash,
@@ -1931,9 +2262,19 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
                                         const unsigned char *hash,
                                         const unsigned char *sig) {
     int ret = 0;
-    const size_t sig_len = ctx->len;
+    size_t sig_len;
     unsigned char *encoded = NULL, *encoded_expected = NULL;
 
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(sig != NULL);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+
+    sig_len = ctx->len;
+
     if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15)
         return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
 
@@ -1998,6 +2339,14 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
                              unsigned int hashlen,
                              const unsigned char *hash,
                              const unsigned char *sig) {
+    RSA_VALIDATE_RET(ctx != NULL);
+    RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
+                     mode == MBEDTLS_RSA_PUBLIC);
+    RSA_VALIDATE_RET(sig != NULL);
+    RSA_VALIDATE_RET((md_alg  == MBEDTLS_MD_NONE &&
+                      hashlen == 0) ||
+                     hash != NULL);
+
     switch (ctx->padding) {
 #if defined(MBEDTLS_PKCS1_V15)
         case MBEDTLS_RSA_PKCS_V15:
@@ -2020,9 +2369,10 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
  * Copy the components of an RSA key
  */
 int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    RSA_VALIDATE_RET(dst != NULL);
+    RSA_VALIDATE_RET(src != NULL);
 
-    dst->ver = src->ver;
     dst->len = src->len;
 
     MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
@@ -2059,6 +2409,9 @@ cleanup:
  * Free the components of an RSA key
  */
 void mbedtls_rsa_free(mbedtls_rsa_context *ctx) {
+    if (ctx == NULL)
+        return;
+
     mbedtls_mpi_free(&ctx->Vi);
     mbedtls_mpi_free(&ctx->Vf);
     mbedtls_mpi_free(&ctx->RN);
@@ -2077,7 +2430,11 @@ void mbedtls_rsa_free(mbedtls_rsa_context *ctx) {
 #endif /* MBEDTLS_RSA_NO_CRT */
 
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_mutex_free(&ctx->mutex);
+    /* Free the mutex, but only if it hasn't been freed already. */
+    if (ctx->ver != 0) {
+        mbedtls_mutex_free(&ctx->mutex);
+        ctx->ver = 0;
+    }
 #endif
 }
 
@@ -2093,42 +2450,42 @@ void mbedtls_rsa_free(mbedtls_rsa_context *ctx) {
 #define KEY_LEN 128
 
 #define RSA_N   "9292758453063D803DD603D5E777D788" \
-    "8ED1D5BF35786190FA2F23EBC0848AEA" \
-    "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
-    "7130B9CED7ACDF54CFC7555AC14EEBAB" \
-    "93A89813FBF3C4F8066D2D800F7C38A8" \
-    "1AE31942917403FF4946B0A83D3D3E05" \
-    "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
-    "5E94BB77B07507233A0BC7BAC8F90F79"
+                "8ED1D5BF35786190FA2F23EBC0848AEA" \
+                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+                "93A89813FBF3C4F8066D2D800F7C38A8" \
+                "1AE31942917403FF4946B0A83D3D3E05" \
+                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+                "5E94BB77B07507233A0BC7BAC8F90F79"
 
 #define RSA_E   "10001"
 
 #define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
-    "66CA472BC44D253102F8B4A9D3BFA750" \
-    "91386C0077937FE33FA3252D28855837" \
-    "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
-    "DF79C5CE07EE72C7F123142198164234" \
-    "CABB724CF78B8173B9F880FC86322407" \
-    "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
-    "071513A1E85B5DFA031F21ECAE91A34D"
+                "66CA472BC44D253102F8B4A9D3BFA750" \
+                "91386C0077937FE33FA3252D28855837" \
+                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+                "DF79C5CE07EE72C7F123142198164234" \
+                "CABB724CF78B8173B9F880FC86322407" \
+                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+                "071513A1E85B5DFA031F21ECAE91A34D"
 
 #define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
-    "2C01CAD19EA484A87EA4377637E75500" \
-    "FCB2005C5C7DD6EC4AC023CDA285D796" \
-    "C3D9E75E1EFC42488BB4F1D13AC30A57"
+                "2C01CAD19EA484A87EA4377637E75500" \
+                "FCB2005C5C7DD6EC4AC023CDA285D796" \
+                "C3D9E75E1EFC42488BB4F1D13AC30A57"
 
 #define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
-    "E211C2B9E5DB1ED0BF61D0D9899620F4" \
-    "910E4168387E3C30AA1E00C339A79508" \
-    "8452DD96A9A5EA5D9DCA68DA636032AF"
+                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+                "910E4168387E3C30AA1E00C339A79508" \
+                "8452DD96A9A5EA5D9DCA68DA636032AF"
 
 #define PT_LEN  24
 #define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
-    "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
 
 #if defined(MBEDTLS_PKCS1_V15)
 static int myrand(void *rng_state, unsigned char *output, size_t len) {
-#if !defined(__OpenBSD__)
+#if !defined(__OpenBSD__) && !defined(__NetBSD__)
     size_t i;
 
     if (rng_state != NULL)
@@ -2141,7 +2498,7 @@ static int myrand(void *rng_state, unsigned char *output, size_t len) {
         rng_state = NULL;
 
     arc4random_buf(output, len);
-#endif /* !OpenBSD */
+#endif /* !OpenBSD && !NetBSD */
 
     return (0);
 }
diff --git a/common/mbedtls/rsa.h b/common/mbedtls/rsa.h
index 3972d961f..d13ef3c43 100644
--- a/common/mbedtls/rsa.h
+++ b/common/mbedtls/rsa.h
@@ -10,39 +10,35 @@
  *
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_RSA_H
 #define MBEDTLS_RSA_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "bignum.h"
-#include "md.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/md.h"
 
 #if defined(MBEDTLS_THREADING_C)
-#include "threading.h"
+#include "mbedtls/threading.h"
 #endif
 
 /*
@@ -57,7 +53,12 @@
 #define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
 #define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+
+/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+
+/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580  /**< RSA hardware accelerator failed. */
 
 /*
@@ -95,7 +96,10 @@ extern "C" {
  *          the public interface functions.
  */
 typedef struct mbedtls_rsa_context {
-    int ver;                    /*!<  Always 0.*/
+    int ver;                    /*!<  Reserved for internal purposes.
+                                 *    Do not set this field in application
+                                 *    code. Its meaning might change without
+                                 *    notice. */
     size_t len;                 /*!<  The size of \p N in Bytes. */
 
     mbedtls_mpi N;              /*!<  The public modulus. */
@@ -125,6 +129,7 @@ typedef struct mbedtls_rsa_context {
                                      mask generating function used in the
                                      EME-OAEP and EMSA-PSS encodings. */
 #if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized iff ver != 0. */
     mbedtls_threading_mutex_t mutex;    /*!<  Thread-safety mutex. */
 #endif
 }
@@ -146,19 +151,20 @@ mbedtls_rsa_context;
  * \note           The choice of padding mode is strictly enforced for private key
  *                 operations, since there might be security concerns in
  *                 mixing padding modes. For public key operations it is
- *                 a default value, which can be overriden by calling specific
+ *                 a default value, which can be overridden by calling specific
  *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
  *
  * \note           The hash selected in \p hash_id is always used for OEAP
  *                 encryption. For PSS signatures, it is always used for
- *                 making signatures, but can be overriden for verifying them.
- *                 If set to #MBEDTLS_MD_NONE, it is always overriden.
+ *                 making signatures, but can be overridden for verifying them.
+ *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
  *
- * \param ctx      The RSA context to initialize.
- * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- *                 #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id  The hash identifier of #mbedtls_md_type_t type, if
- *                 \p padding is #MBEDTLS_RSA_PKCS_V21.
+ * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The hash identifier of ::mbedtls_md_type_t type, if
+ *                 \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
+ *                 otherwise.
  */
 void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
                       int padding,
@@ -184,11 +190,11 @@ void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
  *                 for the lifetime of the RSA context being set up.
  *
  * \param ctx      The initialized RSA context to store the parameters in.
- * \param N        The RSA modulus, or NULL.
- * \param P        The first prime factor of \p N, or NULL.
- * \param Q        The second prime factor of \p N, or NULL.
- * \param D        The private exponent, or NULL.
- * \param E        The public exponent, or NULL.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param E        The public exponent. This may be \c NULL.
  *
  * \return         \c 0 on success.
  * \return         A non-zero error code on failure.
@@ -218,16 +224,16 @@ int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
  *                 for the lifetime of the RSA context being set up.
  *
  * \param ctx      The initialized RSA context to store the parameters in.
- * \param N        The RSA modulus, or NULL.
- * \param N_len    The Byte length of \p N, ignored if \p N == NULL.
- * \param P        The first prime factor of \p N, or NULL.
- * \param P_len    The Byte length of \p P, ignored if \p P == NULL.
- * \param Q        The second prime factor of \p N, or NULL.
- * \param Q_len    The Byte length of \p Q, ignored if \p Q == NULL.
- * \param D        The private exponent, or NULL.
- * \param D_len    The Byte length of \p D, ignored if \p D == NULL.
- * \param E        The public exponent, or NULL.
- * \param E_len    The Byte length of \p E, ignored if \p E == NULL.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param N_len    The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param P_len    The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len    The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param D_len    The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ * \param E_len    The Byte length of \p E; it is ignored if \p E == NULL.
  *
  * \return         \c 0 on success.
  * \return         A non-zero error code on failure.
@@ -282,7 +288,7 @@ int mbedtls_rsa_complete(mbedtls_rsa_context *ctx);
  *                 zero Bytes.
  *
  *                 Possible reasons for returning
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
  *                 <li>An alternative RSA implementation is in use, which
  *                 stores the key externally, and either cannot or should
  *                 not export it into RAM.</li>
@@ -295,14 +301,19 @@ int mbedtls_rsa_complete(mbedtls_rsa_context *ctx);
  *                 the RSA context stays intact and remains usable.
  *
  * \param ctx      The initialized RSA context.
- * \param N        The MPI to hold the RSA modulus, or NULL.
- * \param P        The MPI to hold the first prime factor of \p N, or NULL.
- * \param Q        The MPI to hold the second prime factor of \p N, or NULL.
- * \param D        The MPI to hold the private exponent, or NULL.
- * \param E        The MPI to hold the public exponent, or NULL.
+ * \param N        The MPI to hold the RSA modulus.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param P        The MPI to hold the first prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param Q        The MPI to hold the second prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param D        The MPI to hold the private exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param E        The MPI to hold the public exponent.
+ *                 This may be \c NULL if this field need not be exported.
  *
  * \return         \c 0 on success.
- * \return         #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
  *                 requested parameters cannot be done due to missing
  *                 functionality or because of security policies.
  * \return         A non-zero return code on any other failure.
@@ -322,7 +333,7 @@ int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
  *                 zero Bytes.
  *
  *                 Possible reasons for returning
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
  *                 <li>An alternative RSA implementation is in use, which
  *                 stores the key externally, and either cannot or should
  *                 not export it into RAM.</li>
@@ -337,21 +348,24 @@ int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
  *                 buffer pointers are NULL.
  *
  * \param ctx      The initialized RSA context.
- * \param N        The Byte array to store the RSA modulus, or NULL.
+ * \param N        The Byte array to store the RSA modulus,
+ *                 or \c NULL if this field need not be exported.
  * \param N_len    The size of the buffer for the modulus.
- * \param P        The Byte array to hold the first prime factor of \p N, or
- *                 NULL.
+ * \param P        The Byte array to hold the first prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
  * \param P_len    The size of the buffer for the first prime factor.
- * \param Q        The Byte array to hold the second prime factor of \p N, or
- *                 NULL.
+ * \param Q        The Byte array to hold the second prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
  * \param Q_len    The size of the buffer for the second prime factor.
- * \param D        The Byte array to hold the private exponent, or NULL.
+ * \param D        The Byte array to hold the private exponent,
+ *                 or \c NULL if this field need not be exported.
  * \param D_len    The size of the buffer for the private exponent.
- * \param E        The Byte array to hold the public exponent, or NULL.
+ * \param E        The Byte array to hold the public exponent,
+ *                 or \c NULL if this field need not be exported.
  * \param E_len    The size of the buffer for the public exponent.
  *
  * \return         \c 0 on success.
- * \return         #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
  *                 requested parameters cannot be done due to missing
  *                 functionality or because of security policies.
  * \return         A non-zero return code on any other failure.
@@ -371,9 +385,12 @@ int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
  *                 mbedtls_rsa_deduce_opt().
  *
  * \param ctx      The initialized RSA context.
- * \param DP       The MPI to hold D modulo P-1, or NULL.
- * \param DQ       The MPI to hold D modulo Q-1, or NULL.
- * \param QP       The MPI to hold modular inverse of Q modulo P, or NULL.
+ * \param DP       The MPI to hold \c D modulo `P-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param DQ       The MPI to hold \c D modulo `Q-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param QP       The MPI to hold modular inverse of \c Q modulo \c P,
+ *                 or \c NULL if it need not be exported.
  *
  * \return         \c 0 on success.
  * \return         A non-zero error code on failure.
@@ -386,9 +403,9 @@ int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
  * \brief          This function sets padding for an already initialized RSA
  *                 context. See mbedtls_rsa_init() for details.
  *
- * \param ctx      The RSA context to be set.
- * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- *                 #MBEDTLS_RSA_PKCS_V21.
+ * \param ctx      The initialized RSA context to be configured.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
  * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
  */
 void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
@@ -410,11 +427,14 @@ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx);
  * \note           mbedtls_rsa_init() must be called before this function,
  *                 to set up the RSA context.
  *
- * \param ctx      The RSA context used to hold the key.
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG context.
+ * \param ctx      The initialized RSA context used to hold the key.
+ * \param f_rng    The RNG function to be used for key generation.
+ *                 This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't need a context.
  * \param nbits    The size of the public key in bits.
- * \param exponent The public exponent. For example, 65537.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ *                 This must be odd and greater than \c 1.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -432,7 +452,7 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
  *                 enough information is present to perform an RSA public key
  *                 operation using mbedtls_rsa_public().
  *
- * \param ctx      The RSA context to check.
+ * \param ctx      The initialized RSA context to check.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -471,7 +491,7 @@ int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx);
  *             parameters, which goes beyond what is effectively checkable
  *             by the library.</li></ul>
  *
- * \param ctx  The RSA context to check.
+ * \param ctx  The initialized RSA context to check.
  *
  * \return     \c 0 on success.
  * \return     An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -483,8 +503,8 @@ int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx);
  *
  *                 It checks each of the contexts, and makes sure they match.
  *
- * \param pub      The RSA context holding the public key.
- * \param prv      The RSA context holding the private key.
+ * \param pub      The initialized RSA context holding the public key.
+ * \param prv      The initialized RSA context holding the private key.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -495,18 +515,19 @@ int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
 /**
  * \brief          This function performs an RSA public key operation.
  *
+ * \param ctx      The initialized RSA context to use.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
  * \note           This function does not handle message padding.
  *
  * \note           Make sure to set \p input[0] = 0 or ensure that
  *                 input is smaller than \p N.
  *
- * \note           The input and output buffers must be large
- *                 enough. For example, 128 Bytes if RSA-1024 is used.
- *
- * \param ctx      The RSA context.
- * \param input    The input buffer.
- * \param output   The output buffer.
- *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
@@ -517,9 +538,6 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
 /**
  * \brief          This function performs an RSA private key operation.
  *
- * \note           The input and output buffers must be large
- *                 enough. For example, 128 Bytes if RSA-1024 is used.
- *
  * \note           Blinding is used if and only if a PRNG is provided.
  *
  * \note           If blinding is used, both the base of exponentation
@@ -531,11 +549,18 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
  *                 Future versions of the library may enforce the presence
  *                 of a PRNG.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for blinding.
- * \param p_rng    The RNG context.
- * \param input    The input buffer.
- * \param output   The output buffer.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function, used for blinding. It is discouraged
+ *                 and deprecated to pass \c NULL here, in which case
+ *                 blinding will be omitted.
+ * \param p_rng    The RNG context to pass to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -554,9 +579,6 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
  *                 It is the generic wrapper for performing a PKCS#1 encryption
  *                 operation using the \p mode from the context.
  *
- * \note           The input and output buffers must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -564,16 +586,27 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for padding, PKCS#1 v2.1
- *                 encoding, and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen     The length of the plaintext.
- * \param input    The buffer holding the data to encrypt.
- * \param output   The buffer used to hold the ciphertext.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG to use. It is mandatory for PKCS#1 v2.1 padding
+ *                 encoding, and for PKCS#1 v1.5 padding encoding when used
+ *                 with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
+ *                 padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
+ *                 it is used for blinding and should be provided in this
+ *                 case; see mbedtls_rsa_private() for more.
+ * \param p_rng    The RNG context to be passed to \p f_rng. May be
+ *                 \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
+ *                 need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. It may be \c NULL if
+ *                 `ilen == 0`.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -589,9 +622,6 @@ int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 encryption operation
  *                 (RSAES-PKCS1-v1_5-ENCRYPT).
  *
- * \note           The output buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -599,16 +629,25 @@ int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for padding and
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen     The length of the plaintext.
- * \param input    The buffer holding the data to encrypt.
- * \param output   The buffer used to hold the ciphertext.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. It is needed for padding generation
+ *                 if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
+ *                 #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
+ *                 blinding and should be provided; see mbedtls_rsa_private().
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may
+ *                 be \c NULL if \p f_rng is \c NULL or if \p f_rng
+ *                 doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. It may be \c NULL if
+ *                 `ilen == 0`.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -634,18 +673,26 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
  *
  * \note             Alternative implementations of RSA need not support
  *                   mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                   return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx        The RSA context.
- * \param f_rng      The RNG function. Needed for padding and PKCS#1 v2.1
- *                   encoding and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng      The RNG context.
- * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx        The initnialized RSA context to use.
+ * \param f_rng      The RNG function to use. This is needed for padding
+ *                   generation and must be provided.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may
+ *                   be \c NULL if \p f_rng doesn't need a context argument.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param label      The buffer holding the custom label to use.
- * \param label_len  The length of the label.
- * \param ilen       The length of the plaintext.
- * \param input      The buffer holding the data to encrypt.
- * \param output     The buffer used to hold the ciphertext.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param ilen       The length of the plaintext buffer \p input in Bytes.
+ * \param input      The input data to encrypt. This must be a readable
+ *                   buffer of size \p ilen Bytes. It may be \c NULL if
+ *                   `ilen == 0`.
+ * \param output     The output buffer. This must be a writable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
  *
  * \return           \c 0 on success.
  * \return           An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -673,9 +720,6 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
  *                 hold the decryption of the particular ciphertext provided,
  *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \note           The input buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -683,16 +727,25 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen     The length of the plaintext.
- * \param input    The buffer holding the encrypted data.
- * \param output   The buffer used to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -716,9 +769,6 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
  *                 hold the decryption of the particular ciphertext provided,
  *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \note           The input buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -726,16 +776,25 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen     The length of the plaintext.
- * \param input    The buffer holding the encrypted data.
- * \param output   The buffer to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -761,9 +820,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
  *                   ciphertext provided, the function returns
  *                   #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \note             The input buffer must be as large as the size
- *                   of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated       It is deprecated and discouraged to call this function
  *                   in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                   are likely to remove the \p mode argument and have it
@@ -771,18 +827,29 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
  *
  * \note             Alternative implementations of RSA need not support
  *                   mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                   return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx        The RSA context.
- * \param f_rng      The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng      The RNG context.
- * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx        The initialized RSA context to use.
+ * \param f_rng      The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                   this is used for blinding and should be provided; see
+ *                   mbedtls_rsa_private() for more. If \p mode is
+ *                   #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may be
+ *                   \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param label      The buffer holding the custom label to use.
- * \param label_len  The length of the label.
- * \param olen       The length of the plaintext.
- * \param input      The buffer holding the encrypted data.
- * \param output     The buffer to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param olen       The address at which to store the length of
+ *                   the plaintext. This must not be \c NULL.
+ * \param input      The ciphertext buffer. This must be a readable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ * \param output     The buffer used to hold the plaintext. This must
+ *                   be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
  *
  * \return         \c 0 on success.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -818,18 +885,31 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. If the padding mode is PKCS#1 v2.1,
+ *                 this must be provided. If the padding mode is PKCS#1 v1.5 and
+ *                 \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
+ *                 and should be provided; see mbedtls_rsa_private() for more
+ *                 more. It is ignored otherwise.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
  *
  * \return         \c 0 if the signing operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -847,9 +927,6 @@ int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 signature
  *                 operation (RSASSA-PKCS1-v1_5-SIGN).
  *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -857,17 +934,30 @@ int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
  *
  * \return         \c 0 if the signing operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -885,9 +975,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v2.1 PSS signature
  *                 operation (RSASSA-PSS-SIGN).
  *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \note           The \p hash_id in the RSA context is the one used for the
  *                 encoding. \p md_alg in the function call is the type of hash
  *                 that is encoded. According to <em>RFC-3447: Public-Key
@@ -895,6 +982,16 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
  *                 Specifications</em> it is advised to keep both hashes the
  *                 same.
  *
+ * \note           This function always uses the maximum possible salt size,
+ *                 up to the length of the payload hash. This choice of salt
+ *                 size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ *                 v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ *                 minimum salt size which is the hash size minus 2 bytes. If
+ *                 this minimum size is too large given the key size (the salt
+ *                 size, plus the hash size, plus 2 bytes must be no more than
+ *                 the key size in bytes), this function returns
+ *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -902,18 +999,27 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
  *
  * \return         \c 0 if the signing operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -934,9 +1040,6 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
  *                 This is the generic wrapper for performing a PKCS#1
  *                 verification using the mode from the context.
  *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \note           For PKCS#1 v2.1 encoding, see comments on
  *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
  *                 \p hash_id.
@@ -948,17 +1051,28 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 if the verify operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -976,9 +1090,6 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 verification
  *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
  *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -986,17 +1097,28 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 if the verify operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1017,9 +1139,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
  *                 The hash function for the MGF mask generating function
  *                 is that specified in the RSA context.
  *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
  * \note           The \p hash_id in the RSA context is the one used for the
  *                 verification. \p md_alg in the function call is the type of
  *                 hash that is verified. According to <em>RFC-3447: Public-Key
@@ -1035,17 +1154,28 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 if the verify operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1071,19 +1201,29 @@ int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
  *
  * \note           The \p hash_id in the RSA context is ignored.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG context.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is
- *                 #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param mgf1_hash_id       The message digest used for mask generation.
- * \param expected_salt_len  The length of the salt used in padding. Use
- *                           #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
- * \param sig      The buffer holding the ciphertext.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param mgf1_hash_id      The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ *                          #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \return         \c 0 if the verify operation was successful.
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1102,8 +1242,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
 /**
  * \brief          This function copies the components of an RSA context.
  *
- * \param dst      The destination context.
- * \param src      The source context.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The source context. This must be initialized.
  *
  * \return         \c 0 on success.
  * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
@@ -1113,10 +1253,14 @@ int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src);
 /**
  * \brief          This function frees the components of an RSA key.
  *
- * \param ctx      The RSA Context to free.
+ * \param ctx      The RSA context to free. May be \c NULL, in which case
+ *                 this function is a no-op. If it is not \c NULL, it must
+ *                 point to an initialized RSA context.
  */
 void mbedtls_rsa_free(mbedtls_rsa_context *ctx);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          The RSA checkup routine.
  *
@@ -1125,6 +1269,8 @@ void mbedtls_rsa_free(mbedtls_rsa_context *ctx);
  */
 int mbedtls_rsa_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/rsa_internal.c b/common/mbedtls/rsa_internal.c
index c9412a911..e1be1d9c0 100644
--- a/common/mbedtls/rsa_internal.c
+++ b/common/mbedtls/rsa_internal.c
@@ -1,32 +1,24 @@
 /*
  *  Helper functions for the RSA module
  *
- *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  *
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_RSA_C)
 
@@ -332,14 +324,19 @@ int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
      */
 
 #if defined(MBEDTLS_GENPRIME)
+    /*
+     * When generating keys, the strongest security we support aims for an error
+     * rate of at most 2^-100 and we are aiming for the same certainty here as
+     * well.
+     */
     if (f_rng != NULL && P != NULL &&
-            (ret = mbedtls_mpi_is_prime(P, f_rng, p_rng)) != 0) {
+            (ret = mbedtls_mpi_is_prime_ext(P, 50, f_rng, p_rng)) != 0) {
         ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
         goto cleanup;
     }
 
     if (f_rng != NULL && Q != NULL &&
-            (ret = mbedtls_mpi_is_prime(Q, f_rng, p_rng)) != 0) {
+            (ret = mbedtls_mpi_is_prime_ext(Q, 50, f_rng, p_rng)) != 0) {
         ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
         goto cleanup;
     }
diff --git a/common/mbedtls/rsa_internal.h b/common/mbedtls/rsa_internal.h
index 65a1304b4..017018bca 100644
--- a/common/mbedtls/rsa_internal.h
+++ b/common/mbedtls/rsa_internal.h
@@ -35,24 +35,20 @@
  *
  */
 /*
- *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  *
  */
 
@@ -60,12 +56,12 @@
 #define MBEDTLS_RSA_INTERNAL_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "bignum.h"
+#include "mbedtls/bignum.h"
 
 #ifdef __cplusplus
 extern "C" {
diff --git a/common/mbedtls/sha1.c b/common/mbedtls/sha1.c
index d050e760b..cfb302f5e 100644
--- a/common/mbedtls/sha1.c
+++ b/common/mbedtls/sha1.c
@@ -1,24 +1,20 @@
 /*
  *  FIPS-180-1 compliant SHA-1 implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The SHA-1 standard was published by NIST in 1993.
@@ -26,16 +22,13 @@
  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_SHA1_C)
 
 #include "mbedtls/sha1.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -48,6 +41,11 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
+#define SHA1_VALIDATE_RET(cond)                             \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA )
+
+#define SHA1_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if !defined(MBEDTLS_SHA1_ALT)
 
 /*
@@ -55,25 +53,27 @@
  */
 #ifndef GET_UINT32_BE
 #define GET_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-              | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 3]       );            \
-    }
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
 #endif
 
 #ifndef PUT_UINT32_BE
 #define PUT_UINT32_BE(n,b,i)                            \
-    {                                                       \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
 #endif
 
 void mbedtls_sha1_init(mbedtls_sha1_context *ctx) {
+    SHA1_VALIDATE(ctx != NULL);
+
     memset(ctx, 0, sizeof(mbedtls_sha1_context));
 }
 
@@ -86,6 +86,9 @@ void mbedtls_sha1_free(mbedtls_sha1_context *ctx) {
 
 void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
                         const mbedtls_sha1_context *src) {
+    SHA1_VALIDATE(dst != NULL);
+    SHA1_VALIDATE(src != NULL);
+
     *dst = *src;
 }
 
@@ -93,6 +96,8 @@ void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
  * SHA-1 context setup
  */
 int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx) {
+    SHA1_VALIDATE_RET(ctx != NULL);
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -114,158 +119,170 @@ void mbedtls_sha1_starts(mbedtls_sha1_context *ctx) {
 #if !defined(MBEDTLS_SHA1_PROCESS_ALT)
 int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
                                   const unsigned char data[64]) {
-    uint32_t temp, W[16], A, B, C, D, E;
+    struct {
+        uint32_t temp, W[16], A, B, C, D, E;
+    } local;
 
-    GET_UINT32_BE(W[ 0], data,  0);
-    GET_UINT32_BE(W[ 1], data,  4);
-    GET_UINT32_BE(W[ 2], data,  8);
-    GET_UINT32_BE(W[ 3], data, 12);
-    GET_UINT32_BE(W[ 4], data, 16);
-    GET_UINT32_BE(W[ 5], data, 20);
-    GET_UINT32_BE(W[ 6], data, 24);
-    GET_UINT32_BE(W[ 7], data, 28);
-    GET_UINT32_BE(W[ 8], data, 32);
-    GET_UINT32_BE(W[ 9], data, 36);
-    GET_UINT32_BE(W[10], data, 40);
-    GET_UINT32_BE(W[11], data, 44);
-    GET_UINT32_BE(W[12], data, 48);
-    GET_UINT32_BE(W[13], data, 52);
-    GET_UINT32_BE(W[14], data, 56);
-    GET_UINT32_BE(W[15], data, 60);
+    SHA1_VALIDATE_RET(ctx != NULL);
+    SHA1_VALIDATE_RET((const unsigned char *)data != NULL);
 
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+    GET_UINT32_BE(local.W[ 0], data,  0);
+    GET_UINT32_BE(local.W[ 1], data,  4);
+    GET_UINT32_BE(local.W[ 2], data,  8);
+    GET_UINT32_BE(local.W[ 3], data, 12);
+    GET_UINT32_BE(local.W[ 4], data, 16);
+    GET_UINT32_BE(local.W[ 5], data, 20);
+    GET_UINT32_BE(local.W[ 6], data, 24);
+    GET_UINT32_BE(local.W[ 7], data, 28);
+    GET_UINT32_BE(local.W[ 8], data, 32);
+    GET_UINT32_BE(local.W[ 9], data, 36);
+    GET_UINT32_BE(local.W[10], data, 40);
+    GET_UINT32_BE(local.W[11], data, 44);
+    GET_UINT32_BE(local.W[12], data, 48);
+    GET_UINT32_BE(local.W[13], data, 52);
+    GET_UINT32_BE(local.W[14], data, 56);
+    GET_UINT32_BE(local.W[15], data, 60);
 
-#define R(t)                                            \
-    (                                                       \
-                                                            temp = W[( t -  3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
-                                                                    W[( t - 14 ) & 0x0F] ^ W[  t       & 0x0F],  \
-                                                            ( W[t & 0x0F] = S(temp,1) )                         \
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define R(t)                                                    \
+    (                                                           \
+        local.temp = local.W[( (t) -  3 ) & 0x0F] ^             \
+                     local.W[( (t) -  8 ) & 0x0F] ^             \
+                     local.W[( (t) - 14 ) & 0x0F] ^             \
+                     local.W[  (t)        & 0x0F],              \
+        ( local.W[(t) & 0x0F] = S(local.temp,1) )               \
     )
 
-#define P(a,b,c,d,e,x)                                  \
-    {                                                       \
-        e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);        \
-    }
+#define P(a,b,c,d,e,x)                                          \
+    do                                                          \
+    {                                                           \
+        (e) += S((a),5) + F((b),(c),(d)) + K + (x);             \
+        (b) = S((b),30);                                        \
+    } while( 0 )
 
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+    local.E = ctx->state[4];
 
-#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 #define K 0x5A827999
 
-    P(A, B, C, D, E, W[0]);
-    P(E, A, B, C, D, W[1]);
-    P(D, E, A, B, C, W[2]);
-    P(C, D, E, A, B, W[3]);
-    P(B, C, D, E, A, W[4]);
-    P(A, B, C, D, E, W[5]);
-    P(E, A, B, C, D, W[6]);
-    P(D, E, A, B, C, W[7]);
-    P(C, D, E, A, B, W[8]);
-    P(B, C, D, E, A, W[9]);
-    P(A, B, C, D, E, W[10]);
-    P(E, A, B, C, D, W[11]);
-    P(D, E, A, B, C, W[12]);
-    P(C, D, E, A, B, W[13]);
-    P(B, C, D, E, A, W[14]);
-    P(A, B, C, D, E, W[15]);
-    P(E, A, B, C, D, R(16));
-    P(D, E, A, B, C, R(17));
-    P(C, D, E, A, B, R(18));
-    P(B, C, D, E, A, R(19));
+    P(local.A, local.B, local.C, local.D, local.E, local.W[0]);
+    P(local.E, local.A, local.B, local.C, local.D, local.W[1]);
+    P(local.D, local.E, local.A, local.B, local.C, local.W[2]);
+    P(local.C, local.D, local.E, local.A, local.B, local.W[3]);
+    P(local.B, local.C, local.D, local.E, local.A, local.W[4]);
+    P(local.A, local.B, local.C, local.D, local.E, local.W[5]);
+    P(local.E, local.A, local.B, local.C, local.D, local.W[6]);
+    P(local.D, local.E, local.A, local.B, local.C, local.W[7]);
+    P(local.C, local.D, local.E, local.A, local.B, local.W[8]);
+    P(local.B, local.C, local.D, local.E, local.A, local.W[9]);
+    P(local.A, local.B, local.C, local.D, local.E, local.W[10]);
+    P(local.E, local.A, local.B, local.C, local.D, local.W[11]);
+    P(local.D, local.E, local.A, local.B, local.C, local.W[12]);
+    P(local.C, local.D, local.E, local.A, local.B, local.W[13]);
+    P(local.B, local.C, local.D, local.E, local.A, local.W[14]);
+    P(local.A, local.B, local.C, local.D, local.E, local.W[15]);
+    P(local.E, local.A, local.B, local.C, local.D, R(16));
+    P(local.D, local.E, local.A, local.B, local.C, R(17));
+    P(local.C, local.D, local.E, local.A, local.B, R(18));
+    P(local.B, local.C, local.D, local.E, local.A, R(19));
 
 #undef K
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 #define K 0x6ED9EBA1
 
-    P(A, B, C, D, E, R(20));
-    P(E, A, B, C, D, R(21));
-    P(D, E, A, B, C, R(22));
-    P(C, D, E, A, B, R(23));
-    P(B, C, D, E, A, R(24));
-    P(A, B, C, D, E, R(25));
-    P(E, A, B, C, D, R(26));
-    P(D, E, A, B, C, R(27));
-    P(C, D, E, A, B, R(28));
-    P(B, C, D, E, A, R(29));
-    P(A, B, C, D, E, R(30));
-    P(E, A, B, C, D, R(31));
-    P(D, E, A, B, C, R(32));
-    P(C, D, E, A, B, R(33));
-    P(B, C, D, E, A, R(34));
-    P(A, B, C, D, E, R(35));
-    P(E, A, B, C, D, R(36));
-    P(D, E, A, B, C, R(37));
-    P(C, D, E, A, B, R(38));
-    P(B, C, D, E, A, R(39));
+    P(local.A, local.B, local.C, local.D, local.E, R(20));
+    P(local.E, local.A, local.B, local.C, local.D, R(21));
+    P(local.D, local.E, local.A, local.B, local.C, R(22));
+    P(local.C, local.D, local.E, local.A, local.B, R(23));
+    P(local.B, local.C, local.D, local.E, local.A, R(24));
+    P(local.A, local.B, local.C, local.D, local.E, R(25));
+    P(local.E, local.A, local.B, local.C, local.D, R(26));
+    P(local.D, local.E, local.A, local.B, local.C, R(27));
+    P(local.C, local.D, local.E, local.A, local.B, R(28));
+    P(local.B, local.C, local.D, local.E, local.A, R(29));
+    P(local.A, local.B, local.C, local.D, local.E, R(30));
+    P(local.E, local.A, local.B, local.C, local.D, R(31));
+    P(local.D, local.E, local.A, local.B, local.C, R(32));
+    P(local.C, local.D, local.E, local.A, local.B, R(33));
+    P(local.B, local.C, local.D, local.E, local.A, R(34));
+    P(local.A, local.B, local.C, local.D, local.E, R(35));
+    P(local.E, local.A, local.B, local.C, local.D, R(36));
+    P(local.D, local.E, local.A, local.B, local.C, R(37));
+    P(local.C, local.D, local.E, local.A, local.B, R(38));
+    P(local.B, local.C, local.D, local.E, local.A, R(39));
 
 #undef K
 #undef F
 
-#define F(x,y,z) ((x & y) | (z & (x | y)))
+#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
 #define K 0x8F1BBCDC
 
-    P(A, B, C, D, E, R(40));
-    P(E, A, B, C, D, R(41));
-    P(D, E, A, B, C, R(42));
-    P(C, D, E, A, B, R(43));
-    P(B, C, D, E, A, R(44));
-    P(A, B, C, D, E, R(45));
-    P(E, A, B, C, D, R(46));
-    P(D, E, A, B, C, R(47));
-    P(C, D, E, A, B, R(48));
-    P(B, C, D, E, A, R(49));
-    P(A, B, C, D, E, R(50));
-    P(E, A, B, C, D, R(51));
-    P(D, E, A, B, C, R(52));
-    P(C, D, E, A, B, R(53));
-    P(B, C, D, E, A, R(54));
-    P(A, B, C, D, E, R(55));
-    P(E, A, B, C, D, R(56));
-    P(D, E, A, B, C, R(57));
-    P(C, D, E, A, B, R(58));
-    P(B, C, D, E, A, R(59));
+    P(local.A, local.B, local.C, local.D, local.E, R(40));
+    P(local.E, local.A, local.B, local.C, local.D, R(41));
+    P(local.D, local.E, local.A, local.B, local.C, R(42));
+    P(local.C, local.D, local.E, local.A, local.B, R(43));
+    P(local.B, local.C, local.D, local.E, local.A, R(44));
+    P(local.A, local.B, local.C, local.D, local.E, R(45));
+    P(local.E, local.A, local.B, local.C, local.D, R(46));
+    P(local.D, local.E, local.A, local.B, local.C, R(47));
+    P(local.C, local.D, local.E, local.A, local.B, R(48));
+    P(local.B, local.C, local.D, local.E, local.A, R(49));
+    P(local.A, local.B, local.C, local.D, local.E, R(50));
+    P(local.E, local.A, local.B, local.C, local.D, R(51));
+    P(local.D, local.E, local.A, local.B, local.C, R(52));
+    P(local.C, local.D, local.E, local.A, local.B, R(53));
+    P(local.B, local.C, local.D, local.E, local.A, R(54));
+    P(local.A, local.B, local.C, local.D, local.E, R(55));
+    P(local.E, local.A, local.B, local.C, local.D, R(56));
+    P(local.D, local.E, local.A, local.B, local.C, R(57));
+    P(local.C, local.D, local.E, local.A, local.B, R(58));
+    P(local.B, local.C, local.D, local.E, local.A, R(59));
 
 #undef K
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 #define K 0xCA62C1D6
 
-    P(A, B, C, D, E, R(60));
-    P(E, A, B, C, D, R(61));
-    P(D, E, A, B, C, R(62));
-    P(C, D, E, A, B, R(63));
-    P(B, C, D, E, A, R(64));
-    P(A, B, C, D, E, R(65));
-    P(E, A, B, C, D, R(66));
-    P(D, E, A, B, C, R(67));
-    P(C, D, E, A, B, R(68));
-    P(B, C, D, E, A, R(69));
-    P(A, B, C, D, E, R(70));
-    P(E, A, B, C, D, R(71));
-    P(D, E, A, B, C, R(72));
-    P(C, D, E, A, B, R(73));
-    P(B, C, D, E, A, R(74));
-    P(A, B, C, D, E, R(75));
-    P(E, A, B, C, D, R(76));
-    P(D, E, A, B, C, R(77));
-    P(C, D, E, A, B, R(78));
-    P(B, C, D, E, A, R(79));
+    P(local.A, local.B, local.C, local.D, local.E, R(60));
+    P(local.E, local.A, local.B, local.C, local.D, R(61));
+    P(local.D, local.E, local.A, local.B, local.C, R(62));
+    P(local.C, local.D, local.E, local.A, local.B, R(63));
+    P(local.B, local.C, local.D, local.E, local.A, R(64));
+    P(local.A, local.B, local.C, local.D, local.E, R(65));
+    P(local.E, local.A, local.B, local.C, local.D, R(66));
+    P(local.D, local.E, local.A, local.B, local.C, R(67));
+    P(local.C, local.D, local.E, local.A, local.B, R(68));
+    P(local.B, local.C, local.D, local.E, local.A, R(69));
+    P(local.A, local.B, local.C, local.D, local.E, R(70));
+    P(local.E, local.A, local.B, local.C, local.D, R(71));
+    P(local.D, local.E, local.A, local.B, local.C, R(72));
+    P(local.C, local.D, local.E, local.A, local.B, R(73));
+    P(local.B, local.C, local.D, local.E, local.A, R(74));
+    P(local.A, local.B, local.C, local.D, local.E, R(75));
+    P(local.E, local.A, local.B, local.C, local.D, R(76));
+    P(local.D, local.E, local.A, local.B, local.C, R(77));
+    P(local.C, local.D, local.E, local.A, local.B, R(78));
+    P(local.B, local.C, local.D, local.E, local.A, R(79));
 
 #undef K
 #undef F
 
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+    ctx->state[4] += local.E;
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
 
     return (0);
 }
@@ -284,10 +301,13 @@ void mbedtls_sha1_process(mbedtls_sha1_context *ctx,
 int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx,
                             const unsigned char *input,
                             size_t ilen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t fill;
     uint32_t left;
 
+    SHA1_VALIDATE_RET(ctx != NULL);
+    SHA1_VALIDATE_RET(ilen == 0 || input != NULL);
+
     if (ilen == 0)
         return (0);
 
@@ -338,10 +358,13 @@ void mbedtls_sha1_update(mbedtls_sha1_context *ctx,
  */
 int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx,
                             unsigned char output[20]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     uint32_t used;
     uint32_t high, low;
 
+    SHA1_VALIDATE_RET(ctx != NULL);
+    SHA1_VALIDATE_RET((unsigned char *)output != NULL);
+
     /*
      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
      */
@@ -402,9 +425,12 @@ void mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
 int mbedtls_sha1_ret(const unsigned char *input,
                      size_t ilen,
                      unsigned char output[20]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_sha1_context ctx;
 
+    SHA1_VALIDATE_RET(ilen == 0 || input != NULL);
+    SHA1_VALIDATE_RET((unsigned char *)output != NULL);
+
     mbedtls_sha1_init(&ctx);
 
     if ((ret = mbedtls_sha1_starts_ret(&ctx)) != 0)
diff --git a/common/mbedtls/sha1.h b/common/mbedtls/sha1.h
index c57f6b99b..4a9d7565b 100644
--- a/common/mbedtls/sha1.h
+++ b/common/mbedtls/sha1.h
@@ -11,30 +11,26 @@
  *            digests instead.
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_SHA1_H
 #define MBEDTLS_SHA1_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -42,7 +38,9 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA                   -0x0073  /**< SHA-1 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
@@ -79,6 +77,7 @@ mbedtls_sha1_context;
  *                 stronger message digests instead.
  *
  * \param ctx      The SHA-1 context to initialize.
+ *                 This must not be \c NULL.
  *
  */
 void mbedtls_sha1_init(mbedtls_sha1_context *ctx);
@@ -90,7 +89,10 @@ void mbedtls_sha1_init(mbedtls_sha1_context *ctx);
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param ctx      The SHA-1 context to clear.
+ * \param ctx      The SHA-1 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it is
+ *                 not \c NULL, it must point to an initialized
+ *                 SHA-1 context.
  *
  */
 void mbedtls_sha1_free(mbedtls_sha1_context *ctx);
@@ -102,8 +104,8 @@ void mbedtls_sha1_free(mbedtls_sha1_context *ctx);
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param dst      The SHA-1 context to clone to.
- * \param src      The SHA-1 context to clone from.
+ * \param dst      The SHA-1 context to clone to. This must be initialized.
+ * \param src      The SHA-1 context to clone from. This must be initialized.
  *
  */
 void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
@@ -116,9 +118,10 @@ void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param ctx      The SHA-1 context to initialize.
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  *
  */
 int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx);
@@ -131,11 +134,14 @@ int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx);
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param ctx      The SHA-1 context.
+ * \param ctx      The SHA-1 context. This must be initialized
+ *                 and have a hash operation started.
  * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx,
                             const unsigned char *input,
@@ -149,10 +155,13 @@ int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx,
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param ctx      The SHA-1 context.
- * \param output   The SHA-1 checksum result.
+ * \param ctx      The SHA-1 context to use. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of length \c 20 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx,
                             unsigned char output[20]);
@@ -164,10 +173,12 @@ int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx,
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
- * \param ctx      The SHA-1 context.
- * \param data     The data block being processed.
+ * \param ctx      The SHA-1 context to use. This must be initialized.
+ * \param data     The data block being processed. This must be a
+ *                 readable buffer of length \c 64 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  *
  */
 int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
@@ -188,7 +199,7 @@ int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
  *
- * \param ctx      The SHA-1 context to initialize.
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
  *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
@@ -203,9 +214,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
  *
  * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0.
  *
- * \param ctx      The SHA-1 context.
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
  * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
  *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_update(mbedtls_sha1_context *ctx,
@@ -222,9 +235,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_update(mbedtls_sha1_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
  *
- * \param ctx      The SHA-1 context.
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
  * \param output   The SHA-1 checksum result.
- *
+ *                 This must be a writable buffer of length \c 20 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
                                             unsigned char output[20]);
@@ -238,8 +252,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0.
  *
- * \param ctx      The SHA-1 context.
+ * \param ctx      The SHA-1 context. This must be initialized.
  * \param data     The data block being processed.
+ *                 This must be a readable buffer of length \c 64 bytes.
  *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_process(mbedtls_sha1_context *ctx,
@@ -262,10 +277,13 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_process(mbedtls_sha1_context *ctx,
  *                 stronger message digests instead.
  *
  * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
  * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  *
  */
 int mbedtls_sha1_ret(const unsigned char *input,
@@ -294,8 +312,10 @@ int mbedtls_sha1_ret(const unsigned char *input,
  * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
  *
  * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-1 checksum result.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of size \c 20 Bytes.
  *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1(const unsigned char *input,
@@ -305,6 +325,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha1(const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          The SHA-1 checkup routine.
  *
@@ -318,6 +340,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha1(const unsigned char *input,
  */
 int mbedtls_sha1_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/sha256.c b/common/mbedtls/sha256.c
index 161b54dc5..a8acc781b 100644
--- a/common/mbedtls/sha256.c
+++ b/common/mbedtls/sha256.c
@@ -1,24 +1,20 @@
 /*
  *  FIPS-180-2 compliant SHA-256 implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
@@ -26,16 +22,13 @@
  *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_SHA256_C)
 
 #include "mbedtls/sha256.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -51,6 +44,10 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
+#define SHA256_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
+#define SHA256_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if !defined(MBEDTLS_SHA256_ALT)
 
 /*
@@ -58,25 +55,27 @@
  */
 #ifndef GET_UINT32_BE
 #define GET_UINT32_BE(n,b,i)                            \
-    do {                                                    \
-        (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-              | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-              | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-              | ( (uint32_t) (b)[(i) + 3]       );            \
-    } while( 0 )
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
 #endif
 
 #ifndef PUT_UINT32_BE
 #define PUT_UINT32_BE(n,b,i)                            \
-    do {                                                    \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-    } while( 0 )
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
 #endif
 
 void mbedtls_sha256_init(mbedtls_sha256_context *ctx) {
+    SHA256_VALIDATE(ctx != NULL);
+
     memset(ctx, 0, sizeof(mbedtls_sha256_context));
 }
 
@@ -89,6 +88,9 @@ void mbedtls_sha256_free(mbedtls_sha256_context *ctx) {
 
 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
                           const mbedtls_sha256_context *src) {
+    SHA256_VALIDATE(dst != NULL);
+    SHA256_VALIDATE(src != NULL);
+
     *dst = *src;
 }
 
@@ -96,6 +98,9 @@ void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
  * SHA-256 context setup
  */
 int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224) {
+    SHA256_VALIDATE_RET(ctx != NULL);
+    SHA256_VALIDATE_RET(is224 == 0 || is224 == 1);
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -153,8 +158,8 @@ static const uint32_t K[] = {
     0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
 };
 
-#define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
+#define  SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
 
 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
@@ -162,79 +167,106 @@ static const uint32_t K[] = {
 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
 
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
-#define R(t)                                    \
-    (                                               \
-                                                    W[t] = S1(W[t -  2]) + W[t -  7] +          \
-                                                           S0(W[t - 15]) + W[t - 16]            \
+#define R(t)                                                        \
+    (                                                               \
+        local.W[t] = S1(local.W[(t) -  2]) + local.W[(t) -  7] +    \
+                     S0(local.W[(t) - 15]) + local.W[(t) - 16]      \
     )
 
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-    {                                               \
-        temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-        temp2 = S2(a) + F0(a,b,c);                  \
-        d += temp1; h = temp1 + temp2;              \
-    }
+#define P(a,b,c,d,e,f,g,h,x,K)                                      \
+    do                                                              \
+    {                                                               \
+        local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);    \
+        local.temp2 = S2(a) + F0((a),(b),(c));                      \
+        (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
+    } while( 0 )
 
 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
                                     const unsigned char data[64]) {
-    uint32_t temp1, temp2, W[64];
-    uint32_t A[8];
+    struct {
+        uint32_t temp1, temp2, W[64];
+        uint32_t A[8];
+    } local;
+
     unsigned int i;
 
+    SHA256_VALIDATE_RET(ctx != NULL);
+    SHA256_VALIDATE_RET((const unsigned char *)data != NULL);
+
     for (i = 0; i < 8; i++)
-        A[i] = ctx->state[i];
+        local.A[i] = ctx->state[i];
 
 #if defined(MBEDTLS_SHA256_SMALLER)
     for (i = 0; i < 64; i++) {
         if (i < 16)
-            GET_UINT32_BE(W[i], data, 4 * i);
+            GET_UINT32_BE(local.W[i], data, 4 * i);
         else
             R(i);
 
-        P(A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i]);
+        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+          local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
 
-        temp1 = A[7];
-        A[7] = A[6];
-        A[6] = A[5];
-        A[5] = A[4];
-        A[4] = A[3];
-        A[3] = A[2];
-        A[2] = A[1];
-        A[1] = A[0];
-        A[0] = temp1;
+        local.temp1 = local.A[7];
+        local.A[7] = local.A[6];
+        local.A[6] = local.A[5];
+        local.A[5] = local.A[4];
+        local.A[4] = local.A[3];
+        local.A[3] = local.A[2];
+        local.A[2] = local.A[1];
+        local.A[1] = local.A[0];
+        local.A[0] = local.temp1;
     }
 #else /* MBEDTLS_SHA256_SMALLER */
     for (i = 0; i < 16; i++)
-        GET_UINT32_BE(W[i], data, 4 * i);
+        GET_UINT32_BE(local.W[i], data, 4 * i);
 
     for (i = 0; i < 16; i += 8) {
-        P(A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i + 0], K[i + 0]);
-        P(A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i + 1], K[i + 1]);
-        P(A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i + 2], K[i + 2]);
-        P(A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i + 3], K[i + 3]);
-        P(A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i + 4], K[i + 4]);
-        P(A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i + 5], K[i + 5]);
-        P(A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i + 6], K[i + 6]);
-        P(A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i + 7], K[i + 7]);
+        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+          local.A[5], local.A[6], local.A[7], local.W[i + 0], K[i + 0]);
+        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+          local.A[4], local.A[5], local.A[6], local.W[i + 1], K[i + 1]);
+        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+          local.A[3], local.A[4], local.A[5], local.W[i + 2], K[i + 2]);
+        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+          local.A[2], local.A[3], local.A[4], local.W[i + 3], K[i + 3]);
+        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+          local.A[1], local.A[2], local.A[3], local.W[i + 4], K[i + 4]);
+        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+          local.A[0], local.A[1], local.A[2], local.W[i + 5], K[i + 5]);
+        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+          local.A[7], local.A[0], local.A[1], local.W[i + 6], K[i + 6]);
+        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+          local.A[6], local.A[7], local.A[0], local.W[i + 7], K[i + 7]);
     }
 
     for (i = 16; i < 64; i += 8) {
-        P(A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i + 0), K[i + 0]);
-        P(A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i + 1), K[i + 1]);
-        P(A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i + 2), K[i + 2]);
-        P(A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i + 3), K[i + 3]);
-        P(A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i + 4), K[i + 4]);
-        P(A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i + 5), K[i + 5]);
-        P(A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i + 6), K[i + 6]);
-        P(A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i + 7), K[i + 7]);
+        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+          local.A[5], local.A[6], local.A[7], R(i + 0), K[i + 0]);
+        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+          local.A[4], local.A[5], local.A[6], R(i + 1), K[i + 1]);
+        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+          local.A[3], local.A[4], local.A[5], R(i + 2), K[i + 2]);
+        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+          local.A[2], local.A[3], local.A[4], R(i + 3), K[i + 3]);
+        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+          local.A[1], local.A[2], local.A[3], R(i + 4), K[i + 4]);
+        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+          local.A[0], local.A[1], local.A[2], R(i + 5), K[i + 5]);
+        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+          local.A[7], local.A[0], local.A[1], R(i + 6), K[i + 6]);
+        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+          local.A[6], local.A[7], local.A[0], R(i + 7), K[i + 7]);
     }
 #endif /* MBEDTLS_SHA256_SMALLER */
 
     for (i = 0; i < 8; i++)
-        ctx->state[i] += A[i];
+        ctx->state[i] += local.A[i];
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
 
     return (0);
 }
@@ -253,10 +285,13 @@ void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
 int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
                               const unsigned char *input,
                               size_t ilen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t fill;
     uint32_t left;
 
+    SHA256_VALIDATE_RET(ctx != NULL);
+    SHA256_VALIDATE_RET(ilen == 0 || input != NULL);
+
     if (ilen == 0)
         return (0);
 
@@ -307,10 +342,13 @@ void mbedtls_sha256_update(mbedtls_sha256_context *ctx,
  */
 int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
                               unsigned char output[32]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     uint32_t used;
     uint32_t high, low;
 
+    SHA256_VALIDATE_RET(ctx != NULL);
+    SHA256_VALIDATE_RET((unsigned char *)output != NULL);
+
     /*
      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
      */
@@ -377,9 +415,13 @@ int mbedtls_sha256_ret(const unsigned char *input,
                        size_t ilen,
                        unsigned char output[32],
                        int is224) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_sha256_context ctx;
 
+    SHA256_VALIDATE_RET(is224 == 0 || is224 == 1);
+    SHA256_VALIDATE_RET(ilen == 0 || input != NULL);
+    SHA256_VALIDATE_RET((unsigned char *)output != NULL);
+
     mbedtls_sha256_init(&ctx);
 
     if ((ret = mbedtls_sha256_starts_ret(&ctx, is224)) != 0)
diff --git a/common/mbedtls/sha256.h b/common/mbedtls/sha256.h
index 760b2e443..dc5308c7c 100644
--- a/common/mbedtls/sha256.h
+++ b/common/mbedtls/sha256.h
@@ -7,30 +7,26 @@
  * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_SHA256_H
 #define MBEDTLS_SHA256_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -38,7 +34,9 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA                 -0x0074  /**< SHA-256 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
@@ -71,22 +69,24 @@ mbedtls_sha256_context;
 /**
  * \brief          This function initializes a SHA-256 context.
  *
- * \param ctx      The SHA-256 context to initialize.
+ * \param ctx      The SHA-256 context to initialize. This must not be \c NULL.
  */
 void mbedtls_sha256_init(mbedtls_sha256_context *ctx);
 
 /**
  * \brief          This function clears a SHA-256 context.
  *
- * \param ctx      The SHA-256 context to clear.
+ * \param ctx      The SHA-256 context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized SHA-256 context.
  */
 void mbedtls_sha256_free(mbedtls_sha256_context *ctx);
 
 /**
  * \brief          This function clones the state of a SHA-256 context.
  *
- * \param dst      The destination context.
- * \param src      The context to clone.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
  */
 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
                           const mbedtls_sha256_context *src);
@@ -95,11 +95,12 @@ void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
  * \brief          This function starts a SHA-224 or SHA-256 checksum
  *                 calculation.
  *
- * \param ctx      The context to initialize.
- * \param is224    Determines which function to use:
- *                 0: Use SHA-256, or 1: Use SHA-224.
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    This determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224);
 
@@ -107,11 +108,14 @@ int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224);
  * \brief          This function feeds an input buffer into an ongoing
  *                 SHA-256 checksum calculation.
  *
- * \param ctx      The SHA-256 context.
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
                               const unsigned char *input,
@@ -121,10 +125,13 @@ int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
  * \brief          This function finishes the SHA-256 operation, and writes
  *                 the result to the output buffer.
  *
- * \param ctx      The SHA-256 context.
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
  * \param output   The SHA-224 or SHA-256 checksum result.
+ *                 This must be a writable buffer of length \c 32 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
                               unsigned char output[32]);
@@ -134,10 +141,12 @@ int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
  *                 the ongoing SHA-256 computation. This function is for
  *                 internal use only.
  *
- * \param ctx      The SHA-256 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must
+ *                 be a readable buffer of length \c 64 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
                                     const unsigned char data[64]);
@@ -152,12 +161,11 @@ int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
  * \brief          This function starts a SHA-224 or SHA-256 checksum
  *                 calculation.
  *
- *
  * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
  *
- * \param ctx      The context to initialize.
- * \param is224    Determines which function to use:
- *                 0: Use SHA-256, or 1: Use SHA-224.
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_starts(mbedtls_sha256_context *ctx,
                                               int is224);
@@ -168,9 +176,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_starts(mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
  *
- * \param ctx      The SHA-256 context to initialize.
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-256 context to use. This must be
+ *                 initialized and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_update(mbedtls_sha256_context *ctx,
                                               const unsigned char *input,
@@ -182,8 +192,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_update(mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
  *
- * \param ctx      The SHA-256 context.
- * \param output   The SHA-224 or SHA-256 checksum result.
+ * \param ctx      The SHA-256 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
                                               unsigned char output[32]);
@@ -195,8 +207,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
  *
- * \param ctx      The SHA-256 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of size \c 64 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
                                                const unsigned char data[64]);
@@ -214,11 +227,13 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
  *                 The SHA-256 result is calculated as
  *                 output = SHA-256(input buffer).
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-224 or SHA-256 checksum result.
- * \param is224    Determines which function to use:
- *                 0: Use SHA-256, or 1: Use SHA-224.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must
+ *                 be a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 int mbedtls_sha256_ret(const unsigned char *input,
                        size_t ilen,
@@ -244,11 +259,13 @@ int mbedtls_sha256_ret(const unsigned char *input,
  *
  * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
  *
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-224 or SHA-256 checksum result.
- * \param is224    Determines which function to use:
- *                 0: Use SHA-256, or 1: Use SHA-224.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be either
+ *                 \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256(const unsigned char *input,
                                        size_t ilen,
@@ -258,6 +275,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha256(const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          The SHA-224 and SHA-256 checkup routine.
  *
@@ -266,6 +285,8 @@ MBEDTLS_DEPRECATED void mbedtls_sha256(const unsigned char *input,
  */
 int mbedtls_sha256_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/common/mbedtls/sha512.c b/common/mbedtls/sha512.c
index f3dd0d15c..f6038353e 100644
--- a/common/mbedtls/sha512.c
+++ b/common/mbedtls/sha512.c
@@ -1,24 +1,20 @@
 /*
  *  FIPS-180-2 compliant SHA-384/512 implementation
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
@@ -26,16 +22,13 @@
  *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_SHA512_C)
 
 #include "mbedtls/sha512.h"
 #include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
 
 #if defined(_MSC_VER) || defined(__WATCOMC__)
 #define UL64(x) x##ui64
@@ -57,6 +50,10 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
+#define SHA512_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA )
+#define SHA512_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if !defined(MBEDTLS_SHA512_ALT)
 
 /*
@@ -64,33 +61,43 @@
  */
 #ifndef GET_UINT64_BE
 #define GET_UINT64_BE(n,b,i)                            \
-    {                                                       \
-        (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
-              | ( (uint64_t) (b)[(i) + 1] << 48 )       \
-              | ( (uint64_t) (b)[(i) + 2] << 40 )       \
-              | ( (uint64_t) (b)[(i) + 3] << 32 )       \
-              | ( (uint64_t) (b)[(i) + 4] << 24 )       \
-              | ( (uint64_t) (b)[(i) + 5] << 16 )       \
-              | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
-              | ( (uint64_t) (b)[(i) + 7]       );      \
-    }
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
+        | ( (uint64_t) (b)[(i) + 1] << 48 )       \
+        | ( (uint64_t) (b)[(i) + 2] << 40 )       \
+        | ( (uint64_t) (b)[(i) + 3] << 32 )       \
+        | ( (uint64_t) (b)[(i) + 4] << 24 )       \
+        | ( (uint64_t) (b)[(i) + 5] << 16 )       \
+        | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
+        | ( (uint64_t) (b)[(i) + 7]       );      \
+}
 #endif /* GET_UINT64_BE */
 
 #ifndef PUT_UINT64_BE
 #define PUT_UINT64_BE(n,b,i)                            \
-    {                                                       \
-        (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
-        (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
-        (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
-        (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
-        (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
-        (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
-        (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
-        (b)[(i) + 7] = (unsigned char) ( (n)       );       \
-    }
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 7] = (unsigned char) ( (n)       );       \
+}
 #endif /* PUT_UINT64_BE */
 
+#if defined(MBEDTLS_SHA512_SMALLER)
+static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i) {
+    PUT_UINT64_BE(n, b, i);
+}
+#else
+#define sha512_put_uint64_be    PUT_UINT64_BE
+#endif /* MBEDTLS_SHA512_SMALLER */
+
 void mbedtls_sha512_init(mbedtls_sha512_context *ctx) {
+    SHA512_VALIDATE(ctx != NULL);
+
     memset(ctx, 0, sizeof(mbedtls_sha512_context));
 }
 
@@ -103,6 +110,9 @@ void mbedtls_sha512_free(mbedtls_sha512_context *ctx) {
 
 void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
                           const mbedtls_sha512_context *src) {
+    SHA512_VALIDATE(dst != NULL);
+    SHA512_VALIDATE(src != NULL);
+
     *dst = *src;
 }
 
@@ -110,6 +120,13 @@ void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
  * SHA-512 context setup
  */
 int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384) {
+    SHA512_VALIDATE_RET(ctx != NULL);
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+    SHA512_VALIDATE_RET(is384 == 0 || is384 == 1);
+#else
+    SHA512_VALIDATE_RET(is384 == 0);
+#endif
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -124,6 +141,9 @@ int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384) {
         ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
         ctx->state[7] = UL64(0x5BE0CD19137E2179);
     } else {
+#if defined(MBEDTLS_SHA512_NO_SHA384)
+        return (MBEDTLS_ERR_SHA512_BAD_INPUT_DATA);
+#else
         /* SHA-384 */
         ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
         ctx->state[1] = UL64(0x629A292A367CD507);
@@ -133,9 +153,12 @@ int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384) {
         ctx->state[5] = UL64(0x8EB44A8768581511);
         ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
         ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+#endif /* MBEDTLS_SHA512_NO_SHA384 */
     }
 
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
     ctx->is384 = is384;
+#endif
 
     return (0);
 }
@@ -198,11 +221,16 @@ static const uint64_t K[80] = {
 int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
                                     const unsigned char data[128]) {
     int i;
-    uint64_t temp1, temp2, W[80];
-    uint64_t A, B, C, D, E, F, G, H;
+    struct {
+        uint64_t temp1, temp2, W[80];
+        uint64_t A[8];
+    } local;
 
-#define  SHR(x,n) (x >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
+    SHA512_VALIDATE_RET(ctx != NULL);
+    SHA512_VALIDATE_RET((const unsigned char *)data != NULL);
+
+#define  SHR(x,n) ((x) >> (n))
+#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
 
 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
 #define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
@@ -210,62 +238,86 @@ int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
 #define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
 #define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
 
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-    {                                               \
-        temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-        temp2 = S2(a) + F0(a,b,c);                  \
-        d += temp1; h = temp1 + temp2;              \
+#define P(a,b,c,d,e,f,g,h,x,K)                                      \
+    do                                                              \
+    {                                                               \
+        local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);    \
+        local.temp2 = S2(a) + F0((a),(b),(c));                      \
+        (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
+    } while( 0 )
+
+    for (i = 0; i < 8; i++)
+        local.A[i] = ctx->state[i];
+
+#if defined(MBEDTLS_SHA512_SMALLER)
+    for (i = 0; i < 80; i++) {
+        if (i < 16) {
+            GET_UINT64_BE(local.W[i], data, i << 3);
+        } else {
+            local.W[i] = S1(local.W[i -  2]) + local.W[i -  7] +
+                         S0(local.W[i - 15]) + local.W[i - 16];
+        }
+
+        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+          local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
+
+        local.temp1 = local.A[7];
+        local.A[7] = local.A[6];
+        local.A[6] = local.A[5];
+        local.A[5] = local.A[4];
+        local.A[4] = local.A[3];
+        local.A[3] = local.A[2];
+        local.A[2] = local.A[1];
+        local.A[1] = local.A[0];
+        local.A[0] = local.temp1;
     }
-
+#else /* MBEDTLS_SHA512_SMALLER */
     for (i = 0; i < 16; i++) {
-        GET_UINT64_BE(W[i], data, i << 3);
+        GET_UINT64_BE(local.W[i], data, i << 3);
     }
 
     for (; i < 80; i++) {
-        W[i] = S1(W[i -  2]) + W[i -  7] +
-               S0(W[i - 15]) + W[i - 16];
+        local.W[i] = S1(local.W[i -  2]) + local.W[i -  7] +
+                     S0(local.W[i - 15]) + local.W[i - 16];
     }
 
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
-    F = ctx->state[5];
-    G = ctx->state[6];
-    H = ctx->state[7];
     i = 0;
-
     do {
-        P(A, B, C, D, E, F, G, H, W[i], K[i]);
+        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+          local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
         i++;
-        P(H, A, B, C, D, E, F, G, W[i], K[i]);
+        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+          local.A[4], local.A[5], local.A[6], local.W[i], K[i]);
         i++;
-        P(G, H, A, B, C, D, E, F, W[i], K[i]);
+        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+          local.A[3], local.A[4], local.A[5], local.W[i], K[i]);
         i++;
-        P(F, G, H, A, B, C, D, E, W[i], K[i]);
+        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+          local.A[2], local.A[3], local.A[4], local.W[i], K[i]);
         i++;
-        P(E, F, G, H, A, B, C, D, W[i], K[i]);
+        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+          local.A[1], local.A[2], local.A[3], local.W[i], K[i]);
         i++;
-        P(D, E, F, G, H, A, B, C, W[i], K[i]);
+        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+          local.A[0], local.A[1], local.A[2], local.W[i], K[i]);
         i++;
-        P(C, D, E, F, G, H, A, B, W[i], K[i]);
+        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+          local.A[7], local.A[0], local.A[1], local.W[i], K[i]);
         i++;
-        P(B, C, D, E, F, G, H, A, W[i], K[i]);
+        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+          local.A[6], local.A[7], local.A[0], local.W[i], K[i]);
         i++;
     } while (i < 80);
+#endif /* MBEDTLS_SHA512_SMALLER */
 
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
-    ctx->state[5] += F;
-    ctx->state[6] += G;
-    ctx->state[7] += H;
+    for (i = 0; i < 8; i++)
+        ctx->state[i] += local.A[i];
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_platform_zeroize(&local, sizeof(local));
 
     return (0);
 }
@@ -284,10 +336,13 @@ void mbedtls_sha512_process(mbedtls_sha512_context *ctx,
 int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
                               const unsigned char *input,
                               size_t ilen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t fill;
     unsigned int left;
 
+    SHA512_VALIDATE_RET(ctx != NULL);
+    SHA512_VALIDATE_RET(ilen == 0 || input != NULL);
+
     if (ilen == 0)
         return (0);
 
@@ -337,10 +392,13 @@ void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
  */
 int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
                               unsigned char output[64]) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned used;
     uint64_t high, low;
 
+    SHA512_VALIDATE_RET(ctx != NULL);
+    SHA512_VALIDATE_RET((unsigned char *)output != NULL);
+
     /*
      * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
      */
@@ -368,8 +426,8 @@ int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
            | (ctx->total[1] <<  3);
     low  = (ctx->total[0] <<  3);
 
-    PUT_UINT64_BE(high, ctx->buffer, 112);
-    PUT_UINT64_BE(low,  ctx->buffer, 120);
+    sha512_put_uint64_be(high, ctx->buffer, 112);
+    sha512_put_uint64_be(low,  ctx->buffer, 120);
 
     if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0)
         return (ret);
@@ -377,16 +435,19 @@ int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
     /*
      * Output final state
      */
-    PUT_UINT64_BE(ctx->state[0], output,  0);
-    PUT_UINT64_BE(ctx->state[1], output,  8);
-    PUT_UINT64_BE(ctx->state[2], output, 16);
-    PUT_UINT64_BE(ctx->state[3], output, 24);
-    PUT_UINT64_BE(ctx->state[4], output, 32);
-    PUT_UINT64_BE(ctx->state[5], output, 40);
+    sha512_put_uint64_be(ctx->state[0], output,  0);
+    sha512_put_uint64_be(ctx->state[1], output,  8);
+    sha512_put_uint64_be(ctx->state[2], output, 16);
+    sha512_put_uint64_be(ctx->state[3], output, 24);
+    sha512_put_uint64_be(ctx->state[4], output, 32);
+    sha512_put_uint64_be(ctx->state[5], output, 40);
 
-    if (ctx->is384 == 0) {
-        PUT_UINT64_BE(ctx->state[6], output, 48);
-        PUT_UINT64_BE(ctx->state[7], output, 56);
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+    if (ctx->is384 == 0)
+#endif
+    {
+        sha512_put_uint64_be(ctx->state[6], output, 48);
+        sha512_put_uint64_be(ctx->state[7], output, 56);
     }
 
     return (0);
@@ -408,9 +469,17 @@ int mbedtls_sha512_ret(const unsigned char *input,
                        size_t ilen,
                        unsigned char output[64],
                        int is384) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_sha512_context ctx;
 
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
+    SHA512_VALIDATE_RET(is384 == 0 || is384 == 1);
+#else
+    SHA512_VALIDATE_RET(is384 == 0);
+#endif
+    SHA512_VALIDATE_RET(ilen == 0 || input != NULL);
+    SHA512_VALIDATE_RET((unsigned char *)output != NULL);
+
     mbedtls_sha512_init(&ctx);
 
     if ((ret = mbedtls_sha512_starts_ret(&ctx, is384)) != 0)
@@ -444,10 +513,7 @@ void mbedtls_sha512(const unsigned char *input,
  */
 static const unsigned char sha512_test_buf[3][113] = {
     { "abc" },
-    {
-        "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
-        "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
-    },
+    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
     { "" }
 };
 
@@ -455,7 +521,8 @@ static const size_t sha512_test_buflen[3] = {
     3, 112, 1000
 };
 
-static const unsigned char sha512_test_sum[6][64] = {
+static const unsigned char sha512_test_sum[][64] = {
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
     /*
      * SHA-384 test vectors
      */
@@ -483,6 +550,7 @@ static const unsigned char sha512_test_sum[6][64] = {
         0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
         0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85
     },
+#endif /* !MBEDTLS_SHA512_NO_SHA384 */
 
     /*
      * SHA-512 test vectors
@@ -519,6 +587,8 @@ static const unsigned char sha512_test_sum[6][64] = {
     }
 };
 
+#define ARRAY_LENGTH( a )   ( sizeof( a ) / sizeof( ( a )[0] ) )
+
 /*
  * Checkup routine
  */
@@ -538,9 +608,13 @@ int mbedtls_sha512_self_test(int verbose) {
 
     mbedtls_sha512_init(&ctx);
 
-    for (i = 0; i < 6; i++) {
+    for (i = 0; i < (int) ARRAY_LENGTH(sha512_test_sum); i++) {
         j = i % 3;
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
         k = i < 3;
+#else
+        k = 0;
+#endif
 
         if (verbose != 0)
             mbedtls_printf("  SHA-%d test #%d: ", 512 - k * 128, j + 1);
@@ -591,6 +665,8 @@ exit:
     return (ret);
 }
 
+#undef ARRAY_LENGTH
+
 #endif /* MBEDTLS_SELF_TEST */
 
 #endif /* MBEDTLS_SHA512_C */
diff --git a/common/mbedtls/sha512.h b/common/mbedtls/sha512.h
index cc03222a2..10587bc85 100644
--- a/common/mbedtls/sha512.h
+++ b/common/mbedtls/sha512.h
@@ -6,30 +6,26 @@
  * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
  */
 /*
- *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_SHA512_H
 #define MBEDTLS_SHA512_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -37,7 +33,9 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA                 -0x0075  /**< SHA-512 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
@@ -58,8 +56,10 @@ typedef struct mbedtls_sha512_context {
     uint64_t total[2];          /*!< The number of Bytes processed. */
     uint64_t state[8];          /*!< The intermediate digest state. */
     unsigned char buffer[128];  /*!< The data block being processed. */
+#if !defined(MBEDTLS_SHA512_NO_SHA384)
     int is384;                  /*!< Determines which function to use:
                                      0: Use SHA-512, or 1: Use SHA-384. */
+#endif
 }
 mbedtls_sha512_context;
 
@@ -70,22 +70,26 @@ mbedtls_sha512_context;
 /**
  * \brief          This function initializes a SHA-512 context.
  *
- * \param ctx      The SHA-512 context to initialize.
+ * \param ctx      The SHA-512 context to initialize. This must
+ *                 not be \c NULL.
  */
 void mbedtls_sha512_init(mbedtls_sha512_context *ctx);
 
 /**
  * \brief          This function clears a SHA-512 context.
  *
- * \param ctx      The SHA-512 context to clear.
+ * \param ctx      The SHA-512 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it
+ *                 is not \c NULL, it must point to an initialized
+ *                 SHA-512 context.
  */
 void mbedtls_sha512_free(mbedtls_sha512_context *ctx);
 
 /**
  * \brief          This function clones the state of a SHA-512 context.
  *
- * \param dst      The destination context.
- * \param src      The context to clone.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
  */
 void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
                           const mbedtls_sha512_context *src);
@@ -94,11 +98,16 @@ void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
  * \brief          This function starts a SHA-384 or SHA-512 checksum
  *                 calculation.
  *
- * \param ctx      The SHA-512 context to initialize.
- * \param is384    Determines which function to use:
- *                 0: Use SHA-512, or 1: Use SHA-384.
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be
+ *                 either \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
+ *                 be \c 0, or the function will return
+ *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384);
 
@@ -106,11 +115,14 @@ int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384);
  * \brief          This function feeds an input buffer into an ongoing
  *                 SHA-512 checksum calculation.
  *
- * \param ctx      The SHA-512 context.
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
                               const unsigned char *input,
@@ -118,13 +130,15 @@ int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
 
 /**
  * \brief          This function finishes the SHA-512 operation, and writes
- *                 the result to the output buffer. This function is for
- *                 internal use only.
+ *                 the result to the output buffer.
  *
- * \param ctx      The SHA-512 context.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
  * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
                               unsigned char output[64]);
@@ -132,11 +146,14 @@ int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
 /**
  * \brief          This function processes a single data block within
  *                 the ongoing SHA-512 computation.
+ *                 This function is for internal use only.
  *
- * \param ctx      The SHA-512 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This
+ *                 must be a readable buffer of length \c 128 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
                                     const unsigned char data[128]);
@@ -152,9 +169,12 @@ int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
  *
- * \param ctx      The SHA-512 context to initialize.
- * \param is384    Determines which function to use:
- *                 0: Use SHA-512, or 1: Use SHA-384.
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512 or \c 1 for SHA-384.
+ *
+ * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
+ *                 be \c 0, or the function will fail to work.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_starts(mbedtls_sha512_context *ctx,
                                               int is384);
@@ -165,9 +185,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_starts(mbedtls_sha512_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
                                               const unsigned char *input,
@@ -179,8 +201,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param output   The SHA-384 or SHA-512 checksum result.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of size \c 64 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
                                               unsigned char output[64]);
@@ -192,8 +216,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of length \c 128 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_process(
     mbedtls_sha512_context *ctx,
@@ -212,13 +237,20 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_process(
  *                 The SHA-512 result is calculated as
  *                 output = SHA-512(input buffer).
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ * \param input    The buffer holding the input data. This must be
+ *                 a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  * \param output   The SHA-384 or SHA-512 checksum result.
- * \param is384    Determines which function to use:
- *                 0: Use SHA-512, or 1: Use SHA-384.
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
+ *                 be \c 0, or the function will return
+ *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_ret(const unsigned char *input,
                        size_t ilen,
@@ -231,6 +263,7 @@ int mbedtls_sha512_ret(const unsigned char *input,
 #else
 #define MBEDTLS_DEPRECATED
 #endif
+
 /**
  * \brief          This function calculates the SHA-512 or SHA-384
  *                 checksum of a buffer.
@@ -243,11 +276,16 @@ int mbedtls_sha512_ret(const unsigned char *input,
  *
  * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
  *
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-384 or SHA-512 checksum result.
- * \param is384    Determines which function to use:
- *                 0: Use SHA-512, or 1: Use SHA-384.
+ * \param input    The buffer holding the data. This must be a
+ *                 readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
+ *                 be \c 0, or the function will fail to work.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512(const unsigned char *input,
                                        size_t ilen,
@@ -256,6 +294,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha512(const unsigned char *input,
 
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
 * \brief          The SHA-384 or SHA-512 checkup routine.
 *
@@ -263,6 +304,7 @@ MBEDTLS_DEPRECATED void mbedtls_sha512(const unsigned char *input,
 * \return         \c 1 on failure.
 */
 int mbedtls_sha512_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
 
 #ifdef __cplusplus
 }
diff --git a/common/mbedtls/ssl.h b/common/mbedtls/ssl.h
new file mode 100644
index 000000000..7c78a698a
--- /dev/null
+++ b/common/mbedtls/ssl.h
@@ -0,0 +1,4344 @@
+/**
+ * \file ssl.h
+ *
+ * \brief SSL/TLS functions.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_H
+#define MBEDTLS_SSL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+
+#include "mbedtls/ssl_ciphersuites.h"
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "mbedtls/dhm.h"
+#endif
+
+/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
+ * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
+ * in functionality that access to ecdh_ctx structure is needed for
+ * MBEDTLS_ECDSA_C which does not seem correct.
+ */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdh.h"
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
+#endif
+
+#include "zlib.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * SSL Error codes
+ */
+#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
+#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
+#define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
+#define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
+#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
+#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
+#define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
+#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
+#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */
+#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
+#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
+#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
+#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP     -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS     -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
+#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00  /**< Memory allocation failed */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
+#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
+#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
+#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
+#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
+#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
+#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unknown identity received (eg, PSK identity) */
+#define MBEDTLS_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
+#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */
+#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
+#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
+#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
+#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< No data of requested type currently available on underlying transport. */
+#define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
+#define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
+#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
+#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
+#define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_CID                    -0x6000  /**< An encrypted DTLS-frame with an unexpected CID was received. */
+#define MBEDTLS_ERR_SSL_VERSION_MISMATCH                  -0x5F00  /**< An operation failed due to an unexpected version or configuration. */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
+#define MBEDTLS_ERR_SSL_BAD_CONFIG                        -0x5E80  /**< Invalid value in SSL config */
+
+/*
+ * Various constants
+ */
+#define MBEDTLS_SSL_MAJOR_VERSION_3             3
+#define MBEDTLS_SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
+#define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
+#define MBEDTLS_SSL_MINOR_VERSION_4             4   /*!< TLS v1.3 (experimental) */
+
+#define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
+#define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
+
+#define MBEDTLS_SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN           255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */
+
+#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN           65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301          */
+
+/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
+ * NONE must be zero so that memset()ing structure to zero works */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_512            1   /*!< MaxFragmentLength 2^9      */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_1024           2   /*!< MaxFragmentLength 2^10     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_2048           3   /*!< MaxFragmentLength 2^11     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_4096           4   /*!< MaxFragmentLength 2^12     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID        5   /*!< first invalid value        */
+
+#define MBEDTLS_SSL_IS_CLIENT                   0
+#define MBEDTLS_SSL_IS_SERVER                   1
+
+#define MBEDTLS_SSL_IS_NOT_FALLBACK             0
+#define MBEDTLS_SSL_IS_FALLBACK                 1
+
+#define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
+#define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
+
+#define MBEDTLS_SSL_CID_DISABLED                0
+#define MBEDTLS_SSL_CID_ENABLED                 1
+
+#define MBEDTLS_SSL_ETM_DISABLED                0
+#define MBEDTLS_SSL_ETM_ENABLED                 1
+
+#define MBEDTLS_SSL_COMPRESS_NULL               0
+#define MBEDTLS_SSL_COMPRESS_DEFLATE            1
+
+#define MBEDTLS_SSL_VERIFY_NONE                 0
+#define MBEDTLS_SSL_VERIFY_OPTIONAL             1
+#define MBEDTLS_SSL_VERIFY_REQUIRED             2
+#define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
+
+#define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
+#define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
+
+#define MBEDTLS_SSL_RENEGOTIATION_DISABLED      0
+#define MBEDTLS_SSL_RENEGOTIATION_ENABLED       1
+
+#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED        0
+#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED         1
+
+#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED  -1
+#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT  16
+
+#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION     0
+#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION  1
+#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE      2
+
+#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED         0
+#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED          1
+#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
+
+#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
+#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
+
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED    0
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED     1
+
+#define MBEDTLS_SSL_ARC4_ENABLED                0
+#define MBEDTLS_SSL_ARC4_DISABLED               1
+
+#define MBEDTLS_SSL_PRESET_DEFAULT              0
+#define MBEDTLS_SSL_PRESET_SUITEB               2
+
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED       1
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED      0
+
+#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED    0
+#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED      1
+
+/*
+ * Default range for DTLS retransmission timer value, in milliseconds.
+ * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
+ */
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN    1000
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
+#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+#endif
+
+/*
+ * Maximum fragment length in bytes,
+ * determines the size of each of the two internal I/O buffers.
+ *
+ * Note: the RFC defines the default size of SSL / TLS messages. If you
+ * change the value here, other clients / servers may not be able to
+ * communicate with you anymore. Only change this value if you control
+ * both sides of the connection and have it reduced at both sides, or
+ * if you're using the Max Fragment Length extension and you know all your
+ * peers are using it too!
+ */
+#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
+#define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
+#endif
+
+#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+/*
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ */
+#if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+#endif
+
+/*
+ * Maximum length of CIDs for incoming and outgoing messages.
+ */
+#if !defined(MBEDTLS_SSL_CID_IN_LEN_MAX)
+#define MBEDTLS_SSL_CID_IN_LEN_MAX          32
+#endif
+
+#if !defined(MBEDTLS_SSL_CID_OUT_LEN_MAX)
+#define MBEDTLS_SSL_CID_OUT_LEN_MAX         32
+#endif
+
+#if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
+#endif
+
+#if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
+#endif
+
+/* \} name SECTION: Module settings */
+
+/*
+ * Length of the verify data for secure renegotiation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
+#else
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
+#endif
+
+/*
+ * Signaling ciphersuite values (SCSV)
+ */
+#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
+
+/*
+ * Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
+ */
+#define MBEDTLS_SSL_HASH_NONE                0
+#define MBEDTLS_SSL_HASH_MD5                 1
+#define MBEDTLS_SSL_HASH_SHA1                2
+#define MBEDTLS_SSL_HASH_SHA224              3
+#define MBEDTLS_SSL_HASH_SHA256              4
+#define MBEDTLS_SSL_HASH_SHA384              5
+#define MBEDTLS_SSL_HASH_SHA512              6
+
+#define MBEDTLS_SSL_SIG_ANON                 0
+#define MBEDTLS_SSL_SIG_RSA                  1
+#define MBEDTLS_SSL_SIG_ECDSA                3
+
+/*
+ * Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
+ */
+#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN       1
+#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN    64
+
+/*
+ * Message, alert and handshake types
+ */
+#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC     20
+#define MBEDTLS_SSL_MSG_ALERT                  21
+#define MBEDTLS_SSL_MSG_HANDSHAKE              22
+#define MBEDTLS_SSL_MSG_APPLICATION_DATA       23
+#define MBEDTLS_SSL_MSG_CID                    25
+
+#define MBEDTLS_SSL_ALERT_LEVEL_WARNING         1
+#define MBEDTLS_SSL_ALERT_LEVEL_FATAL           2
+
+#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
+#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
+#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
+#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
+#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
+#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
+#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
+#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
+#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
+#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
+#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
+#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
+#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
+#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
+#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
+#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
+
+#define MBEDTLS_SSL_HS_HELLO_REQUEST            0
+#define MBEDTLS_SSL_HS_CLIENT_HELLO             1
+#define MBEDTLS_SSL_HS_SERVER_HELLO             2
+#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
+#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
+#define MBEDTLS_SSL_HS_CERTIFICATE             11
+#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
+#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST     13
+#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE       14
+#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY      15
+#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE     16
+#define MBEDTLS_SSL_HS_FINISHED                20
+
+/*
+ * TLS extensions
+ */
+#define MBEDTLS_TLS_EXT_SERVERNAME                   0
+#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME          0
+
+#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
+
+#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
+
+#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS     11
+
+#define MBEDTLS_TLS_EXT_SIG_ALG                     13
+
+#define MBEDTLS_TLS_EXT_USE_SRTP                    14
+
+#define MBEDTLS_TLS_EXT_ALPN                        16
+
+#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
+#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
+#define MBEDTLS_TLS_EXT_SESSION_TICKET              35
+
+/* The value of the CID extension is still TBD as of
+ * draft-ietf-tls-dtls-connection-id-05
+ * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) */
+#define MBEDTLS_TLS_EXT_CID                        254 /* TBD */
+
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP               256 /* experimental */
+
+#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
+
+/*
+ * Size defines
+ */
+#if !defined(MBEDTLS_PSK_MAX_LEN)
+#define MBEDTLS_PSK_MAX_LEN            32 /* 256 bits */
+#endif
+
+/* Dummy type used only for its size */
+union mbedtls_ssl_premaster_secret {
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    unsigned char _pms_rsa[48];                         /* RFC 5246 8.1.1 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE];      /* RFC 5246 8.1.2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
+                                 + MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 3 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN];      /* RFC 4279 4 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
+                                   + MBEDTLS_PSK_MAX_LEN];     /* RFC 5489 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    unsigned char _pms_ecjpake[32];     /* Thread spec: SHA-256 output */
+#endif
+};
+
+#define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SSL state machine
+ */
+typedef enum {
+    MBEDTLS_SSL_HELLO_REQUEST,
+    MBEDTLS_SSL_CLIENT_HELLO,
+    MBEDTLS_SSL_SERVER_HELLO,
+    MBEDTLS_SSL_SERVER_CERTIFICATE,
+    MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_REQUEST,
+    MBEDTLS_SSL_SERVER_HELLO_DONE,
+    MBEDTLS_SSL_CLIENT_CERTIFICATE,
+    MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_VERIFY,
+    MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_CLIENT_FINISHED,
+    MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_SERVER_FINISHED,
+    MBEDTLS_SSL_FLUSH_BUFFERS,
+    MBEDTLS_SSL_HANDSHAKE_WRAPUP,
+    MBEDTLS_SSL_HANDSHAKE_OVER,
+    MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
+    MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
+}
+mbedtls_ssl_states;
+
+/*
+ * The tls_prf function types.
+ */
+typedef enum {
+    MBEDTLS_SSL_TLS_PRF_NONE,
+    MBEDTLS_SSL_TLS_PRF_SSL3,
+    MBEDTLS_SSL_TLS_PRF_TLS1,
+    MBEDTLS_SSL_TLS_PRF_SHA384,
+    MBEDTLS_SSL_TLS_PRF_SHA256
+}
+mbedtls_tls_prf_types;
+/**
+ * \brief          Callback type: send data on the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the send callback (typically a file descriptor)
+ * \param buf      Buffer holding the data to send
+ * \param len      Length of the data to send
+ *
+ * \return         The callback must return the number of bytes sent if any,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback is allowed to send fewer bytes than requested.
+ *                 It must always return the number of bytes actually sent.
+ */
+typedef int mbedtls_ssl_send_t(void *ctx,
+                               const unsigned char *buf,
+                               size_t len);
+
+/**
+ * \brief          Callback type: receive data from the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the receive callback (typically a file
+ *                 descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_t(void *ctx,
+                               unsigned char *buf,
+                               size_t len);
+
+/**
+ * \brief          Callback type: receive data from the network, with timeout
+ *
+ * \note           That callback must block until data is received, or the
+ *                 timeout delay expires, or the operation is interrupted by a
+ *                 signal.
+ *
+ * \param ctx      Context for the receive callback (typically a file descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ * \param timeout  Maximum nomber of millisecondes to wait for data
+ *                 0 means no timeout (potentially waiting forever)
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code:
+ *                 \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_timeout_t(void *ctx,
+                                       unsigned char *buf,
+                                       size_t len,
+                                       uint32_t timeout);
+/**
+ * \brief          Callback type: set a pair of timers/delays to watch
+ *
+ * \param ctx      Context pointer
+ * \param int_ms   Intermediate delay in milliseconds
+ * \param fin_ms   Final delay in milliseconds
+ *                 0 cancels the current timer.
+ *
+ * \note           This callback must at least store the necessary information
+ *                 for the associated \c mbedtls_ssl_get_timer_t callback to
+ *                 return correct information.
+ *
+ * \note           If using a event-driven style of programming, an event must
+ *                 be generated when the final delay is passed. The event must
+ *                 cause a call to \c mbedtls_ssl_handshake() with the proper
+ *                 SSL context to be scheduled. Care must be taken to ensure
+ *                 that at most one such call happens at a time.
+ *
+ * \note           Only one timer at a time must be running. Calling this
+ *                 function while a timer is running must cancel it. Cancelled
+ *                 timers must not generate any event.
+ */
+typedef void mbedtls_ssl_set_timer_t(void *ctx,
+                                     uint32_t int_ms,
+                                     uint32_t fin_ms);
+
+/**
+ * \brief          Callback type: get status of timers/delays
+ *
+ * \param ctx      Context pointer
+ *
+ * \return         This callback must return:
+ *                 -1 if cancelled (fin_ms == 0),
+ *                  0 if none of the delays have passed,
+ *                  1 if only the intermediate delay has passed,
+ *                  2 if the final delay has passed.
+ */
+typedef int mbedtls_ssl_get_timer_t(void *ctx);
+
+/* Defined below */
+typedef struct mbedtls_ssl_session mbedtls_ssl_session;
+typedef struct mbedtls_ssl_context mbedtls_ssl_context;
+typedef struct mbedtls_ssl_config  mbedtls_ssl_config;
+
+/* Defined in ssl_internal.h */
+typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
+typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
+typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief           Callback type: start external signature operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  a signature decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p hash if the value
+ *                  is needed for later processing, because the \p hash buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \note            For RSA signatures, this function must produce output
+ *                  that is consistent with PKCS#1 v1.5 in the same way as
+ *                  mbedtls_rsa_pkcs1_sign(). Before the private key operation,
+ *                  apply the padding steps described in RFC 8017, section 9.2
+ *                  "EMSA-PKCS1-v1_5" as follows.
+ *                  - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the DigestInfo to be
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 3, with `T = hash` and `tLen = hash_len`.
+ *                  - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the hash to be encoded and
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 2, with `digestAlgorithm` obtained by calling
+ *                    mbedtls_oid_get_oid_by_md() on \p md_alg.
+ *
+ * \note            For ECDSA signatures, the output format is the DER encoding
+ *                  `Ecdsa-Sig-Value` defined in
+ *                  [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param md_alg          Hash algorithm.
+ * \param hash            Buffer containing the hash. This buffer is
+ *                        no longer valid when the function returns.
+ * \param hash_len        Size of the \c hash buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_sign_t(mbedtls_ssl_context *ssl,
+                                     mbedtls_x509_crt *cert,
+                                     mbedtls_md_type_t md_alg,
+                                     const unsigned char *hash,
+                                     size_t hash_len);
+
+/**
+ * \brief           Callback type: start external decryption operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  an RSA decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p input if the value
+ *                  is needed for later processing, because the \p input buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \warning         RSA decryption as used in TLS is subject to a potential
+ *                  timing side channel attack first discovered by Bleichenbacher
+ *                  in 1998. This attack can be remotely exploitable
+ *                  in practice. To avoid this attack, you must ensure that
+ *                  if the callback performs an RSA decryption, the time it
+ *                  takes to execute and return the result does not depend
+ *                  on whether the RSA decryption succeeded or reported
+ *                  invalid padding.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param input           Buffer containing the input ciphertext. This buffer
+ *                        is no longer valid when the function returns.
+ * \param input_len       Size of the \p input buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_decrypt_t(mbedtls_ssl_context *ssl,
+                                        mbedtls_x509_crt *cert,
+                                        const unsigned char *input,
+                                        size_t input_len);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief           Callback type: resume external operation.
+ *
+ *                  This callback is called during an SSL handshake to resume
+ *                  an external operation started by the
+ *                  ::mbedtls_ssl_async_sign_t or
+ *                  ::mbedtls_ssl_async_decrypt_t callback.
+ *
+ *                  This function typically checks the status of a pending
+ *                  request or causes the request queue to make progress, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *                  It may call mbedtls_ssl_set_async_operation_data() to modify
+ *                  this context.
+ *
+ *                  Note that when this function returns a status other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
+ *                  resources associated with the operation.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param output          Buffer containing the output (signature or decrypted
+ *                        data) on success.
+ * \param output_len      On success, number of bytes written to \p output.
+ * \param output_size     Size of the \p output buffer in bytes.
+ *
+ * \return          0 if output of the operation is available in the
+ *                  \p output buffer.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  is still in progress. Subsequent requests for progress
+ *                  on the SSL connection will call the resume callback
+ *                  again.
+ * \return          Any other error means that the operation is aborted.
+ *                  The SSL handshake is aborted. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_resume_t(mbedtls_ssl_context *ssl,
+                                       unsigned char *output,
+                                       size_t *output_len,
+                                       size_t output_size);
+
+/**
+ * \brief           Callback type: cancel external operation.
+ *
+ *                  This callback is called if an SSL connection is closed
+ *                  while an asynchronous operation is in progress. Note that
+ *                  this callback is not called if the
+ *                  ::mbedtls_ssl_async_resume_t callback has run and has
+ *                  returned a value other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
+ *                  the asynchronous operation has already completed.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified.
+ */
+typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) &&        \
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN  48
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  32
+#elif defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  48
+#elif defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  20
+#else
+/* This is already checked in check_config.h, but be sure. */
+#error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT."
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED &&
+          !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+
+#define MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH             255
+#define MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH    4
+/*
+ * For code readability use a typedef for DTLS-SRTP profiles
+ *
+ * Use_srtp extension protection profiles values as defined in
+ * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ *
+ * Reminder: if this list is expanded mbedtls_ssl_check_srtp_profile_value
+ * must be updated too.
+ */
+#define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80     ( (uint16_t) 0x0001)
+#define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32     ( (uint16_t) 0x0002)
+#define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80          ( (uint16_t) 0x0005)
+#define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32          ( (uint16_t) 0x0006)
+/* This one is not iana defined, but for code readability. */
+#define MBEDTLS_TLS_SRTP_UNSET                      ( (uint16_t) 0x0000)
+
+typedef uint16_t mbedtls_ssl_srtp_profile;
+
+typedef struct mbedtls_dtls_srtp_info_t {
+    /*! The SRTP profile that was negotiated. */
+    mbedtls_ssl_srtp_profile chosen_dtls_srtp_profile;
+    /*! The length of mki_value. */
+    uint16_t mki_len;
+    /*! The mki_value used, with max size of 256 bytes. */
+    unsigned char mki_value[MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH];
+}
+mbedtls_dtls_srtp_info;
+
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * This structure is used for storing current session data.
+ *
+ * Note: when changing this definition, we need to check and update:
+ *  - in tests/suites/test_suite_ssl.function:
+ *      ssl_populate_session() and ssl_serialize_session_save_load()
+ *  - in library/ssl_tls.c:
+ *      mbedtls_ssl_session_init() and mbedtls_ssl_session_free()
+ *      mbedtls_ssl_session_save() and ssl_session_load()
+ *      ssl_session_copy()
+ */
+struct mbedtls_ssl_session {
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t start;       /*!< starting time      */
+#endif
+    int ciphersuite;            /*!< chosen ciphersuite */
+    int compression;            /*!< chosen compression */
+    size_t id_len;              /*!< session id length  */
+    unsigned char id[32];       /*!< session identifier */
+    unsigned char master[48];   /*!< the master secret  */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    mbedtls_x509_crt *peer_cert;       /*!< peer X.509 cert chain */
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    /*! The digest of the peer's end-CRT. This must be kept to detect CRT
+     *  changes during renegotiation, mitigating the triple handshake attack. */
+    unsigned char *peer_cert_digest;
+    size_t peer_cert_digest_len;
+    mbedtls_md_type_t peer_cert_digest_type;
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    uint32_t verify_result;          /*!<  verification result     */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ticket;      /*!< RFC 5077 session ticket */
+    size_t ticket_len;          /*!< session ticket length   */
+    uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    int trunc_hmac;             /*!< flag for truncated hmac activation   */
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
+};
+
+/**
+ * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
+ */
+struct mbedtls_ssl_config {
+    /* Group items by size (largest first) to minimize padding overhead */
+
+    /*
+     * Pointers
+     */
+
+    const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version   */
+
+    /** Callback for printing debug output                                  */
+    void (*f_dbg)(void *, int, const char *, int, const char *);
+    void *p_dbg;                    /*!< context for the debug function     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+    /** Callback to retrieve a session from the cache                       */
+    int (*f_get_cache)(void *, mbedtls_ssl_session *);
+    /** Callback to store a session into the cache                          */
+    int (*f_set_cache)(void *, const mbedtls_ssl_session *);
+    void *p_cache;                  /*!< context for cache callbacks        */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /** Callback for setting cert according to SNI extension                */
+    int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_sni;                    /*!< context for SNI callback           */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification          */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;                   /*!< context for X.509 verify calllback */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    /** Callback to retrieve PSK key from identity                          */
+    int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_psk;                    /*!< context for PSK callback           */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a cookie for ClientHello veirifcation    */
+    int (*f_cookie_write)(void *, unsigned char **, unsigned char *,
+                          const unsigned char *, size_t);
+    /** Callback to verify validity of a ClientHello cookie                 */
+    int (*f_cookie_check)(void *, const unsigned char *, size_t,
+                          const unsigned char *, size_t);
+    void *p_cookie;                 /*!< context for the cookie callbacks   */
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a session ticket                         */
+    int (*f_ticket_write)(void *, const mbedtls_ssl_session *,
+                          unsigned char *, const unsigned char *, size_t *, uint32_t *);
+    /** Callback to parse a session ticket into a session structure         */
+    int (*f_ticket_parse)(void *, mbedtls_ssl_session *, unsigned char *, size_t);
+    void *p_ticket;                 /*!< context for the ticket callbacks   */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    /** Callback to export key block and master secret                      */
+    int (*f_export_keys)(void *, const unsigned char *,
+                         const unsigned char *, size_t, size_t, size_t);
+    /** Callback to export key block, master secret,
+     *  tls_prf and random bytes. Should replace f_export_keys    */
+    int (*f_export_keys_ext)(void *, const unsigned char *,
+                             const unsigned char *, size_t, size_t, size_t,
+                             const unsigned char[32], const unsigned char[32],
+                             mbedtls_tls_prf_types);
+    void *p_export_keys;            /*!< context for key export callback    */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    size_t cid_len; /*!< The length of CIDs for incoming DTLS records.      */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
+    mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s)        */
+    mbedtls_x509_crt *ca_chain;     /*!< trusted CAs                        */
+    mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    mbedtls_x509_crt_ca_cb_t f_ca_cb;
+    void *p_ca_cb;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+    mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+    void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    const int *sig_hashes;          /*!< allowed signature hashes           */
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *curve_list; /*!< allowed curves             */
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi dhm_P;              /*!< prime modulus for DHM              */
+    mbedtls_mpi dhm_G;              /*!< generator for DHM                  */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_key_id_t psk_opaque; /*!< PSA key slot holding opaque PSK. This field
+                              *   should only be set via
+                              *   mbedtls_ssl_conf_psk_opaque().
+                              *   If either no PSK or a raw PSK have been
+                              *   configured, this has value \c 0.
+                              */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    unsigned char *psk;      /*!< The raw pre-shared key. This field should
+                              *   only be set via mbedtls_ssl_conf_psk().
+                              *   If either no PSK or an opaque PSK
+                              *   have been configured, this has value NULL. */
+    size_t         psk_len;  /*!< The length of the raw pre-shared key.
+                              *   This field should only be set via
+                              *   mbedtls_ssl_conf_psk().
+                              *   Its value is non-zero if and only if
+                              *   \c psk is not \c NULL. */
+
+    unsigned char *psk_identity;    /*!< The PSK identity for PSK negotiation.
+                                     *   This field should only be set via
+                                     *   mbedtls_ssl_conf_psk().
+                                     *   This is set if and only if either
+                                     *   \c psk or \c psk_opaque are set. */
+    size_t         psk_identity_len;/*!< The length of PSK identity.
+                                     *   This field should only be set via
+                                     *   mbedtls_ssl_conf_psk().
+                                     *   Its value is non-zero if and only if
+                                     *   \c psk is not \c NULL or \c psk_opaque
+                                     *   is not \c 0. */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char **alpn_list;         /*!< ordered list of protocols          */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    /*! ordered list of supported srtp profile */
+    const mbedtls_ssl_srtp_profile *dtls_srtp_profile_list;
+    /*! number of supported profiles */
+    size_t dtls_srtp_profile_list_len;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+    /*
+     * Numerical settings (int then char)
+     */
+
+    uint32_t read_timeout;          /*!< timeout for mbedtls_ssl_read (ms)  */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint32_t hs_timeout_min;        /*!< initial value of the handshake
+                                         retransmission timeout (ms)        */
+    uint32_t hs_timeout_max;        /*!< maximum value of the handshake
+                                         retransmission timeout (ms)        */
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_max_records;         /*!< grace period for renegotiation     */
+    unsigned char renego_period[8]; /*!< value of the record counters
+                                         that triggers renegotiation        */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
+#endif
+
+    unsigned char max_major_ver;    /*!< max. major version used            */
+    unsigned char max_minor_ver;    /*!< max. minor version used            */
+    unsigned char min_major_ver;    /*!< min. major version used            */
+    unsigned char min_minor_ver;    /*!< min. minor version used            */
+
+    /*
+     * Flags (bitfields)
+     */
+
+    unsigned int endpoint : 1;      /*!< 0: client, 1: server               */
+    unsigned int transport : 1;     /*!< stream (TLS) or datagram (DTLS)    */
+    unsigned int authmode : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
+    /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
+    unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
+#if defined(MBEDTLS_ARC4_C)
+    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
+#endif
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned int mfl_code : 3;      /*!< desired fragment length            */
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac?    */
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    unsigned int cbc_record_splitting : 1;  /*!< do cbc record splitting    */
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    unsigned int disable_renegotiation : 1; /*!< disable renegotiation?     */
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    unsigned int trunc_hmac : 1;    /*!< negotiate truncated hmac?          */
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    unsigned int session_tickets : 1;   /*!< use session tickets?           */
+#endif
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int fallback : 1;      /*!< is this a fallback?                */
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
+                                          Certificate Request messages?     */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
+                                             *   record with unexpected CID
+                                             *   should lead to failure.    */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    unsigned int dtls_srtp_mki_support : 1; /* support having mki_value
+                                               in the use_srtp extension     */
+#endif
+};
+
+struct mbedtls_ssl_context {
+    const mbedtls_ssl_config *conf; /*!< configuration information          */
+
+    /*
+     * Miscellaneous
+     */
+    int state;                  /*!< SSL handshake: current state     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_status;          /*!< Initial, in progress, pending?   */
+    int renego_records_seen;    /*!< Records since renego request, or with DTLS,
+                                  number of retransmissions of request if
+                                  renego_max_records is < 0           */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
+    int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned badmac_seen;       /*!< records with a bad MAC received    */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification          */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;                   /*!< context for X.509 verify callback */
+#endif
+
+    mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
+    mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
+    mbedtls_ssl_recv_timeout_t *f_recv_timeout;
+    /*!< Callback for network receive with timeout */
+
+    void *p_bio;                /*!< context for I/O operations   */
+
+    /*
+     * Session layer
+     */
+    mbedtls_ssl_session *session_in;            /*!<  current session data (in)   */
+    mbedtls_ssl_session *session_out;           /*!<  current session data (out)  */
+    mbedtls_ssl_session *session;               /*!<  negotiated session data     */
+    mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
+
+    mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
+                                              the handshake process        */
+
+    /*
+     * Record layer transformations
+     */
+    mbedtls_ssl_transform *transform_in;        /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform_out;       /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform;           /*!<  negotiated transform params     */
+    mbedtls_ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
+
+    /*
+     * Timers
+     */
+    void *p_timer;              /*!< context for the timer callbacks */
+
+    mbedtls_ssl_set_timer_t *f_set_timer;       /*!< set timer callback */
+    mbedtls_ssl_get_timer_t *f_get_timer;       /*!< get timer callback */
+
+    /*
+     * Record layer (incoming data)
+     */
+    unsigned char *in_buf;      /*!< input buffer                     */
+    unsigned char *in_ctr;      /*!< 64-bit incoming message counter
+                                     TLS: maintained by us
+                                     DTLS: read from peer             */
+    unsigned char *in_hdr;      /*!< start of record header           */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    unsigned char *in_cid;      /*!< The start of the CID;
+                                 *   (the end is marked by in_len).   */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+    unsigned char *in_len;      /*!< two-bytes message length field   */
+    unsigned char *in_iv;       /*!< ivlen-byte IV                    */
+    unsigned char *in_msg;      /*!< message contents (in_iv+ivlen)   */
+    unsigned char *in_offt;     /*!< read offset in application data  */
+
+    int in_msgtype;             /*!< record header: message type      */
+    size_t in_msglen;           /*!< record header: message length    */
+    size_t in_left;             /*!< amount of data read so far       */
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t in_buf_len;          /*!< length of input buffer           */
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
+    size_t next_record_offset;  /*!< offset of the next record in datagram
+                                     (equal to in_left if none)       */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    uint64_t in_window_top;     /*!< last validated record seq_num    */
+    uint64_t in_window;         /*!< bitmask for replay detection     */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+    size_t in_hslen;            /*!< current handshake message length,
+                                     including the handshake header   */
+    int nb_zero;                /*!< # of 0-length encrypted messages */
+
+    int keep_current_message;   /*!< drop or reuse current message
+                                     on next call to record layer? */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint8_t disable_datagram_packing;  /*!< Disable packing multiple records
+                                        *   within a single datagram.  */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Record layer (outgoing data)
+     */
+    unsigned char *out_buf;     /*!< output buffer                    */
+    unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
+    unsigned char *out_hdr;     /*!< start of record header           */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    unsigned char *out_cid;     /*!< The start of the CID;
+                                 *   (the end is marked by in_len).   */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+    unsigned char *out_len;     /*!< two-bytes message length field   */
+    unsigned char *out_iv;      /*!< ivlen-byte IV                    */
+    unsigned char *out_msg;     /*!< message contents (out_iv+ivlen)  */
+
+    int out_msgtype;            /*!< record header: message type      */
+    size_t out_msglen;          /*!< record header: message length    */
+    size_t out_left;            /*!< amount of data not yet written   */
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t out_buf_len;         /*!< length of output buffer          */
+#endif
+
+    unsigned char cur_out_ctr[8]; /*!<  Outgoing record sequence  number. */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t mtu;               /*!< path mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    unsigned char *compress_buf;        /*!<  zlib data buffer        */
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    signed char split_done;     /*!< current record already splitted? */
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+    /*
+     * PKI layer
+     */
+    int client_auth;                    /*!<  flag for client auth.   */
+
+    /*
+     * User settings
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    char *hostname;             /*!< expected peer CN for verification
+                                     (and SNI if available)                 */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char *alpn_chosen;    /*!<  negotiated protocol                   */
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    /*
+     * use_srtp extension
+     */
+    mbedtls_dtls_srtp_info dtls_srtp_info;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+    /*
+     * Information for DTLS hello verify
+     */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
+    size_t          cli_id_len;     /*!<  length of cli_id                  */
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+    /*
+     * Secure renegotiation
+     */
+    /* needed to know when to send extension on server */
+    int secure_renegotiation;           /*!<  does peer support legacy or
+                                              secure renegotiation           */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    size_t verify_data_len;             /*!<  length of verify data stored   */
+    char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+    char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /* CID configuration to use in subsequent handshakes. */
+
+    /*! The next incoming CID, chosen by the user and applying to
+     *  all subsequent handshakes. This may be different from the
+     *  CID currently used in case the user has re-configured the CID
+     *  after an initial handshake. */
+    unsigned char own_cid[ MBEDTLS_SSL_CID_IN_LEN_MAX ];
+    uint8_t own_cid_len;   /*!< The length of \c own_cid. */
+    uint8_t negotiate_cid; /*!< This indicates whether the CID extension should
+                            *   be negotiated in the next handshake or not.
+                            *   Possible values are #MBEDTLS_SSL_CID_ENABLED
+                            *   and #MBEDTLS_SSL_CID_DISABLED. */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+};
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 0 )
+#define MBEDTLS_SSL_CHANNEL_INBOUND    MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 1 )
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
+    mbedtls_ssl_context *ssl,
+    const unsigned char *key_enc, const unsigned char *key_dec,
+    size_t keylen,
+    const unsigned char *iv_enc,  const unsigned char *iv_dec,
+    size_t ivlen,
+    const unsigned char *mac_enc, const unsigned char *mac_dec,
+    size_t maclen);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_activate)(
+    mbedtls_ssl_context *ssl,
+    int direction);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_reset)(
+    mbedtls_ssl_context *ssl);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_write)(
+    mbedtls_ssl_context *ssl);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_read)(
+    mbedtls_ssl_context *ssl);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
+    mbedtls_ssl_context *ssl);
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/**
+ * \brief               Return the name of the ciphersuite associated with the
+ *                      given ID
+ *
+ * \param ciphersuite_id SSL ciphersuite ID
+ *
+ * \return              a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id);
+
+/**
+ * \brief               Return the ID of the ciphersuite associated with the
+ *                      given name
+ *
+ * \param ciphersuite_name SSL ciphersuite name
+ *
+ * \return              the ID with the ciphersuite or 0 if not found
+ */
+int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name);
+
+/**
+ * \brief          Initialize an SSL context
+ *                 Just makes the context ready for mbedtls_ssl_setup() or
+ *                 mbedtls_ssl_free()
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_init(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Set up an SSL context for use
+ *
+ * \note           No copy of the configuration context is made, it can be
+ *                 shared by many mbedtls_ssl_context structures.
+ *
+ * \warning        The conf structure will be accessed during the session.
+ *                 It must not be modified or freed as long as the session
+ *                 is active.
+ *
+ * \warning        This function must be called exactly once per context.
+ *                 Calling mbedtls_ssl_setup again is not supported, even
+ *                 if no session is active.
+ *
+ * \param ssl      SSL context
+ * \param conf     SSL configuration to use
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
+ *                 memory allocation failed
+ */
+int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
+                      const mbedtls_ssl_config *conf);
+
+/**
+ * \brief          Reset an already initialized SSL context for re-use
+ *                 while retaining application-set variables, function
+ *                 pointers and data.
+ *
+ * \param ssl      SSL context
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
+                   MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
+ *                 MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+ */
+int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Set the current endpoint type
+ *
+ * \param conf     SSL configuration
+ * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ */
+void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint);
+
+/**
+ * \brief           Set the transport type (TLS or DTLS).
+ *                  Default: TLS
+ *
+ * \note            For DTLS, you must either provide a recv callback that
+ *                  doesn't block, or one that handles timeouts, see
+ *                  \c mbedtls_ssl_set_bio(). You also need to provide timer
+ *                  callbacks with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \param conf      SSL configuration
+ * \param transport transport type:
+ *                  MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
+ */
+void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport);
+
+/**
+ * \brief          Set the certificate verification mode
+ *                 Default: NONE on server, REQUIRED on client
+ *
+ * \param conf     SSL configuration
+ * \param authmode can be:
+ *
+ *  MBEDTLS_SSL_VERIFY_NONE:      peer certificate is not checked
+ *                        (default on server)
+ *                        (insecure on client)
+ *
+ *  MBEDTLS_SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
+ *                        handshake continues even if verification failed;
+ *                        mbedtls_ssl_get_verify_result() can be called after the
+ *                        handshake is complete.
+ *
+ *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
+ *                        handshake is aborted if verification failed.
+ *                        (default on client)
+ *
+ * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
+ * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
+ */
+void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the verification callback (Optional).
+ *
+ *                 If set, the provided verify callback is called for each
+ *                 certificate in the peer's CRT chain, including the trusted
+ *                 root. For more information, please see the documentation of
+ *                 \c mbedtls_x509_crt_verify().
+ *
+ * \note           For per context callbacks and contexts, please use
+ *                 mbedtls_ssl_set_verify() instead.
+ *
+ * \param conf     The SSL configuration to use.
+ * \param f_vrfy   The verification callback to use during CRT verification.
+ * \param p_vrfy   The opaque context to be passed to the callback.
+ */
+void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
+                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                             void *p_vrfy);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief          Set the random number generator callback
+ *
+ * \param conf     SSL configuration
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ */
+void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng);
+
+/**
+ * \brief          Set the debug callback
+ *
+ *                 The callback has the following argument:
+ *                 void *           opaque context for the callback
+ *                 int              debug level
+ *                 const char *     file name
+ *                 int              line number
+ *                 const char *     message
+ *
+ * \param conf     SSL configuration
+ * \param f_dbg    debug function
+ * \param p_dbg    debug parameter
+ */
+void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
+                          void (*f_dbg)(void *, int, const char *, int, const char *),
+                          void  *p_dbg);
+
+/**
+ * \brief          Set the underlying BIO callbacks for write, read and
+ *                 read-with-timeout.
+ *
+ * \param ssl      SSL context
+ * \param p_bio    parameter (context) shared by BIO callbacks
+ * \param f_send   write callback
+ * \param f_recv   read callback
+ * \param f_recv_timeout blocking read callback with timeout.
+ *
+ * \note           One of f_recv or f_recv_timeout can be NULL, in which case
+ *                 the other is used. If both are non-NULL, f_recv_timeout is
+ *                 used and f_recv is ignored (as if it were NULL).
+ *
+ * \note           The two most common use cases are:
+ *                 - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
+ *                 - blocking I/O, f_recv == NULL, f_recv_timout != NULL
+ *
+ * \note           For DTLS, you need to provide either a non-NULL
+ *                 f_recv_timeout callback, or a f_recv that doesn't block.
+ *
+ * \note           See the documentations of \c mbedtls_ssl_send_t,
+ *                 \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
+ *                 the conventions those callbacks must follow.
+ *
+ * \note           On some platforms, net_sockets.c provides
+ *                 \c mbedtls_net_send(), \c mbedtls_net_recv() and
+ *                 \c mbedtls_net_recv_timeout() that are suitable to be used
+ *                 here.
+ */
+void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
+                         void *p_bio,
+                         mbedtls_ssl_send_t *f_send,
+                         mbedtls_ssl_recv_t *f_recv,
+                         mbedtls_ssl_recv_timeout_t *f_recv_timeout);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+
+
+/**
+ * \brief             Configure the use of the Connection ID (CID)
+ *                    extension in the next handshake.
+ *
+ *                    Reference: draft-ietf-tls-dtls-connection-id-05
+ *                    https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+ *
+ *                    The DTLS CID extension allows the reliable association of
+ *                    DTLS records to DTLS connections across changes in the
+ *                    underlying transport (changed IP and Port metadata) by
+ *                    adding explicit connection identifiers (CIDs) to the
+ *                    headers of encrypted DTLS records. The desired CIDs are
+ *                    configured by the application layer and are exchanged in
+ *                    new `ClientHello` / `ServerHello` extensions during the
+ *                    handshake, where each side indicates the CID it wants the
+ *                    peer to use when writing encrypted messages. The CIDs are
+ *                    put to use once records get encrypted: the stack discards
+ *                    any incoming records that don't include the configured CID
+ *                    in their header, and adds the peer's requested CID to the
+ *                    headers of outgoing messages.
+ *
+ *                    This API enables or disables the use of the CID extension
+ *                    in the next handshake and sets the value of the CID to
+ *                    be used for incoming messages.
+ *
+ * \param ssl         The SSL context to configure. This must be initialized.
+ * \param enable      This value determines whether the CID extension should
+ *                    be used or not. Possible values are:
+ *                    - MBEDTLS_SSL_CID_ENABLED to enable the use of the CID.
+ *                    - MBEDTLS_SSL_CID_DISABLED (default) to disable the use
+ *                      of the CID.
+ * \param own_cid     The address of the readable buffer holding the CID we want
+ *                    the peer to use when sending encrypted messages to us.
+ *                    This may be \c NULL if \p own_cid_len is \c 0.
+ *                    This parameter is unused if \p enabled is set to
+ *                    MBEDTLS_SSL_CID_DISABLED.
+ * \param own_cid_len The length of \p own_cid.
+ *                    This parameter is unused if \p enabled is set to
+ *                    MBEDTLS_SSL_CID_DISABLED.
+ *
+ * \note              The value of \p own_cid_len must match the value of the
+ *                    \c len parameter passed to mbedtls_ssl_conf_cid()
+ *                    when configuring the ::mbedtls_ssl_config that \p ssl
+ *                    is bound to.
+ *
+ * \note              This CID configuration applies to subsequent handshakes
+ *                    performed on the SSL context \p ssl, but does not trigger
+ *                    one. You still have to call `mbedtls_ssl_handshake()`
+ *                    (for the initial handshake) or `mbedtls_ssl_renegotiate()`
+ *                    (for a renegotiation handshake) explicitly after a
+ *                    successful call to this function to run the handshake.
+ *
+ * \note              This call cannot guarantee that the use of the CID
+ *                    will be successfully negotiated in the next handshake,
+ *                    because the peer might not support it. Specifically:
+ *                    - On the Client, enabling the use of the CID through
+ *                      this call implies that the `ClientHello` in the next
+ *                      handshake will include the CID extension, thereby
+ *                      offering the use of the CID to the server. Only if
+ *                      the `ServerHello` contains the CID extension, too,
+ *                      the CID extension will actually be put to use.
+ *                    - On the Server, enabling the use of the CID through
+ *                      this call implies that that the server will look for
+ *                      the CID extension in a `ClientHello` from the client,
+ *                      and, if present, reply with a CID extension in its
+ *                      `ServerHello`.
+ *
+ * \note              To check whether the use of the CID was negotiated
+ *                    after the subsequent handshake has completed, please
+ *                    use the API mbedtls_ssl_get_peer_cid().
+ *
+ * \warning           If the use of the CID extension is enabled in this call
+ *                    and the subsequent handshake negotiates its use, Mbed TLS
+ *                    will silently drop every packet whose CID does not match
+ *                    the CID configured in \p own_cid. It is the responsibility
+ *                    of the user to adapt the underlying transport to take care
+ *                    of CID-based demultiplexing before handing datagrams to
+ *                    Mbed TLS.
+ *
+ * \return            \c 0 on success. In this case, the CID configuration
+ *                    applies to the next handshake.
+ * \return            A negative error code on failure.
+ */
+int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
+                        int enable,
+                        unsigned char const *own_cid,
+                        size_t own_cid_len);
+
+/**
+ * \brief              Get information about the use of the CID extension
+ *                     in the current connection.
+ *
+ * \param ssl          The SSL context to query.
+ * \param enabled      The address at which to store whether the CID extension
+ *                     is currently in use or not. If the CID is in use,
+ *                     `*enabled` is set to MBEDTLS_SSL_CID_ENABLED;
+ *                     otherwise, it is set to MBEDTLS_SSL_CID_DISABLED.
+ * \param peer_cid     The address of the buffer in which to store the CID
+ *                     chosen by the peer (if the CID extension is used).
+ *                     This may be \c NULL in case the value of peer CID
+ *                     isn't needed. If it is not \c NULL, \p peer_cid_len
+ *                     must not be \c NULL.
+ * \param peer_cid_len The address at which to store the size of the CID
+ *                     chosen by the peer (if the CID extension is used).
+ *                     This is also the number of Bytes in \p peer_cid that
+ *                     have been written.
+ *                     This may be \c NULL in case the length of the peer CID
+ *                     isn't needed. If it is \c NULL, \p peer_cid must be
+ *                     \c NULL, too.
+ *
+ * \note               This applies to the state of the CID negotiated in
+ *                     the last complete handshake. If a handshake is in
+ *                     progress, this function will attempt to complete
+ *                     the handshake first.
+ *
+ * \note               If CID extensions have been exchanged but both client
+ *                     and server chose to use an empty CID, this function
+ *                     sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED
+ *                     (the rationale for this is that the resulting
+ *                     communication is the same as if the CID extensions
+ *                     hadn't been used).
+ *
+ * \return            \c 0 on success.
+ * \return            A negative error code on failure.
+ */
+int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
+                             int *enabled,
+                             unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
+                             size_t *peer_cid_len);
+
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+/**
+ * \brief          Set the Maximum Tranport Unit (MTU).
+ *                 Special value: 0 means unset (no limit).
+ *                 This represents the maximum size of a datagram payload
+ *                 handled by the transport layer (usually UDP) as determined
+ *                 by the network link and stack. In practice, this controls
+ *                 the maximum size datagram the DTLS layer will pass to the
+ *                 \c f_send() callback set using \c mbedtls_ssl_set_bio().
+ *
+ * \note           The limit on datagram size is converted to a limit on
+ *                 record payload by subtracting the current overhead of
+ *                 encapsulation and encryption/authentication if any.
+ *
+ * \note           This can be called at any point during the connection, for
+ *                 example when a Path Maximum Transfer Unit (PMTU)
+ *                 estimate becomes available from other sources,
+ *                 such as lower (or higher) protocol layers.
+ *
+ * \note           This setting only controls the size of the packets we send,
+ *                 and does not restrict the size of the datagrams we're
+ *                 willing to receive. Client-side, you can request the
+ *                 server to use smaller records with \c
+ *                 mbedtls_ssl_conf_max_frag_len().
+ *
+ * \note           If both a MTU and a maximum fragment length have been
+ *                 configured (or negotiated with the peer), the resulting
+ *                 lower limit on record payload (see first note) is used.
+ *
+ * \note           This can only be used to decrease the maximum size
+ *                 of datagrams (hence records, see first note) sent. It
+ *                 cannot be used to increase the maximum size of records over
+ *                 the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
+ *
+ * \note           Values lower than the current record layer expansion will
+ *                 result in an error when trying to send data.
+ *
+ * \note           Using record compression together with a non-zero MTU value
+ *                 will result in an error when trying to send data.
+ *
+ * \param ssl      SSL context
+ * \param mtu      Value of the path MTU in bytes
+ */
+void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set a connection-specific verification callback (optional).
+ *
+ *                 If set, the provided verify callback is called for each
+ *                 certificate in the peer's CRT chain, including the trusted
+ *                 root. For more information, please see the documentation of
+ *                 \c mbedtls_x509_crt_verify().
+ *
+ * \note           This call is analogous to mbedtls_ssl_conf_verify() but
+ *                 binds the verification callback and context to an SSL context
+ *                 as opposed to an SSL configuration.
+ *                 If mbedtls_ssl_conf_verify() and mbedtls_ssl_set_verify()
+ *                 are both used, mbedtls_ssl_set_verify() takes precedence.
+ *
+ * \param ssl      The SSL context to use.
+ * \param f_vrfy   The verification callback to use during CRT verification.
+ * \param p_vrfy   The opaque context to be passed to the callback.
+ */
+void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
+                            int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                            void *p_vrfy);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief          Set the timeout period for mbedtls_ssl_read()
+ *                 (Default: no timeout.)
+ *
+ * \param conf     SSL configuration context
+ * \param timeout  Timeout value in milliseconds.
+ *                 Use 0 for no timeout (default).
+ *
+ * \note           With blocking I/O, this will only work if a non-NULL
+ *                 \c f_recv_timeout was set with \c mbedtls_ssl_set_bio().
+ *                 With non-blocking I/O, this will only work if timer
+ *                 callbacks were set with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \note           With non-blocking I/O, you may also skip this function
+ *                 altogether and handle timeouts at the application layer.
+ */
+void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout);
+
+#if defined(MBEDTLS_SSL_RECORD_CHECKING)
+/**
+ * \brief          Check whether a buffer contains a valid and authentic record
+ *                 that has not been seen before. (DTLS only).
+ *
+ *                 This function does not change the user-visible state
+ *                 of the SSL context. Its sole purpose is to provide
+ *                 an indication of the legitimacy of an incoming record.
+ *
+ *                 This can be useful e.g. in distributed server environments
+ *                 using the DTLS Connection ID feature, in which connections
+ *                 might need to be passed between service instances on a change
+ *                 of peer address, but where such disruptive operations should
+ *                 only happen after the validity of incoming records has been
+ *                 confirmed.
+ *
+ * \param ssl      The SSL context to use.
+ * \param buf      The address of the buffer holding the record to be checked.
+ *                 This must be a read/write buffer of length \p buflen Bytes.
+ * \param buflen   The length of \p buf in Bytes.
+ *
+ * \note           This routine only checks whether the provided buffer begins
+ *                 with a valid and authentic record that has not been seen
+ *                 before, but does not check potential data following the
+ *                 initial record. In particular, it is possible to pass DTLS
+ *                 datagrams containing multiple records, in which case only
+ *                 the first record is checked.
+ *
+ * \note           This function modifies the input buffer \p buf. If you need
+ *                 to preserve the original record, you have to maintain a copy.
+ *
+ * \return         \c 0 if the record is valid and authentic and has not been
+ *                 seen before.
+ * \return         MBEDTLS_ERR_SSL_INVALID_MAC if the check completed
+ *                 successfully but the record was found to be not authentic.
+ * \return         MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed
+ *                 successfully but the record was found to be invalid for
+ *                 a reason different from authenticity checking.
+ * \return         MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed
+ *                 successfully but the record was found to be unexpected
+ *                 in the state of the SSL context, including replayed records.
+ * \return         Another negative error code on different kinds of failure.
+ *                 In this case, the SSL context becomes unusable and needs
+ *                 to be freed or reset before reuse.
+ */
+int mbedtls_ssl_check_record(mbedtls_ssl_context const *ssl,
+                             unsigned char *buf,
+                             size_t buflen);
+#endif /* MBEDTLS_SSL_RECORD_CHECKING */
+
+/**
+ * \brief          Set the timer callbacks (Mandatory for DTLS.)
+ *
+ * \param ssl      SSL context
+ * \param p_timer  parameter (context) shared by timer callbacks
+ * \param f_set_timer   set timer callback
+ * \param f_get_timer   get timer callback. Must return:
+ *
+ * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
+ *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
+ *                 callbacks must follow.
+ *
+ * \note           On some platforms, timing.c provides
+ *                 \c mbedtls_timing_set_delay() and
+ *                 \c mbedtls_timing_get_delay() that are suitable for using
+ *                 here, except if using an event-driven style.
+ *
+ * \note           See also the "DTLS tutorial" article in our knowledge base.
+ *                 https://tls.mbed.org/kb/how-to/dtls-tutorial
+ */
+void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
+                              void *p_timer,
+                              mbedtls_ssl_set_timer_t *f_set_timer,
+                              mbedtls_ssl_get_timer_t *f_get_timer);
+
+/**
+ * \brief           Callback type: generate and write session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should generate an encrypted and
+ *                  authenticated ticket for the session and write it to the
+ *                  output buffer. Here, ticket means the opaque ticket part
+ *                  of the NewSessionTicket structure of RFC 5077.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be written in the ticket
+ * \param start     Start of the output buffer
+ * \param end       End of the output buffer
+ * \param tlen      On exit, holds the length written
+ * \param lifetime  On exit, holds the lifetime of the ticket in seconds
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_ticket_write_t(void *p_ticket,
+                                       const mbedtls_ssl_session *session,
+                                       unsigned char *start,
+                                       const unsigned char *end,
+                                       size_t *tlen,
+                                       uint32_t *lifetime);
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Callback type: Export key block and master secret
+ *
+ * \note            This is required for certain uses of TLS, e.g. EAP-TLS
+ *                  (RFC 5216) and Thread. The key pointers are ephemeral and
+ *                  therefore must not be stored. The master secret and keys
+ *                  should not be used directly except as an input to a key
+ *                  derivation function.
+ *
+ * \param p_expkey  Context for the callback
+ * \param ms        Pointer to master secret (fixed length: 48 bytes)
+ * \param kb        Pointer to key block, see RFC 5246 section 6.3
+ *                  (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * \param maclen    MAC length
+ * \param keylen    Key length
+ * \param ivlen     IV length
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_export_keys_t(void *p_expkey,
+                                      const unsigned char *ms,
+                                      const unsigned char *kb,
+                                      size_t maclen,
+                                      size_t keylen,
+                                      size_t ivlen);
+
+/**
+ * \brief           Callback type: Export key block, master secret,
+ *                                 handshake randbytes and the tls_prf function
+ *                                 used to derive keys.
+ *
+ * \note            This is required for certain uses of TLS, e.g. EAP-TLS
+ *                  (RFC 5216) and Thread. The key pointers are ephemeral and
+ *                  therefore must not be stored. The master secret and keys
+ *                  should not be used directly except as an input to a key
+ *                  derivation function.
+ *
+ * \param p_expkey  Context for the callback.
+ * \param ms        Pointer to master secret (fixed length: 48 bytes).
+ * \param kb            Pointer to key block, see RFC 5246 section 6.3.
+ *                      (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * \param maclen        MAC length.
+ * \param keylen        Key length.
+ * \param ivlen         IV length.
+ * \param client_random The client random bytes.
+ * \param server_random The server random bytes.
+ * \param tls_prf_type The tls_prf enum type.
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_export_keys_ext_t(void *p_expkey,
+                                          const unsigned char *ms,
+                                          const unsigned char *kb,
+                                          size_t maclen,
+                                          size_t keylen,
+                                          size_t ivlen,
+                                          const unsigned char client_random[32],
+                                          const unsigned char server_random[32],
+                                          mbedtls_tls_prf_types tls_prf_type);
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+/**
+ * \brief           Callback type: parse and load session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should parse a session ticket as generated
+ *                  by the corresponding mbedtls_ssl_ticket_write_t function,
+ *                  and, if the ticket is authentic and valid, load the
+ *                  session.
+ *
+ * \note            The implementation is allowed to modify the first len
+ *                  bytes of the input buffer, eg to use it as a temporary
+ *                  area for the decrypted ticket contents.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be loaded
+ * \param buf       Start of the buffer containing the ticket
+ * \param len       Length of the ticket.
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
+ *                  MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
+ *                  any other non-zero code for other failures.
+ */
+typedef int mbedtls_ssl_ticket_parse_t(void *p_ticket,
+                                       mbedtls_ssl_session *session,
+                                       unsigned char *buf,
+                                       size_t len);
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Configure SSL session ticket callbacks (server only).
+ *                  (Default: none.)
+ *
+ * \note            On server, session tickets are enabled by providing
+ *                  non-NULL callbacks.
+ *
+ * \note            On client, use \c mbedtls_ssl_conf_session_tickets().
+ *
+ * \param conf      SSL configuration context
+ * \param f_ticket_write    Callback for writing a ticket
+ * \param f_ticket_parse    Callback for parsing a ticket
+ * \param p_ticket          Context shared by the two callbacks
+ */
+void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
+                                         mbedtls_ssl_ticket_write_t *f_ticket_write,
+                                         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+                                         void *p_ticket);
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Configure key export callback.
+ *                  (Default: none.)
+ *
+ * \note            See \c mbedtls_ssl_export_keys_t.
+ *
+ * \param conf      SSL configuration context
+ * \param f_export_keys     Callback for exporting keys
+ * \param p_export_keys     Context for the callback
+ */
+void mbedtls_ssl_conf_export_keys_cb(mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_export_keys_t *f_export_keys,
+                                     void *p_export_keys);
+
+/**
+ * \brief           Configure extended key export callback.
+ *                  (Default: none.)
+ *
+ * \note            See \c mbedtls_ssl_export_keys_ext_t.
+ * \warning         Exported key material must not be used for any purpose
+ *                  before the (D)TLS handshake is completed
+ *
+ * \param conf      SSL configuration context
+ * \param f_export_keys_ext Callback for exporting keys
+ * \param p_export_keys     Context for the callback
+ */
+void mbedtls_ssl_conf_export_keys_ext_cb(mbedtls_ssl_config *conf,
+                                         mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
+                                         void *p_export_keys);
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+/**
+ * \brief           Configure asynchronous private key operation callbacks.
+ *
+ * \param conf              SSL configuration context
+ * \param f_async_sign      Callback to start a signature operation. See
+ *                          the description of ::mbedtls_ssl_async_sign_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any signature
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_decrypt   Callback to start a decryption operation. See
+ *                          the description of ::mbedtls_ssl_async_decrypt_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any decryption
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_resume    Callback to resume an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_resume_t
+ *                          for more information. This may not be \c NULL unless
+ *                          \p f_async_sign and \p f_async_decrypt are both
+ *                          \c NULL.
+ * \param f_async_cancel    Callback to cancel an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_cancel_t
+ *                          for more information. This may be \c NULL if
+ *                          no cleanup is needed.
+ * \param config_data       A pointer to configuration data which can be
+ *                          retrieved with
+ *                          mbedtls_ssl_conf_get_async_config_data(). The
+ *                          library stores this value without dereferencing it.
+ */
+void mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config *conf,
+                                       mbedtls_ssl_async_sign_t *f_async_sign,
+                                       mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+                                       mbedtls_ssl_async_resume_t *f_async_resume,
+                                       mbedtls_ssl_async_cancel_t *f_async_cancel,
+                                       void *config_data);
+
+/**
+ * \brief           Retrieve the configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ *
+ * \param conf      SSL configuration context
+ * \return          The configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ */
+void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf);
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ *
+ * \return          The asynchronous operation user context that was last
+ *                  set during the current handshake. If
+ *                  mbedtls_ssl_set_async_operation_data() has not yet been
+ *                  called during the current handshake, this function returns
+ *                  \c NULL.
+ */
+void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ * \param ctx       The new value of the asynchronous operation user context.
+ *                  Call mbedtls_ssl_get_async_operation_data() later during the
+ *                  same handshake to retrieve this value.
+ */
+void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
+                                          void *ctx);
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/**
+ * \brief          Callback type: generate a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param p        Buffer to write to,
+ *                 must be updated to point right after the cookie
+ * \param end      Pointer to one past the end of the output buffer
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 on success,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_write_t(void *ctx,
+                                       unsigned char **p, unsigned char *end,
+                                       const unsigned char *info, size_t ilen);
+
+/**
+ * \brief          Callback type: verify a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param cookie   Cookie to verify
+ * \param clen     Length of cookie
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 if cookie is valid,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_check_t(void *ctx,
+                                       const unsigned char *cookie, size_t clen,
+                                       const unsigned char *info, size_t ilen);
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Register callbacks for DTLS cookies
+ *                  (Server only. DTLS only.)
+ *
+ *                  Default: dummy callbacks that fail, in order to force you to
+ *                  register working callbacks (and initialize their context).
+ *
+ *                  To disable HelloVerifyRequest, register NULL callbacks.
+ *
+ * \warning         Disabling hello verification allows your server to be used
+ *                  for amplification in DoS attacks against other hosts.
+ *                  Only disable if you known this can't happen in your
+ *                  particular environment.
+ *
+ * \note            See comments on \c mbedtls_ssl_handshake() about handling
+ *                  the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected
+ *                  on the first handshake attempt when this is enabled.
+ *
+ * \note            This is also necessary to handle client reconnection from
+ *                  the same port as described in RFC 6347 section 4.2.8 (only
+ *                  the variant with cookies is supported currently). See
+ *                  comments on \c mbedtls_ssl_read() for details.
+ *
+ * \param conf              SSL configuration
+ * \param f_cookie_write    Cookie write callback
+ * \param f_cookie_check    Cookie check callback
+ * \param p_cookie          Context for both callbacks
+ */
+void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
+                                   mbedtls_ssl_cookie_write_t *f_cookie_write,
+                                   mbedtls_ssl_cookie_check_t *f_cookie_check,
+                                   void *p_cookie);
+
+/**
+ * \brief          Set client's transport-level identification info.
+ *                 (Server only. DTLS only.)
+ *
+ *                 This is usually the IP address (and port), but could be
+ *                 anything identify the client depending on the underlying
+ *                 network stack. Used for HelloVerifyRequest with DTLS.
+ *                 This is *not* used to route the actual packets.
+ *
+ * \param ssl      SSL context
+ * \param info     Transport-level info identifying the client (eg IP + port)
+ * \param ilen     Length of info in bytes
+ *
+ * \note           An internal copy is made, so the info buffer can be reused.
+ *
+ * \return         0 on success,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
+ */
+int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
+                                        const unsigned char *info,
+                                        size_t ilen);
+
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+/**
+ * \brief          Enable or disable anti-replay protection for DTLS.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: enabled.
+ *
+ * \param conf     SSL configuration
+ * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning        Disabling this is a security risk unless the application
+ *                 protocol handles duplicated packets in a safe way. You
+ *                 should not disable this without careful consideration.
+ *                 However, if your application already detects duplicated
+ *                 packets and needs information about them to adjust its
+ *                 transmission strategy, then you'll want to disable this.
+ */
+void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode);
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+/**
+ * \brief          Set a limit on the number of records with a bad MAC
+ *                 before terminating the connection.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: 0 (disabled).
+ *
+ * \param conf     SSL configuration
+ * \param limit    Limit, or 0 to disable.
+ *
+ * \note           If the limit is N, then the connection is terminated when
+ *                 the Nth non-authentic record is seen.
+ *
+ * \note           Records with an invalid header are not counted, only the
+ *                 ones going through the authentication-decryption phase.
+ *
+ * \note           This is a security trade-off related to the fact that it's
+ *                 often relatively easy for an active attacker ot inject UDP
+ *                 datagrams. On one hand, setting a low limit here makes it
+ *                 easier for such an attacker to forcibly terminated a
+ *                 connection. On the other hand, a high limit or no limit
+ *                 might make us waste resources checking authentication on
+ *                 many bogus packets.
+ */
+void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit);
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/**
+ * \brief          Allow or disallow packing of multiple handshake records
+ *                 within a single datagram.
+ *
+ * \param ssl           The SSL context to configure.
+ * \param allow_packing This determines whether datagram packing may
+ *                      be used or not. A value of \c 0 means that every
+ *                      record will be sent in a separate datagram; a
+ *                      value of \c 1 means that, if space permits,
+ *                      multiple handshake messages (including CCS) belonging to
+ *                      a single flight may be packed within a single datagram.
+ *
+ * \note           This is enabled by default and should only be disabled
+ *                 for test purposes, or if datagram packing causes
+ *                 interoperability issues with peers that don't support it.
+ *
+ * \note           Allowing datagram packing reduces the network load since
+ *                 there's less overhead if multiple messages share the same
+ *                 datagram. Also, it increases the handshake efficiency
+ *                 since messages belonging to a single datagram will not
+ *                 be reordered in transit, and so future message buffering
+ *                 or flight retransmission (if no buffering is used) as
+ *                 means to deal with reordering are needed less frequently.
+ *
+ * \note           Application records are not affected by this option and
+ *                 are currently always sent in separate datagrams.
+ *
+ */
+void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
+                                      unsigned allow_packing);
+
+/**
+ * \brief          Set retransmit timeout values for the DTLS handshake.
+ *                 (DTLS only, no effect on TLS.)
+ *
+ * \param conf     SSL configuration
+ * \param min      Initial timeout value in milliseconds.
+ *                 Default: 1000 (1 second).
+ * \param max      Maximum timeout value in milliseconds.
+ *                 Default: 60000 (60 seconds).
+ *
+ * \note           Default values are from RFC 6347 section 4.2.4.1.
+ *
+ * \note           The 'min' value should typically be slightly above the
+ *                 expected round-trip time to your peer, plus whatever time
+ *                 it takes for the peer to process the message. For example,
+ *                 if your RTT is about 600ms and you peer needs up to 1s to
+ *                 do the cryptographic operations in the handshake, then you
+ *                 should set 'min' slightly above 1600. Lower values of 'min'
+ *                 might cause spurious resends which waste network resources,
+ *                 while larger value of 'min' will increase overall latency
+ *                 on unreliable network links.
+ *
+ * \note           The more unreliable your network connection is, the larger
+ *                 your max / min ratio needs to be in order to achieve
+ *                 reliable handshakes.
+ *
+ * \note           Messages are retransmitted up to log2(ceil(max/min)) times.
+ *                 For example, if min = 1s and max = 5s, the retransmit plan
+ *                 goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
+ *                 resend ... 5s -> give up and return a timeout error.
+ */
+void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, uint32_t min, uint32_t max);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Set the session cache callbacks (server-side only)
+ *                 If not set, no session resuming is done (except if session
+ *                 tickets are enabled too).
+ *
+ *                 The session cache has the responsibility to check for stale
+ *                 entries based on timeout. See RFC 5246 for recommendations.
+ *
+ *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ *                 connection shutdown, so do not cache the pointer! Either set
+ *                 it to NULL or make a full copy of the certificate.
+ *
+ *                 The get callback is called once during the initial handshake
+ *                 to enable session resuming. The get function has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_session *session)
+ *                 If a valid entry is found, it should fill the master of
+ *                 the session object with the cached values and return 0,
+ *                 return 1 otherwise. Optionally peer_cert can be set as well
+ *                 if it is properly present in cache entry.
+ *
+ *                 The set callback is called once during the initial handshake
+ *                 to enable session resuming after the entire handshake has
+ *                 been finished. The set function has the following parameters:
+ *                 (void *parameter, const mbedtls_ssl_session *session). The function
+ *                 should create a cache entry for future retrieval based on
+ *                 the data in the session structure and should keep in mind
+ *                 that the mbedtls_ssl_session object presented (and all its referenced
+ *                 data) is cleared by the SSL/TLS layer when the connection is
+ *                 terminated. It is recommended to add metadata to determine if
+ *                 an entry is still valid in the future. Return 0 if
+ *                 successfully cached, return 1 otherwise.
+ *
+ * \param conf           SSL configuration
+ * \param p_cache        parmater (context) for both callbacks
+ * \param f_get_cache    session get callback
+ * \param f_set_cache    session set callback
+ */
+void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
+                                    void *p_cache,
+                                    int (*f_get_cache)(void *, mbedtls_ssl_session *),
+                                    int (*f_set_cache)(void *, const mbedtls_ssl_session *));
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Request resumption of session (client-side only)
+ *                 Session data is copied from presented session structure.
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid
+ *
+ * \sa             mbedtls_ssl_get_session()
+ */
+int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session);
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief          Load serialized session data into a session structure.
+ *                 On client, this can be used for loading saved sessions
+ *                 before resuming them with mbedstls_ssl_set_session().
+ *                 On server, this can be used for alternative implementations
+ *                 of session cache or session tickets.
+ *
+ * \warning        If a peer certificate chain is associated with the session,
+ *                 the serialized state will only contain the peer's
+ *                 end-entity certificate and the result of the chain
+ *                 verification (unless verification was disabled), but not
+ *                 the rest of the chain.
+ *
+ * \see            mbedtls_ssl_session_save()
+ * \see            mbedtls_ssl_set_session()
+ *
+ * \param session  The session structure to be populated. It must have been
+ *                 initialised with mbedtls_ssl_session_init() but not
+ *                 populated yet.
+ * \param buf      The buffer holding the serialized session data. It must be a
+ *                 readable buffer of at least \p len bytes.
+ * \param len      The size of the serialized data in bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
+ *                 was generated in a different version or configuration of
+ *                 Mbed TLS.
+ * \return         Another negative value for other kinds of errors (for
+ *                 example, unsupported features in the embedded certificate).
+ */
+int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
+                             const unsigned char *buf,
+                             size_t len);
+
+/**
+ * \brief          Save session structure as serialized data in a buffer.
+ *                 On client, this can be used for saving session data,
+ *                 potentially in non-volatile storage, for resuming later.
+ *                 On server, this can be used for alternative implementations
+ *                 of session cache or session tickets.
+ *
+ * \see            mbedtls_ssl_session_load()
+ * \see            mbedtls_ssl_get_session_pointer()
+ *
+ * \param session  The session structure to be saved.
+ * \param buf      The buffer to write the serialized data to. It must be a
+ *                 writeable buffer of at least \p len bytes, or may be \c
+ *                 NULL if \p len is \c 0.
+ * \param buf_len  The number of bytes available for writing in \p buf.
+ * \param olen     The size in bytes of the data that has been or would have
+ *                 been written. It must point to a valid \c size_t.
+ *
+ * \note           \p olen is updated to the correct value regardless of
+ *                 whether \p buf_len was large enough. This makes it possible
+ *                 to determine the necessary size by calling this function
+ *                 with \p buf set to \c NULL and \p buf_len to \c 0.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
+ */
+int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
+                             unsigned char *buf,
+                             size_t buf_len,
+                             size_t *olen);
+
+/**
+ * \brief          Get a pointer to the current session structure, for example
+ *                 to serialize it.
+ *
+ * \warning        Ownership of the session remains with the SSL context, and
+ *                 the returned pointer is only guaranteed to be valid until
+ *                 the next API call operating on the same \p ssl context.
+ *
+ * \see            mbedtls_ssl_session_save()
+ *
+ * \param ssl      The SSL context.
+ *
+ * \return         A pointer to the current session if successful.
+ * \return         \c NULL if no session is active.
+ */
+const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the preference
+ *                      order. First in the list has the highest preference.
+ *                      (Overrides all version-specific lists)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ *                      Note: The server uses its own preferences
+ *                      over the preference of the client unless
+ *                      MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ */
+void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
+                                   const int *ciphersuites);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
+#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL   1
+/**
+ * \brief               Specify the length of Connection IDs for incoming
+ *                      encrypted DTLS records, as well as the behaviour
+ *                      on unexpected CIDs.
+ *
+ *                      By default, the CID length is set to \c 0,
+ *                      and unexpected CIDs are silently ignored.
+ *
+ * \param conf          The SSL configuration to modify.
+ * \param len           The length in Bytes of the CID fields in encrypted
+ *                      DTLS records using the CID mechanism. This must
+ *                      not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
+ * \param ignore_other_cids This determines the stack's behaviour when
+ *                          receiving a record with an unexpected CID.
+ *                          Possible values are:
+ *                          - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
+ *                            In this case, the record is silently ignored.
+ *                          - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
+ *                            In this case, the stack fails with the specific
+ *                            error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
+ *
+ * \note                The CID specification allows implementations to either
+ *                      use a common length for all incoming connection IDs or
+ *                      allow variable-length incoming IDs. Mbed TLS currently
+ *                      requires a common length for all connections sharing the
+ *                      same SSL configuration; this allows simpler parsing of
+ *                      record headers.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
+ *                      is too large.
+ */
+int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len,
+                         int ignore_other_cids);
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the
+ *                      preference order for a specific version of the protocol.
+ *                      (Only useful on the server side)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ * \param major         Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
+ *                      supported)
+ * \param minor         Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                      MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                      MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ *
+ * \note                With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
+ *                      and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ */
+void mbedtls_ssl_conf_ciphersuites_for_version(mbedtls_ssl_config *conf,
+                                               const int *ciphersuites,
+                                               int major, int minor);
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the X.509 security profile used for verification
+ *
+ * \note           The restrictions are enforced for all certificates in the
+ *                 chain. However, signatures in the handshake are not covered
+ *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
+ *
+ * \param conf     SSL configuration
+ * \param profile  Profile to use
+ */
+void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
+                                   const mbedtls_x509_crt_profile *profile);
+
+/**
+ * \brief          Set the data required to verify peer certificate
+ *
+ * \note           See \c mbedtls_x509_crt_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
+ * \param conf     SSL configuration
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl);
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+/**
+ * \brief          Set the trusted certificate callback.
+ *
+ *                 This API allows to register the set of trusted certificates
+ *                 through a callback, instead of a linked list as configured
+ *                 by mbedtls_ssl_conf_ca_chain().
+ *
+ *                 This is useful for example in contexts where a large number
+ *                 of CAs are used, and the inefficiency of maintaining them
+ *                 in a linked list cannot be tolerated. It is also useful when
+ *                 the set of trusted CAs needs to be modified frequently.
+ *
+ *                 See the documentation of `mbedtls_x509_crt_ca_cb_t` for
+ *                 more information.
+ *
+ * \param conf     The SSL configuration to register the callback with.
+ * \param f_ca_cb  The trusted certificate callback to use when verifying
+ *                 certificate chains.
+ * \param p_ca_cb  The context to be passed to \p f_ca_cb (for example,
+ *                 a reference to a trusted CA database).
+ *
+ * \note           This API is incompatible with mbedtls_ssl_conf_ca_chain():
+ *                 Any call to this function overwrites the values set through
+ *                 earlier calls to mbedtls_ssl_conf_ca_chain() or
+ *                 mbedtls_ssl_conf_ca_cb().
+ *
+ * \note           This API is incompatible with CA indication in
+ *                 CertificateRequest messages: A server-side SSL context which
+ *                 is bound to an SSL configuration that uses a CA callback
+ *                 configured via mbedtls_ssl_conf_ca_cb(), and which requires
+ *                 client authentication, will send an empty CA list in the
+ *                 corresponding CertificateRequest message.
+ *
+ * \note           This API is incompatible with mbedtls_ssl_set_hs_ca_chain():
+ *                 If an SSL context is bound to an SSL configuration which uses
+ *                 CA callbacks configured via mbedtls_ssl_conf_ca_cb(), then
+ *                 calls to mbedtls_ssl_set_hs_ca_chain() have no effect.
+ *
+ * \note           The use of this API disables the use of restartable ECC
+ *                 during X.509 CRT signature verification (but doesn't affect
+ *                 other uses).
+ *
+ * \warning        This API is incompatible with the use of CRLs. Any call to
+ *                 mbedtls_ssl_conf_ca_cb() unsets CRLs configured through
+ *                 earlier calls to mbedtls_ssl_conf_ca_chain().
+ *
+ * \warning        In multi-threaded environments, the callback \p f_ca_cb
+ *                 must be thread-safe, and it is the user's responsibility
+ *                 to guarantee this (for example through a mutex
+ *                 contained in the callback context pointed to by \p p_ca_cb).
+ */
+void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
+                            mbedtls_x509_crt_ca_cb_t f_ca_cb,
+                            void *p_ca_cb);
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
+/**
+ * \brief          Set own certificate chain and private key
+ *
+ * \note           own_cert should contain in order from the bottom up your
+ *                 certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
+ * \note           On server, this function can be called multiple times to
+ *                 provision more than one cert/key pair (eg one ECDSA, one
+ *                 RSA with SHA-256, one RSA with SHA-1). An adequate
+ *                 certificate will be selected according to the client's
+ *                 advertised capabilities. In case multiple certificates are
+ *                 adequate, preference is given to the one set by the first
+ *                 call to this function, then second, etc.
+ *
+ * \note           On client, only the first call has any effect. That is,
+ *                 only one client certificate can be provisioned. The
+ *                 server's preferences in its CertficateRequest message will
+ *                 be ignored and our only cert will be sent regardless of
+ *                 whether it matches those preferences - the server can then
+ *                 decide what it wants to do with it.
+ *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
+ * \param conf     SSL configuration
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+/**
+ * \brief          Configure a pre-shared key (PSK) and identity
+ *                 to be used in PSK-based ciphersuites.
+ *
+ * \note           This is mainly useful for clients. Servers will usually
+ *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
+ *
+ * \note           A PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
+ *                 takes precedence over a PSK configured by this function.
+ *
+ * \warning        Currently, clients can only register a single pre-shared key.
+ *                 Calling this function or mbedtls_ssl_conf_psk_opaque() more
+ *                 than once will overwrite values configured in previous calls.
+ *                 Support for setting multiple PSKs on clients and selecting
+ *                 one based on the identity hint is not a planned feature,
+ *                 but feedback is welcomed.
+ *
+ * \param conf     The SSL configuration to register the PSK with.
+ * \param psk      The pointer to the pre-shared key to use.
+ * \param psk_len  The length of the pre-shared key in bytes.
+ * \param psk_identity      The pointer to the pre-shared key identity.
+ * \param psk_identity_len  The length of the pre-shared key identity
+ *                          in bytes.
+ *
+ * \note           The PSK and its identity are copied internally and
+ *                 hence need not be preserved by the caller for the lifetime
+ *                 of the SSL configuration.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
+ */
+int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
+                         const unsigned char *psk, size_t psk_len,
+                         const unsigned char *psk_identity, size_t psk_identity_len);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief          Configure an opaque pre-shared key (PSK) and identity
+ *                 to be used in PSK-based ciphersuites.
+ *
+ * \note           This is mainly useful for clients. Servers will usually
+ *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
+ *
+ * \note           An opaque PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in
+ *                 the PSK callback takes precedence over an opaque PSK
+ *                 configured by this function.
+ *
+ * \warning        Currently, clients can only register a single pre-shared key.
+ *                 Calling this function or mbedtls_ssl_conf_psk() more than
+ *                 once will overwrite values configured in previous calls.
+ *                 Support for setting multiple PSKs on clients and selecting
+ *                 one based on the identity hint is not a planned feature,
+ *                 but feedback is welcomed.
+ *
+ * \param conf     The SSL configuration to register the PSK with.
+ * \param psk      The identifier of the key slot holding the PSK.
+ *                 Until \p conf is destroyed or this function is successfully
+ *                 called again, the key slot \p psk must be populated with a
+ *                 key of type PSA_ALG_CATEGORY_KEY_DERIVATION whose policy
+ *                 allows its use for the key derivation algorithm applied
+ *                 in the handshake.
+ * \param psk_identity      The pointer to the pre-shared key identity.
+ * \param psk_identity_len  The length of the pre-shared key identity
+ *                          in bytes.
+ *
+ * \note           The PSK identity hint is copied internally and hence need
+ *                 not be preserved by the caller for the lifetime of the
+ *                 SSL configuration.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
+ */
+int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
+                                psa_key_id_t psk,
+                                const unsigned char *psk_identity,
+                                size_t psk_identity_len);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/**
+ * \brief          Set the pre-shared Key (PSK) for the current handshake.
+ *
+ * \note           This should only be called inside the PSK callback,
+ *                 i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
+ *
+ * \note           A PSK set by this function takes precedence over a PSK
+ *                 configured by \c mbedtls_ssl_conf_psk().
+ *
+ * \param ssl      The SSL context to configure a PSK for.
+ * \param psk      The pointer to the pre-shared key.
+ * \param psk_len  The length of the pre-shared key in bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
+ */
+int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
+                           const unsigned char *psk, size_t psk_len);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief          Set an opaque pre-shared Key (PSK) for the current handshake.
+ *
+ * \note           This should only be called inside the PSK callback,
+ *                 i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
+ *
+ * \note           An opaque PSK set by this function takes precedence over an
+ *                 opaque PSK configured by \c mbedtls_ssl_conf_psk_opaque().
+ *
+ * \param ssl      The SSL context to configure a PSK for.
+ * \param psk      The identifier of the key slot holding the PSK.
+ *                 For the duration of the current handshake, the key slot
+ *                 must be populated with a key of type
+ *                 PSA_ALG_CATEGORY_KEY_DERIVATION whose policy allows its
+ *                 use for the key derivation algorithm
+ *                 applied in the handshake.
+  *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
+ */
+int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
+                                  psa_key_id_t psk);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/**
+ * \brief          Set the PSK callback (server-side only).
+ *
+ *                 If set, the PSK callback is called for each
+ *                 handshake where a PSK-based ciphersuite was negotiated.
+ *                 The caller provides the identity received and wants to
+ *                 receive the actual PSK data and length.
+ *
+ *                 The callback has the following parameters:
+ *                 - \c void*: The opaque pointer \p p_psk.
+ *                 - \c mbedtls_ssl_context*: The SSL context to which
+ *                                            the operation applies.
+ *                 - \c const unsigned char*: The PSK identity
+ *                                            selected by the client.
+ *                 - \c size_t: The length of the PSK identity
+ *                              selected by the client.
+ *
+ *                 If a valid PSK identity is found, the callback should use
+ *                 \c mbedtls_ssl_set_hs_psk() or
+ *                 \c mbedtls_ssl_set_hs_psk_opaque()
+ *                 on the SSL context to set the correct PSK and return \c 0.
+ *                 Any other return value will result in a denied PSK identity.
+ *
+ * \note           A dynamic PSK (i.e. set by the PSK callback) takes
+ *                 precedence over a static PSK (i.e. set by
+ *                 \c mbedtls_ssl_conf_psk() or
+ *                 \c mbedtls_ssl_conf_psk_opaque()).
+ *                 This means that if you set a PSK callback using this
+ *                 function, you don't need to set a PSK using
+ *                 \c mbedtls_ssl_conf_psk() or
+ *                 \c mbedtls_ssl_conf_psk_opaque()).
+ *
+ * \param conf     The SSL configuration to register the callback with.
+ * \param f_psk    The callback for selecting and setting the PSK based
+ *                 in the PSK identity chosen by the client.
+ * \param p_psk    A pointer to an opaque structure to be passed to
+ *                 the callback, for example a PSK store.
+ */
+void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
+                             int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                          size_t),
+                             void *p_psk);
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read as hexadecimal strings (server-side only)
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator
+ *
+ * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
+ *
+ * \return         0 if successful
+ */
+MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param(mbedtls_ssl_config *conf,
+                                                 const char *dhm_P,
+                                                 const char *dhm_G);
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values
+ *                 from big-endian binary presentations.
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
+ * \param P_len    Length of DHM modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
+ * \param G_len    Length of DHM generator
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
+                                  const unsigned char *dhm_P, size_t P_len,
+                                  const unsigned char *dhm_G,  size_t G_len);
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read from existing context (server-side only)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_ctx  Diffie-Hellman-Merkle context
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx);
+#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the minimum length for Diffie-Hellman parameters.
+ *                 (Client-side only.)
+ *                 (Default: 1024 bits.)
+ *
+ * \param conf     SSL configuration
+ * \param bitlen   Minimum bit length of the DHM prime
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
+                                     unsigned int bitlen);
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Set the allowed curves in order of preference.
+ *                 (Default: all defined curves.)
+ *
+ *                 On server: this only affects selection of the ECDHE curve;
+ *                 the curves used for ECDH and ECDSA are determined by the
+ *                 list of available certificates instead.
+ *
+ *                 On client: this affects the list of curves offered for any
+ *                 use. The server can override our preference order.
+ *
+ *                 Both sides: limits the set of curves accepted for use in
+ *                 ECDHE and in the peer's end-entity certificate.
+ *
+ * \note           This has no influence on which curves are allowed inside the
+ *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
+ *                 for that. For the end-entity certificate however, the key
+ *                 will be accepted only if it is allowed both by this list
+ *                 and by the cert profile.
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred curve first).
+ *
+ * \param conf     SSL configuration
+ * \param curves   Ordered list of allowed curves,
+ *                 terminated by MBEDTLS_ECP_DP_NONE.
+ */
+void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
+                             const mbedtls_ecp_group_id *curves);
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/**
+ * \brief          Set the allowed hashes for signatures during the handshake.
+ *                 (Default: all available hashes except MD5.)
+ *
+ * \note           This only affects which hashes are offered and can be used
+ *                 for signatures during the handshake. Hashes for message
+ *                 authentication and the TLS PRF are controlled by the
+ *                 ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
+ *                 used for certificate signature are controlled by the
+ *                 verification profile, see \c mbedtls_ssl_conf_cert_profile().
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred hash first).
+ *
+ * \param conf     SSL configuration
+ * \param hashes   Ordered list of allowed signature hashes,
+ *                 terminated by \c MBEDTLS_MD_NONE.
+ */
+void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
+                                 const int *hashes);
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set or reset the hostname to check against the received
+ *                 server certificate. It sets the ServerName TLS extension,
+ *                 too, if that extension is enabled. (client-side only)
+ *
+ * \param ssl      SSL context
+ * \param hostname the server hostname, may be NULL to clear hostname
+
+ * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ *
+ * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ *                 allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ *                 too long input hostname.
+ *
+ *                 Hostname set to the one provided on success (cleared
+ *                 when NULL). On allocation failure hostname is cleared.
+ *                 On too long input failure, old hostname is unchanged.
+ */
+int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/**
+ * \brief          Set own certificate and key for the current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_own_cert() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
+                                mbedtls_x509_crt *own_cert,
+                                mbedtls_pk_context *pk_key);
+
+/**
+ * \brief          Set the data required to verify peer certificate for the
+ *                 current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_ca_chain() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *ca_chain,
+                                 mbedtls_x509_crl *ca_crl);
+
+/**
+ * \brief          Set authmode for the current handshake.
+ *
+ * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ *                 MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
+                                 int authmode);
+
+/**
+ * \brief          Set server side ServerName TLS extension callback
+ *                 (optional, server-side only).
+ *
+ *                 If set, the ServerName callback is called whenever the
+ *                 server receives a ServerName TLS extension from the client
+ *                 during a handshake. The ServerName callback has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
+ *                 const unsigned char *hostname, size_t len). If a suitable
+ *                 certificate is found, the callback must set the
+ *                 certificate(s) and key(s) to use with \c
+ *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
+ *                 and may optionally adjust the CA and associated CRL with \c
+ *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
+ *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ *                 then must return 0. If no matching name is found, the
+ *                 callback must either set a default cert, or
+ *                 return non-zero to abort the handshake at this point.
+ *
+ * \param conf     SSL configuration
+ * \param f_sni    verification function
+ * \param p_sni    verification parameter
+ */
+void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
+                          int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                       size_t),
+                          void *p_sni);
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/**
+ * \brief          Set the EC J-PAKE password for current handshake.
+ *
+ * \note           An internal copy is made, and destroyed as soon as the
+ *                 handshake is completed, or when the SSL context is reset or
+ *                 freed.
+ *
+ * \note           The SSL context needs to be already set up. The right place
+ *                 to call this function is between \c mbedtls_ssl_setup() or
+ *                 \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ *
+ * \param ssl      SSL context
+ * \param pw       EC J-PAKE password (pre-shared secret)
+ * \param pw_len   length of pw in bytes
+ *
+ * \return         0 on success, or a negative error code.
+ */
+int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
+                                        const unsigned char *pw,
+                                        size_t pw_len);
+#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+/**
+ * \brief          Set the supported Application Layer Protocols.
+ *
+ * \param conf     SSL configuration
+ * \param protos   Pointer to a NULL-terminated list of supported protocols,
+ *                 in decreasing preference order. The pointer to the list is
+ *                 recorded by the library for later reference as required, so
+ *                 the lifetime of the table must be atleast as long as the
+ *                 lifetime of the SSL configuration structure.
+ *
+ * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
+ */
+int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos);
+
+/**
+ * \brief          Get the name of the negotiated Application Layer Protocol.
+ *                 This function should be called after the handshake is
+ *                 completed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Protcol name, or NULL if no protocol was negotiated.
+ */
+const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+#if defined(MBEDTLS_DEBUG_C)
+static inline const char *mbedtls_ssl_get_srtp_profile_as_string(mbedtls_ssl_srtp_profile profile) {
+    switch (profile) {
+        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
+            return ("MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80");
+        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
+            return ("MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32");
+        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
+            return ("MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80");
+        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
+            return ("MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32");
+        default:
+            break;
+    }
+    return ("");
+}
+#endif /* MBEDTLS_DEBUG_C */
+/**
+ * \brief                   Manage support for mki(master key id) value
+ *                          in use_srtp extension.
+ *                          MKI is an optional part of SRTP used for key management
+ *                          and re-keying. See RFC3711 section 3.1 for details.
+ *                          The default value is
+ *                          #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED.
+ *
+ * \param conf              The SSL configuration to manage mki support.
+ * \param support_mki_value Enable or disable mki usage. Values are
+ *                          #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED
+ *                          or #MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED.
+ */
+void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
+                                               int support_mki_value);
+
+/**
+ * \brief                   Set the supported DTLS-SRTP protection profiles.
+ *
+ * \param conf              SSL configuration
+ * \param profiles          Pointer to a List of MBEDTLS_TLS_SRTP_UNSET terminated
+ *                          supported protection profiles
+ *                          in decreasing preference order.
+ *                          The pointer to the list is recorded by the library
+ *                          for later reference as required, so the lifetime
+ *                          of the table must be at least as long as the lifetime
+ *                          of the SSL configuration structure.
+ *                          The list must not hold more than
+ *                          MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH elements
+ *                          (excluding the terminating MBEDTLS_TLS_SRTP_UNSET).
+ *
+ * \return                  0 on success
+ * \return                  #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of
+ *                          protection profiles is incorrect.
+ */
+int mbedtls_ssl_conf_dtls_srtp_protection_profiles
+(mbedtls_ssl_config *conf,
+ const mbedtls_ssl_srtp_profile *profiles);
+
+/**
+ * \brief                  Set the mki_value for the current DTLS-SRTP session.
+ *
+ * \param ssl              SSL context to use.
+ * \param mki_value        The MKI value to set.
+ * \param mki_len          The length of the MKI value.
+ *
+ * \note                   This function is relevant on client side only.
+ *                         The server discovers the mki value during handshake.
+ *                         A mki value set on server side using this function
+ *                         is ignored.
+ *
+ * \return                 0 on success
+ * \return                 #MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ * \return                 #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+ */
+int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
+                                        unsigned char *mki_value,
+                                        uint16_t mki_len);
+/**
+ * \brief                  Get the negotiated DTLS-SRTP informations:
+ *                         Protection profile and MKI value.
+ *
+ * \warning                This function must be called after the handshake is
+ *                         completed. The value returned by this function must
+ *                         not be trusted or acted upon before the handshake completes.
+ *
+ * \param ssl              The SSL context to query.
+ * \param dtls_srtp_info   The negotiated DTLS-SRTP informations:
+ *                         - Protection profile in use.
+ *                         A direct mapping of the iana defined value for protection
+ *                         profile on an uint16_t.
+                   http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ *                         #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
+ *                         or peer's Hello packet was not parsed yet.
+ *                         - mki size and value( if size is > 0 ).
+ */
+void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
+                                                  mbedtls_dtls_srtp_info *dtls_srtp_info);
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side
+ *                 (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
+ *
+ * \note           This ignores ciphersuites from higher versions.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor);
+
+/**
+ * \brief          Set the minimum accepted SSL/TLS protocol version
+ *                 (Default: TLS 1.0)
+ *
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor);
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: MBEDTLS_SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param conf     SSL configuration
+ * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
+ */
+void mbedtls_ssl_conf_fallback(mbedtls_ssl_config *conf, char fallback);
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief           Enable or disable Encrypt-then-MAC
+ *                  (Default: MBEDTLS_SSL_ETM_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security
+ *                  improvement, and should not cause any interoperability
+ *                  issue (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param etm       MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
+ */
+void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm);
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ */
+void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems);
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_ARC4_C)
+/**
+ * \brief          Disable or enable support for RC4
+ *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
+ *
+ * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
+ *                 for security reasons. Use at your own risk.
+ *
+ * \note           This function is deprecated and will be removed in
+ *                 a future version of the library.
+ *                 RC4 is disabled by default at compile time and needs to be
+ *                 actively enabled for use with legacy systems.
+ *
+ * \param conf     SSL configuration
+ * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
+ */
+void mbedtls_ssl_conf_arc4_support(mbedtls_ssl_config *conf, char arc4);
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Whether to send a list of acceptable CAs in
+ *                 CertificateRequest messages.
+ *                 (Default: do send)
+ *
+ * \param conf     SSL configuration
+ * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
+ *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
+ */
+void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
+                                       char cert_req_ca_list);
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
+ *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
+ *                 (Server: set maximum fragment length to emit,
+ *                 usually negotiated by the client during handshake)
+ *                 (Client: set maximum fragment length to emit *and*
+ *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
+ *
+ * \note           For DTLS, it is also possible to set a limit for the total
+ *                 size of daragrams passed to the transport layer, including
+ *                 record overhead, see \c mbedtls_ssl_set_mtu().
+ *
+ * \param conf     SSL configuration
+ * \param mfl_code Code for maximum fragment length (allowed values:
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ */
+int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code);
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+/**
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \param conf     SSL configuration
+ * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
+ *                                    MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ */
+void mbedtls_ssl_conf_truncated_hmac(mbedtls_ssl_config *conf, int truncate);
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+/**
+ * \brief          Enable / Disable 1/n-1 record splitting
+ *                 (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
+ *
+ * \note           Only affects SSLv3 and TLS 1.0, not higher versions.
+ *                 Does not affect non-CBC ciphersuites in any version.
+ *
+ * \param conf     SSL configuration
+ * \param split    MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or
+ *                 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+ */
+void mbedtls_ssl_conf_cbc_record_splitting(mbedtls_ssl_config *conf, char split);
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Enable / Disable session tickets (client only).
+ *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ *
+ * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
+ *
+ * \param conf     SSL configuration
+ * \param use_tickets   Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enable / Disable renegotiation support for connection when
+ *                 initiated by peer
+ *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ *
+ * \warning        It is recommended to always disable renegotation unless you
+ *                 know you need it and you know what you're doing. In the
+ *                 past, there have been several issues associated with
+ *                 renegotiation or a poor understanding of its properties.
+ *
+ * \note           Server-side, enabling renegotiation also makes the server
+ *                 susceptible to a resource DoS by a malicious client.
+ *
+ * \param conf    SSL configuration
+ * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
+ *                                             MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ */
+void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Prevent or allow legacy renegotiation.
+ *                 (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
+ *
+ *                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to
+ *                 be established even if the peer does not support
+ *                 secure renegotiation, but does not allow renegotiation
+ *                 to take place if not secure.
+ *                 (Interoperable and secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
+ *                 with non-upgraded peers. Allowing legacy renegotiation
+ *                 makes the connection vulnerable to specific man in the
+ *                 middle attacks. (See RFC 5746)
+ *                 (Most interoperable and least secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
+ *                 if peer does not support secure renegotiation. Results
+ *                 in interoperability issues with non-upgraded peers
+ *                 that do not support renegotiation altogether.
+ *                 (Most secure option, interoperability issues)
+ *
+ * \param conf     SSL configuration
+ * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
+ *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
+ *                                        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
+ */
+void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enforce renegotiation requests.
+ *                 (Default: enforced, max_records = 16)
+ *
+ *                 When we request a renegotiation, the peer can comply or
+ *                 ignore the request. This function allows us to decide
+ *                 whether to enforce our renegotiation requests by closing
+ *                 the connection if the peer doesn't comply.
+ *
+ *                 However, records could already be in transit from the peer
+ *                 when the request is emitted. In order to increase
+ *                 reliability, we can accept a number of records before the
+ *                 expected handshake records.
+ *
+ *                 The optimal value is highly dependent on the specific usage
+ *                 scenario.
+ *
+ * \note           With DTLS and server-initiated renegotiation, the
+ *                 HelloRequest is retransmited every time mbedtls_ssl_read() times
+ *                 out or receives Application Data, until:
+ *                 - max_records records have beens seen, if it is >= 0, or
+ *                 - the number of retransmits that would happen during an
+ *                 actual handshake has been reached.
+ *                 Please remember the request might be lost a few times
+ *                 if you consider setting max_records to a really low value.
+ *
+ * \warning        On client, the grace period can only happen during
+ *                 mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate()
+ *                 which always behave as if max_record was 0. The reason is,
+ *                 if we receive application data from the server, we need a
+ *                 place to write it, which only happens during mbedtls_ssl_read().
+ *
+ * \param conf     SSL configuration
+ * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
+ *                 enforce renegotiation, or a non-negative value to enforce
+ *                 it but allow for a grace period of max_records records.
+ */
+void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records);
+
+/**
+ * \brief          Set record counter threshold for periodic renegotiation.
+ *                 (Default: 2^48 - 1)
+ *
+ *                 Renegotiation is automatically triggered when a record
+ *                 counter (outgoing or incoming) crosses the defined
+ *                 threshold. The default value is meant to prevent the
+ *                 connection from being closed when the counter is about to
+ *                 reached its maximal value (it is not allowed to wrap).
+ *
+ *                 Lower values can be used to enforce policies such as "keys
+ *                 must be refreshed every N packets with cipher X".
+ *
+ *                 The renegotiation period can be disabled by setting
+ *                 conf->disable_renegotiation to
+ *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
+ *
+ * \note           When the configured transport is
+ *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
+ *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
+ *                 the maximum renegotiation period is 2^64 - 1.
+ *
+ * \param conf     SSL configuration
+ * \param period   The threshold value: a big-endian 64-bit number.
+ */
+void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
+                                           const unsigned char period[8]);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Check if there is data already read from the
+ *                 underlying transport but not yet processed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if nothing's pending, 1 otherwise.
+ *
+ * \note           This is different in purpose and behaviour from
+ *                 \c mbedtls_ssl_get_bytes_avail in that it considers
+ *                 any kind of unprocessed data, not only unread
+ *                 application data. If \c mbedtls_ssl_get_bytes
+ *                 returns a non-zero value, this function will
+ *                 also signal pending data, but the converse does
+ *                 not hold. For example, in DTLS there might be
+ *                 further records waiting to be processed from
+ *                 the current underlying transport's datagram.
+ *
+ * \note           If this function returns 1 (data pending), this
+ *                 does not imply that a subsequent call to
+ *                 \c mbedtls_ssl_read will provide any data;
+ *                 e.g., the unprocessed data might turn out
+ *                 to be an alert or a handshake message.
+ *
+ * \note           This function is useful in the following situation:
+ *                 If the SSL/TLS module successfully returns from an
+ *                 operation - e.g. a handshake or an application record
+ *                 read - and you're awaiting incoming data next, you
+ *                 must not immediately idle on the underlying transport
+ *                 to have data ready, but you need to check the value
+ *                 of this function first. The reason is that the desired
+ *                 data might already be read but not yet processed.
+ *                 If, in contrast, a previous call to the SSL/TLS module
+ *                 returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary
+ *                 to call this function, as the latter error code entails
+ *                 that all internal data has been processed.
+ *
+ */
+int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the number of application data bytes
+ *                 remaining to be read from the current record.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         How many bytes are available in the application
+ *                 data record read buffer.
+ *
+ * \note           When working over a datagram transport, this is
+ *                 useful to detect the current datagram's boundary
+ *                 in case \c mbedtls_ssl_read has written the maximal
+ *                 amount of data fitting into the input buffer.
+ *
+ */
+size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the result of the certificate verification
+ *
+ * \param ssl      The SSL context to use.
+ *
+ * \return         \c 0 if the certificate verification was successful.
+ * \return         \c -1u if the result is not available. This may happen
+ *                 e.g. if the handshake aborts early, or a verification
+ *                 callback returned a fatal error.
+ * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
+ */
+uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the name of the current ciphersuite
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the SSL version
+ */
+const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the (maximum) number of bytes added by the record
+ *                 layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum record expansion in bytes, or
+ *                 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
+ *                 enabled, which makes expansion much less predictable
+ */
+int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Return the maximum fragment length (payload, in bytes) for
+ *                 the output buffer. For the client, this is the configured
+ *                 value. For the server, it is the minimum of two - the
+ *                 configured value and the negotiated one.
+ *
+ * \sa             mbedtls_ssl_conf_max_frag_len()
+ * \sa             mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length for the output buffer.
+ */
+size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Return the maximum fragment length (payload, in bytes) for
+ *                 the input buffer. This is the negotiated maximum fragment
+ *                 length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *                 If it is not defined either, the value is 2^14. This function
+ *                 works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
+ *
+ * \sa             mbedtls_ssl_conf_max_frag_len()
+ * \sa             mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length for the output buffer.
+ */
+size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function is a deprecated approach to getting the max
+ *                 fragment length. Its an alias for
+ *                 \c mbedtls_ssl_get_output_max_frag_len(), as the behaviour
+ *                 is the same. See \c mbedtls_ssl_get_output_max_frag_len() for
+ *                 more detail.
+ *
+ * \sa             mbedtls_ssl_get_input_max_frag_len()
+ * \sa             mbedtls_ssl_get_output_max_frag_len()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length for the output buffer.
+ */
+MBEDTLS_DEPRECATED size_t mbedtls_ssl_get_max_frag_len(
+    const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+/**
+ * \brief          Return the current maximum outgoing record payload in bytes.
+ *                 This takes into account the config.h setting \c
+ *                 MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
+ *                 max fragment length extension if used, and for DTLS the
+ *                 path MTU as configured and current record expansion.
+ *
+ * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
+ *                 called with a larger length value.
+ *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
+ *                 necessary and return the number of bytes written; it is up
+ *                 to the caller to call \c mbedtls_ssl_write() again in
+ *                 order to send the remaining bytes if any.
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \sa             mbedtls_ssl_set_mtu()
+ * \sa             mbedtls_ssl_get_output_max_frag_len()
+ * \sa             mbedtls_ssl_get_input_max_frag_len()
+ * \sa             mbedtls_ssl_get_record_expansion()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum payload for an outgoing record,
+ *                 or a negative error code.
+ */
+int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Return the peer certificate from the current connection.
+ *
+ * \param  ssl     The SSL context to use. This must be initialized and setup.
+ *
+ * \return         The current peer certificate, if available.
+ *                 The returned certificate is owned by the SSL context and
+ *                 is valid only until the next call to the SSL API.
+ * \return         \c NULL if no peer certificate is available. This might
+ *                 be because the chosen ciphersuite doesn't use CRTs
+ *                 (PSK-based ciphersuites, for example), or because
+ *                 #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled,
+ *                 allowing the stack to free the peer's CRT to save memory.
+ *
+ * \note           For one-time inspection of the peer's certificate during
+ *                 the handshake, consider registering an X.509 CRT verification
+ *                 callback through mbedtls_ssl_conf_verify() instead of calling
+ *                 this function. Using mbedtls_ssl_conf_verify() also comes at
+ *                 the benefit of allowing you to influence the verification
+ *                 process, for example by masking expected and tolerated
+ *                 verification failures.
+ *
+ * \warning        You must not use the pointer returned by this function
+ *                 after any further call to the SSL API, including
+ *                 mbedtls_ssl_read() and mbedtls_ssl_write(); this is
+ *                 because the pointer might change during renegotiation,
+ *                 which happens transparently to the user.
+ *                 If you want to use the certificate across API calls,
+ *                 you must make a copy.
+ */
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Save session in order to resume it later (client-side only)
+ *                 Session data is copied to presented session structure.
+ *
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid.
+ *
+ * \note           Only the server certificate is copied, and not the full chain,
+ *                 so you should not attempt to validate the certificate again
+ *                 by calling \c mbedtls_x509_crt_verify() on it.
+ *                 Instead, you should use the results from the verification
+ *                 in the original handshake by calling \c mbedtls_ssl_get_verify_result()
+ *                 after loading the session again into a new SSL context
+ *                 using \c mbedtls_ssl_set_session().
+ *
+ * \note           Once the session object is not needed anymore, you should
+ *                 free it by calling \c mbedtls_ssl_session_free().
+ *
+ * \sa             mbedtls_ssl_set_session()
+ */
+int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session);
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief          Perform the SSL handshake
+ *
+ * \param ssl      SSL context
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
+ *                 and the client did not demonstrate reachability yet - in
+ *                 this case you must stop using the context (see below).
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           If DTLS is in use, then you may choose to handle
+ *                 #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ *                 purposes, as it is an expected return value rather than an
+ *                 actual error, but you still need to reset/free the context.
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                 from the underlying transport layer is currently being processed,
+ *                 and it is safe to idle until the timer or the underlying transport
+ *                 signal a new event. This is not true for a successful handshake,
+ *                 in which case the datagram of the underlying transport that is
+ *                 currently being processed might or might not contain further
+ *                 DTLS records.
+ */
+int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Perform a single step of the SSL handshake
+ *
+ * \note           The state of the context (ssl->state) will be at
+ *                 the next state after this function returns \c 0. Do not
+ *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         See mbedtls_ssl_handshake().
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ */
+int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Initiate an SSL renegotiation on the running connection.
+ *                 Client: perform the renegotiation right now.
+ *                 Server: request renegotiation, which will be performed
+ *                 during the next call to mbedtls_ssl_read() if honored by
+ *                 client.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or any mbedtls_ssl_handshake() return
+ *                 value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
+ *                 happen during a renegotiation.
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ *
+ */
+int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Read at most 'len' application data bytes
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer that will hold the data
+ * \param len      maximum number of bytes to read
+ *
+ * \return         The (positive) number of bytes read if successful.
+ * \return         \c 0 if the read end of the underlying transport was closed
+ *                 without sending a CloseNotify beforehand, which might happen
+ *                 because of various reasons (internal error of an underlying
+ *                 stack, non-conformant peer not sending a CloseNotify and
+ *                 such) - in this case you must stop using the context
+ *                 (see below).
+ * \return         #MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY if the underlying
+ *                 transport is still functional, but the peer has
+ *                 acknowledged to not send anything anymore.
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
+ *                 side of a DTLS connection and the client is initiating a
+ *                 new connection using the same source port. See below.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a positive value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ *                 (which can only happen server-side), it means that a client
+ *                 is initiating a new connection using the same source port.
+ *                 You can either treat that as a connection close and wait
+ *                 for the client to resend a ClientHello, or directly
+ *                 continue with \c mbedtls_ssl_handshake() with the same
+ *                 context (as it has been reset internally). Either way, you
+ *                 must make sure this is seen by the application as a new
+ *                 connection: application state, if any, should be reset, and
+ *                 most importantly the identity of the client must be checked
+ *                 again. WARNING: not validating the identity of the client
+ *                 again, or not transmitting the new identity to the
+ *                 application layer, would allow authentication bypass!
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                   from the underlying transport layer is currently being processed,
+ *                   and it is safe to idle until the timer or the underlying transport
+ *                   signal a new event.
+ *                 - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was
+ *                   initially available on the underlying transport, as this data may have
+ *                   been only e.g. duplicated messages or a renegotiation request.
+ *                   Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even
+ *                   when reacting to an incoming-data event from the underlying transport.
+ *                 - On success, the datagram of the underlying transport that is currently
+ *                   being processed may contain further DTLS records. You should call
+ *                   \c mbedtls_ssl_check_pending to check for remaining records.
+ *
+ */
+int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
+
+/**
+ * \brief          Try to write exactly 'len' application data bytes
+ *
+ * \warning        This function will do partial writes in some cases. If the
+ *                 return value is non-negative but less than length, the
+ *                 function must be called again with updated arguments:
+ *                 buf + ret, len - ret (if ret is the return value) until
+ *                 it returns a value equal to the last 'len' argument.
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer holding the data
+ * \param len      how many bytes must be written
+ *
+ * \return         The (non-negative) number of bytes actually written if
+ *                 successful (may be less than \p len).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a non-negative value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ *                 it must be called later with the *same* arguments,
+ *                 until it returns a value greater that or equal to 0. When
+ *                 the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ *                 some partial data in the output buffer, however this is not
+ *                 yet sent.
+ *
+ * \note           If the requested length is greater than the maximum
+ *                 fragment length (either the built-in limit or the one set
+ *                 or negotiated with the peer), then:
+ *                 - with TLS, less bytes than requested are written.
+ *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
+ *                 \c mbedtls_ssl_get_output_max_frag_len() may be used to
+ *                 query the active maximum fragment length.
+ *
+ * \note           Attempting to write 0 bytes will result in an empty TLS
+ *                 application record being sent.
+ */
+int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len);
+
+/**
+ * \brief           Send an alert message
+ *
+ * \param ssl       SSL context
+ * \param level     The alert level of the message
+ *                  (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
+ * \param message   The alert message (SSL_ALERT_MSG_*)
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl,
+                                   unsigned char level,
+                                   unsigned char message);
+/**
+ * \brief          Notify the peer that the connection is being closed
+ *
+ * \param ssl      SSL context
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief          Free referenced items in an SSL context and clear memory
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_free(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+/**
+ * \brief          Save an active connection as serialized data in a buffer.
+ *                 This allows the freeing or re-using of the SSL context
+ *                 while still picking up the connection later in a way that
+ *                 it entirely transparent to the peer.
+ *
+ * \see            mbedtls_ssl_context_load()
+ *
+ * \note           This feature is currently only available under certain
+ *                 conditions, see the documentation of the return value
+ *                 #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details.
+ *
+ * \note           When this function succeeds, it calls
+ *                 mbedtls_ssl_session_reset() on \p ssl which as a result is
+ *                 no longer associated with the connection that has been
+ *                 serialized. This avoids creating copies of the connection
+ *                 state. You're then free to either re-use the context
+ *                 structure for a different connection, or call
+ *                 mbedtls_ssl_free() on it. See the documentation of
+ *                 mbedtls_ssl_session_reset() for more details.
+ *
+ * \param ssl      The SSL context to save. On success, it is no longer
+ *                 associated with the connection that has been serialized.
+ * \param buf      The buffer to write the serialized data to. It must be a
+ *                 writeable buffer of at least \p buf_len bytes, or may be \c
+ *                 NULL if \p buf_len is \c 0.
+ * \param buf_len  The number of bytes available for writing in \p buf.
+ * \param olen     The size in bytes of the data that has been or would have
+ *                 been written. It must point to a valid \c size_t.
+ *
+ * \note           \p olen is updated to the correct value regardless of
+ *                 whether \p buf_len was large enough. This makes it possible
+ *                 to determine the necessary size by calling this function
+ *                 with \p buf set to \c NULL and \p buf_len to \c 0. However,
+ *                 the value of \p olen is only guaranteed to be correct when
+ *                 the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or
+ *                 \c 0. If the return value is different, then the value of
+ *                 \p olen is undefined.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
+ * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed
+ *                 while reseting the context.
+ * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in
+ *                 progress, or there is pending data for reading or sending,
+ *                 or the connection does not use DTLS 1.2 with an AEAD
+ *                 ciphersuite, or renegotiation is enabled.
+ */
+int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
+                             unsigned char *buf,
+                             size_t buf_len,
+                             size_t *olen);
+
+/**
+ * \brief          Load serialized connection data to an SSL context.
+ *
+ * \see            mbedtls_ssl_context_save()
+ *
+ * \warning        The same serialized data must never be loaded into more
+ *                 that one context. In order to ensure that, after
+ *                 successfully loading serialized data to an SSL context, you
+ *                 should immediately destroy or invalidate all copies of the
+ *                 serialized data that was loaded. Loading the same data in
+ *                 more than one context would cause severe security failures
+ *                 including but not limited to loss of confidentiality.
+ *
+ * \note           Before calling this function, the SSL context must be
+ *                 prepared in one of the two following ways. The first way is
+ *                 to take a context freshly initialised with
+ *                 mbedtls_ssl_init() and call mbedtls_ssl_setup() on it with
+ *                 the same ::mbedtls_ssl_config structure that was used in
+ *                 the original connection. The second way is to
+ *                 call mbedtls_ssl_session_reset() on a context that was
+ *                 previously prepared as above but used in the meantime.
+ *                 Either way, you must not use the context to perform a
+ *                 handshake between calling mbedtls_ssl_setup() or
+ *                 mbedtls_ssl_session_reset() and calling this function. You
+ *                 may however call other setter functions in that time frame
+ *                 as indicated in the note below.
+ *
+ * \note           Before or after calling this function successfully, you
+ *                 also need to configure some connection-specific callbacks
+ *                 and settings before you can use the connection again
+ *                 (unless they were already set before calling
+ *                 mbedtls_ssl_session_reset() and the values are suitable for
+ *                 the present connection). Specifically, you want to call
+ *                 at least mbedtls_ssl_set_bio() and
+ *                 mbedtls_ssl_set_timer_cb(). All other SSL setter functions
+ *                 are not necessary to call, either because they're only used
+ *                 in handshakes, or because the setting is already saved. You
+ *                 might choose to call them anyway, for example in order to
+ *                 share code between the cases of establishing a new
+ *                 connection and the case of loading an already-established
+ *                 connection.
+ *
+ * \note           If you have new information about the path MTU, you want to
+ *                 call mbedtls_ssl_set_mtu() after calling this function, as
+ *                 otherwise this function would overwrite your
+ *                 newly-configured value with the value that was active when
+ *                 the context was saved.
+ *
+ * \note           When this function returns an error code, it calls
+ *                 mbedtls_ssl_free() on \p ssl. In this case, you need to
+ *                 prepare the context with the usual sequence starting with a
+ *                 call to mbedtls_ssl_init() if you want to use it again.
+ *
+ * \param ssl      The SSL context structure to be populated. It must have
+ *                 been prepared as described in the note above.
+ * \param buf      The buffer holding the serialized connection data. It must
+ *                 be a readable buffer of at least \p len bytes.
+ * \param len      The size of the serialized data in bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
+ *                 comes from a different Mbed TLS version or build.
+ * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ */
+int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl,
+                             const unsigned char *buf,
+                             size_t len);
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
+/**
+ * \brief          Initialize an SSL configuration context
+ *                 Just makes the context ready for
+ *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
+ *
+ * \note           You need to call mbedtls_ssl_config_defaults() unless you
+ *                 manually set all of the relevant fields yourself.
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_init(mbedtls_ssl_config *conf);
+
+/**
+ * \brief          Load reasonnable default SSL configuration values.
+ *                 (You need to call mbedtls_ssl_config_init() first.)
+ *
+ * \param conf     SSL configuration context
+ * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
+ * \param preset   a MBEDTLS_SSL_PRESET_XXX value
+ *
+ * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
+ */
+int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
+                                int endpoint, int transport, int preset);
+
+/**
+ * \brief          Free an SSL configuration context
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_free(mbedtls_ssl_config *conf);
+
+/**
+ * \brief          Initialize SSL session structure
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_init(mbedtls_ssl_session *session);
+
+/**
+ * \brief          Free referenced items in an SSL session including the
+ *                 peer certificate and clear memory
+ *
+ * \note           A session object can be freed even if the SSL context
+ *                 that was used to retrieve the session is still in use.
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_free(mbedtls_ssl_session *session);
+
+/**
+ * \brief          TLS-PRF function for key derivation.
+ *
+ * \param prf      The tls_prf type funtion type to be used.
+ * \param secret   Secret for the key derivation function.
+ * \param slen     Length of the secret.
+ * \param label    String label for the key derivation function,
+ *                 terminated with null character.
+ * \param random   Random bytes.
+ * \param rlen     Length of the random bytes buffer.
+ * \param dstbuf   The buffer holding the derived key.
+ * \param dlen     Length of the output buffer.
+ *
+ * \return         0 on sucess. An SSL specific error on failure.
+ */
+int  mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
+                         const unsigned char *secret, size_t slen,
+                         const char *label,
+                         const unsigned char *random, size_t rlen,
+                         unsigned char *dstbuf, size_t dlen);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl.h */
diff --git a/common/mbedtls/ssl_cache.c b/common/mbedtls/ssl_cache.c
new file mode 100644
index 000000000..16818b391
--- /dev/null
+++ b/common/mbedtls/ssl_cache.c
@@ -0,0 +1,321 @@
+/*
+ *  SSL session cache implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+void mbedtls_ssl_cache_init(mbedtls_ssl_cache_context *cache) {
+    memset(cache, 0, sizeof(mbedtls_ssl_cache_context));
+
+    cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
+    cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&cache->mutex);
+#endif
+}
+
+int mbedtls_ssl_cache_get(void *data, mbedtls_ssl_session *session) {
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time(NULL);
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *entry;
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_lock(&cache->mutex) != 0)
+        return (1);
+#endif
+
+    cur = cache->chain;
+    entry = NULL;
+
+    while (cur != NULL) {
+        entry = cur;
+        cur = cur->next;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if (cache->timeout != 0 &&
+                (int)(t - entry->timestamp) > cache->timeout)
+            continue;
+#endif
+
+        if (session->ciphersuite != entry->session.ciphersuite ||
+                session->compression != entry->session.compression ||
+                session->id_len != entry->session.id_len)
+            continue;
+
+        if (memcmp(session->id, entry->session.id,
+                   entry->session.id_len) != 0)
+            continue;
+
+        ret = mbedtls_ssl_session_copy(session, &entry->session);
+        if (ret != 0) {
+            ret = 1;
+            goto exit;
+        }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        /*
+         * Restore peer certificate (without rest of the original chain)
+         */
+        if (entry->peer_cert.p != NULL) {
+            /* `session->peer_cert` is NULL after the call to
+             * mbedtls_ssl_session_copy(), because cache entries
+             * have the `peer_cert` field set to NULL. */
+
+            if ((session->peer_cert = mbedtls_calloc(1,
+                                                     sizeof(mbedtls_x509_crt))) == NULL) {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_x509_crt_init(session->peer_cert);
+            if (mbedtls_x509_crt_parse(session->peer_cert, entry->peer_cert.p,
+                                       entry->peer_cert.len) != 0) {
+                mbedtls_free(session->peer_cert);
+                session->peer_cert = NULL;
+                ret = 1;
+                goto exit;
+            }
+        }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+        ret = 0;
+        goto exit;
+    }
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&cache->mutex) != 0)
+        ret = 1;
+#endif
+
+    return (ret);
+}
+
+int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session) {
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time(NULL), oldest = 0;
+    mbedtls_ssl_cache_entry *old = NULL;
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *prv;
+    int count = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&cache->mutex)) != 0)
+        return (ret);
+#endif
+
+    cur = cache->chain;
+    prv = NULL;
+
+    while (cur != NULL) {
+        count++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if (cache->timeout != 0 &&
+                (int)(t - cur->timestamp) > cache->timeout) {
+            cur->timestamp = t;
+            break; /* expired, reuse this slot, update timestamp */
+        }
+#endif
+
+        if (memcmp(session->id, cur->session.id, cur->session.id_len) == 0)
+            break; /* client reconnected, keep timestamp for session id */
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if (oldest == 0 || cur->timestamp < oldest) {
+            oldest = cur->timestamp;
+            old = cur;
+        }
+#endif
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    if (cur == NULL) {
+#if defined(MBEDTLS_HAVE_TIME)
+        /*
+         * Reuse oldest entry if max_entries reached
+         */
+        if (count >= cache->max_entries) {
+            if (old == NULL) {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = old;
+        }
+#else /* MBEDTLS_HAVE_TIME */
+        /*
+         * Reuse first entry in chain if max_entries reached,
+         * but move to last place
+         */
+        if (count >= cache->max_entries) {
+            if (cache->chain == NULL) {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = cache->chain;
+            cache->chain = cur->next;
+            cur->next = NULL;
+            prv->next = cur;
+        }
+#endif /* MBEDTLS_HAVE_TIME */
+        else {
+            /*
+             * max_entries not reached, create new entry
+             */
+            cur = mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_entry));
+            if (cur == NULL) {
+                ret = 1;
+                goto exit;
+            }
+
+            if (prv == NULL)
+                cache->chain = cur;
+            else
+                prv->next = cur;
+        }
+
+#if defined(MBEDTLS_HAVE_TIME)
+        cur->timestamp = t;
+#endif
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /*
+     * If we're reusing an entry, free its certificate first
+     */
+    if (cur->peer_cert.p != NULL) {
+        mbedtls_free(cur->peer_cert.p);
+        memset(&cur->peer_cert, 0, sizeof(mbedtls_x509_buf));
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    /* Copy the entire session; this temporarily makes a copy of the
+     * X.509 CRT structure even though we only want to store the raw CRT.
+     * This inefficiency will go away as soon as we implement on-demand
+     * parsing of CRTs, in which case there's no need for the `peer_cert`
+     * field anymore in the first place, and we're done after this call. */
+    ret = mbedtls_ssl_session_copy(&cur->session, session);
+    if (ret != 0) {
+        ret = 1;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* If present, free the X.509 structure and only store the raw CRT data. */
+    if (cur->session.peer_cert != NULL) {
+        cur->peer_cert.p =
+            mbedtls_calloc(1, cur->session.peer_cert->raw.len);
+        if (cur->peer_cert.p == NULL) {
+            ret = 1;
+            goto exit;
+        }
+
+        memcpy(cur->peer_cert.p,
+               cur->session.peer_cert->raw.p,
+               cur->session.peer_cert->raw.len);
+        cur->peer_cert.len = session->peer_cert->raw.len;
+
+        mbedtls_x509_crt_free(cur->session.peer_cert);
+        mbedtls_free(cur->session.peer_cert);
+        cur->session.peer_cert = NULL;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&cache->mutex) != 0)
+        ret = 1;
+#endif
+
+    return (ret);
+}
+
+#if defined(MBEDTLS_HAVE_TIME)
+void mbedtls_ssl_cache_set_timeout(mbedtls_ssl_cache_context *cache, int timeout) {
+    if (timeout < 0) timeout = 0;
+
+    cache->timeout = timeout;
+}
+#endif /* MBEDTLS_HAVE_TIME */
+
+void mbedtls_ssl_cache_set_max_entries(mbedtls_ssl_cache_context *cache, int max) {
+    if (max < 0) max = 0;
+
+    cache->max_entries = max;
+}
+
+void mbedtls_ssl_cache_free(mbedtls_ssl_cache_context *cache) {
+    mbedtls_ssl_cache_entry *cur, *prv;
+
+    cur = cache->chain;
+
+    while (cur != NULL) {
+        prv = cur;
+        cur = cur->next;
+
+        mbedtls_ssl_session_free(&prv->session);
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        mbedtls_free(prv->peer_cert.p);
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+        mbedtls_free(prv);
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free(&cache->mutex);
+#endif
+    cache->chain = NULL;
+}
+
+#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/common/mbedtls/ssl_cache.h b/common/mbedtls/ssl_cache.h
new file mode 100644
index 000000000..331e3beae
--- /dev/null
+++ b/common/mbedtls/ssl_cache.h
@@ -0,0 +1,147 @@
+/**
+ * \file ssl_cache.h
+ *
+ * \brief SSL session cache implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_CACHE_H
+#define MBEDTLS_SSL_CACHE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
+#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400   /*!< 1 day  */
+#endif
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
+#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50   /*!< Maximum entries in cache */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct mbedtls_ssl_cache_context mbedtls_ssl_cache_context;
+typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
+
+/**
+ * \brief   This structure is used for storing cache entries
+ */
+struct mbedtls_ssl_cache_entry {
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t timestamp;           /*!< entry timestamp    */
+#endif
+    mbedtls_ssl_session session;        /*!< entry session      */
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    mbedtls_x509_buf peer_cert;         /*!< entry peer_cert    */
+#endif
+    mbedtls_ssl_cache_entry *next;      /*!< chain pointer      */
+};
+
+/**
+ * \brief Cache context
+ */
+struct mbedtls_ssl_cache_context {
+    mbedtls_ssl_cache_entry *chain;     /*!< start of the chain     */
+    int timeout;                /*!< cache entry timeout    */
+    int max_entries;            /*!< maximum entries        */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+};
+
+/**
+ * \brief          Initialize an SSL cache context
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_init(mbedtls_ssl_cache_context *cache);
+
+/**
+ * \brief          Cache get callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to retrieve entry for
+ */
+int mbedtls_ssl_cache_get(void *data, mbedtls_ssl_session *session);
+
+/**
+ * \brief          Cache set callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to store entry for
+ */
+int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session);
+
+#if defined(MBEDTLS_HAVE_TIME)
+/**
+ * \brief          Set the cache timeout
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT (1 day))
+ *
+ *                 A timeout of 0 indicates no timeout.
+ *
+ * \param cache    SSL cache context
+ * \param timeout  cache entry timeout in seconds
+ */
+void mbedtls_ssl_cache_set_timeout(mbedtls_ssl_cache_context *cache, int timeout);
+#endif /* MBEDTLS_HAVE_TIME */
+
+/**
+ * \brief          Set the maximum number of cache entries
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
+ *
+ * \param cache    SSL cache context
+ * \param max      cache entry maximum
+ */
+void mbedtls_ssl_cache_set_max_entries(mbedtls_ssl_cache_context *cache, int max);
+
+/**
+ * \brief          Free referenced items in a cache context and clear memory
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_free(mbedtls_ssl_cache_context *cache);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cache.h */
diff --git a/common/mbedtls/ssl_ciphersuites.c b/common/mbedtls/ssl_ciphersuites.c
new file mode 100644
index 000000000..54af7f556
--- /dev/null
+++ b/common/mbedtls/ssl_ciphersuites.c
@@ -0,0 +1,2760 @@
+/**
+ * \file ssl_ciphersuites.c
+ *
+ * \brief SSL ciphersuites for mbed TLS
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl.h"
+
+#include <string.h>
+
+/*
+ * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except RC4 and 3DES, weak and null which come last):
+ * 1. By key exchange:
+ *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ *    ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
+ * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
+ * 4. By hash function used when relevant
+ * 5. By key exchange/auth again: EC > non-EC
+ */
+static const int ciphersuite_preference[] = {
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+    MBEDTLS_SSL_CIPHERSUITES,
+#else
+    /* Chacha-Poly ephemeral suites */
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
+    /* All AES-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+    /* All ARIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+    /* All ARIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK ephemeral suites */
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The ECJPAKE suite */
+    MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
+
+    /* All AES-256 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+
+    /* All ARIA-256 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+    /* All ARIA-128 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The RSA PSK suites */
+    MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK suites */
+    MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* 3DES suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+
+    /* RC4 suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_PSK_WITH_RC4_128_SHA,
+
+    /* Weak suites */
+    MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA,
+
+    /* NULL suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
+
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_WITH_NULL_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA,
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+    0
+};
+
+static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = {
+#if defined(MBEDTLS_CHACHAPOLY_C) && \
+    defined(MBEDTLS_SHA256_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    {
+        MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+        "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+        MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+        MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#endif /* MBEDTLS_CHACHAPOLY_C &&
+          MBEDTLS_SHA256_C &&
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_MD5_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_RC4_128_MD5, "TLS-RSA-WITH-RC4-128-MD5",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_RC4_128_SHA, "TLS-RSA-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA, "TLS-ECDH-RSA-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "TLS-ECDH-ECDSA-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_RC4_128_SHA, "TLS-PSK-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+        MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA, "TLS-DHE-PSK-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA, "TLS-ECDHE-PSK-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
+        MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
+        MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
+        MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
+        MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
+        MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
+        MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_NODTLS
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CCM_C)
+    {
+        MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
+        MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_SHORT_TAG
+    },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_MD5_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
+        MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
+        MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
+        MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_CIPHERSUITE_WEAK
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+
+#if defined(MBEDTLS_ARIA_C)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+        "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+        "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+        "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+        "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+        "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+        "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+        "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+        "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+        "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+        "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+        "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+        "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+        "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+        "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+        "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+        "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+        MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+        "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    {
+        MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+        "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+        MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+        0
+    },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_ARIA_C */
+
+
+    {
+        0, "",
+        MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
+        0, 0, 0, 0, 0
+    }
+};
+
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+const int *mbedtls_ssl_list_ciphersuites(void) {
+    return (ciphersuite_preference);
+}
+#else
+#define MAX_CIPHERSUITES    sizeof( ciphersuite_definitions     ) /         \
+                            sizeof( ciphersuite_definitions[0]  )
+static int supported_ciphersuites[MAX_CIPHERSUITES];
+static int supported_init = 0;
+
+static int ciphersuite_is_removed(const mbedtls_ssl_ciphersuite_t *cs_info) {
+    (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if (cs_info->cipher == MBEDTLS_CIPHER_ARC4_128)
+        return (1);
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if (cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+            cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC) {
+        return (1);
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+    return (0);
+}
+
+const int *mbedtls_ssl_list_ciphersuites(void) {
+    /*
+     * On initial call filter out all ciphersuites not supported by current
+     * build based on presence in the ciphersuite_definitions.
+     */
+    if (supported_init == 0) {
+        const int *p;
+        int *q;
+
+        for (p = ciphersuite_preference, q = supported_ciphersuites;
+                *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
+                p++) {
+            const mbedtls_ssl_ciphersuite_t *cs_info;
+            if ((cs_info = mbedtls_ssl_ciphersuite_from_id(*p)) != NULL &&
+                    !ciphersuite_is_removed(cs_info)) {
+                *(q++) = *p;
+            }
+        }
+        *q = 0;
+
+        supported_init = 1;
+    }
+
+    return (supported_ciphersuites);
+}
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
+    const char *ciphersuite_name) {
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    if (NULL == ciphersuite_name)
+        return (NULL);
+
+    while (cur->id != 0) {
+        if (0 == strcmp(cur->name, ciphersuite_name))
+            return (cur);
+
+        cur++;
+    }
+
+    return (NULL);
+}
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite) {
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    while (cur->id != 0) {
+        if (cur->id == ciphersuite)
+            return (cur);
+
+        cur++;
+    }
+
+    return (NULL);
+}
+
+const char *mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id) {
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+
+    if (cur == NULL)
+        return ("unknown");
+
+    return (cur->name);
+}
+
+int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name) {
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_string(ciphersuite_name);
+
+    if (cur == NULL)
+        return (0);
+
+    return (cur->id);
+}
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return (MBEDTLS_PK_RSA);
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return (MBEDTLS_PK_ECDSA);
+
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return (MBEDTLS_PK_ECKEY);
+
+        default:
+            return (MBEDTLS_PK_NONE);
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            return (MBEDTLS_PK_RSA);
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return (MBEDTLS_PK_ECDSA);
+
+        default:
+            return (MBEDTLS_PK_NONE);
+    }
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/common/mbedtls/ssl_ciphersuites.h b/common/mbedtls/ssl_ciphersuites.h
new file mode 100644
index 000000000..c058d7ad2
--- /dev/null
+++ b/common/mbedtls/ssl_ciphersuites.h
@@ -0,0 +1,539 @@
+/**
+ * \file ssl_ciphersuites.h
+ *
+ * \brief SSL Ciphersuites for mbed TLS
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_H
+#define MBEDTLS_SSL_CIPHERSUITES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/pk.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Supported ciphersuites (Official IANA names)
+ */
+#define MBEDTLS_TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5                 0x04
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA                 0x05
+#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
+
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA                    0x2C   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA                0x2D   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA                0x2E   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA             0x2F
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA         0x33
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA             0x35
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x39
+
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256                 0x3B   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256          0x3C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        0x41
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    0x45
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6B   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
+
+#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA                 0x8A
+#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA            0x8B
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA             0x8C
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA             0x8D
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA             0x8E
+#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        0x8F
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         0x90
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         0x91
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA             0x92
+#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        0x93
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         0x94
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         0x95
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256          0x9C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384          0x9D   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9E   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9F   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256          0xA8   /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384          0xA9   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      0xAA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      0xAB   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      0xAC   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      0xAD   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256          0xAE
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384          0xAF
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256                 0xB0   /**< Weak! */
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384                 0xB1   /**< Weak! */
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      0xB2
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      0xB3
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256             0xB4   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384             0xB5   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      0xB6
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      0xB7
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256             0xB8   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384             0xB9   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     0xBA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     0xC0   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA             0xC001 /**< Weak! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA          0xC002 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC003 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA            0xC006 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         0xC007 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC008 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA               0xC00B /**< Weak! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA            0xC00C /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       0xC00D /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA              0xC010 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA           0xC011 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      0xC012 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   0xC025 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   0xC026 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    0xC027 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    0xC028 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     0xC029 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     0xC02A /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   0xC02D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   0xC02E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    0xC02F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    0xC030 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039 /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256         0xC03C /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384         0xC03D /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256     0xC044 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384     0xC045 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256  0xC04A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384  0xC04B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256   0xC04C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384   0xC04D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256    0xC04E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384    0xC04F /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256         0xC050 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384         0xC051 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256     0xC052 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384     0xC053 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256  0xC05E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384  0xC05F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256   0xC060 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384   0xC061 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256    0xC062 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384    0xC063 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256         0xC064 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384         0xC065 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256     0xC066 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384     0xC067 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256     0xC068 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384     0xC069 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256         0xC06A /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384         0xC06B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256     0xC06C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384     0xC06D /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256     0xC06E /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384     0xC06F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256   0xC070 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384   0xC071 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         0xC07A /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         0xC07B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256     0xC07C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384     0xC07D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  0xC088 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  0xC089 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256   0xC08A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384   0xC08B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256    0xC08C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384    0xC08D /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256       0xC08E /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384       0xC08F /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC090 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC091 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC092 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC093 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256       0xC094
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384       0xC095
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC096
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC097
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC098
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC099
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM                0xC09C  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM                0xC09D  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM            0xC09E  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM            0xC09F  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8              0xC0A0  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8              0xC0A1  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8          0xC0A2  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8          0xC0A3  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM                0xC0A4  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM                0xC0A5  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM            0xC0A6  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM            0xC0A7  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8              0xC0A8  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8              0xC0A9  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8          0xC0AA  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8          0xC0AB  /**< TLS 1.2 */
+/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM        0xC0AC  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM        0xC0AD  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8      0xC0AE  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8      0xC0AF  /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8          0xC0FF  /**< experimental */
+
+/* RFC 7905 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256         0xCCAB /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   0xCCAC /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAD /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAE /**< TLS 1.2 */
+
+/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
+ */
+typedef enum {
+    MBEDTLS_KEY_EXCHANGE_NONE = 0,
+    MBEDTLS_KEY_EXCHANGE_RSA,
+    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_PSK,
+    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+} mbedtls_key_exchange_type_t;
+
+/* Key exchanges using a certificate */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
+#endif
+
+/* Key exchanges allowing client certificate requests */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)    ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED
+#endif
+
+/* Key exchanges involving server signature in ServerKeyExchange */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED
+#endif
+
+/* Key exchanges using ECDH */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED
+#endif
+
+/* Key exchanges that don't involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED
+#endif
+
+/* Key exchanges that involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED
+#endif
+
+/* Key exchanges using a PSK */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
+#endif
+
+/* Key exchanges using DHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED
+#endif
+
+/* Key exchanges using ECDHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED
+#endif
+
+typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
+
+#define MBEDTLS_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */
+#define MBEDTLS_CIPHERSUITE_SHORT_TAG  0x02    /**< Short authentication tag,
+                                                     eg for CCM_8 */
+#define MBEDTLS_CIPHERSUITE_NODTLS     0x04    /**< Can't be used with DTLS */
+
+/**
+ * \brief   This structure is used for storing ciphersuite information
+ */
+struct mbedtls_ssl_ciphersuite_t {
+    int id;
+    const char *name;
+
+    mbedtls_cipher_type_t cipher;
+    mbedtls_md_type_t mac;
+    mbedtls_key_exchange_type_t key_exchange;
+
+    int min_major_ver;
+    int min_minor_ver;
+    int max_major_ver;
+    int max_minor_ver;
+
+    unsigned char flags;
+};
+
+const int *mbedtls_ssl_list_ciphersuites(void);
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(const char *ciphersuite_name);
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite_id);
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+
+static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature(const mbedtls_ssl_ciphersuite_t *info) {
+    switch (info->key_exchange) {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return (1);
+
+        default:
+            return (0);
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ciphersuites.h */
diff --git a/common/mbedtls/ssl_cli.c b/common/mbedtls/ssl_cli.c
new file mode 100644
index 000000000..b41b01167
--- /dev/null
+++ b/common/mbedtls/ssl_cli.c
@@ -0,0 +1,4215 @@
+/*
+ *  SSLv3/TLSv1 client-side functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#include <string.h>
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+static int ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) {
+    if (conf->psk_identity     == NULL ||
+            conf->psk_identity_len == 0) {
+        return (0);
+    }
+
+    if (conf->psk != NULL && conf->psk_len != 0)
+        return (1);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (! mbedtls_svc_key_id_is_null(conf->psk_opaque))
+        return (1);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    return (0);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int ssl_conf_has_static_raw_psk(mbedtls_ssl_config const *conf) {
+    if (conf->psk_identity     == NULL ||
+            conf->psk_identity_len == 0) {
+        return (0);
+    }
+
+    if (conf->psk != NULL && conf->psk_len != 0)
+        return (1);
+
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
+                                  unsigned char *buf,
+                                  const unsigned char *end,
+                                  size_t *olen) {
+    unsigned char *p = buf;
+    size_t hostname_len;
+
+    *olen = 0;
+
+    if (ssl->hostname == NULL)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding server name extension: %s",
+                           ssl->hostname));
+
+    hostname_len = strlen(ssl->hostname);
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
+
+    /*
+     * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+     *
+     * In order to provide any of the server names, clients MAY include an
+     * extension of type "server_name" in the (extended) client hello. The
+     * "extension_data" field of this extension SHALL contain
+     * "ServerNameList" where:
+     *
+     * struct {
+     *     NameType name_type;
+     *     select (name_type) {
+     *         case host_name: HostName;
+     *     } name;
+     * } ServerName;
+     *
+     * enum {
+     *     host_name(0), (255)
+     * } NameType;
+     *
+     * opaque HostName<1..2^16-1>;
+     *
+     * struct {
+     *     ServerName server_name_list<1..2^16-1>
+     * } ServerNameList;
+     *
+     */
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME) & 0xFF);
+
+    *p++ = (unsigned char)(((hostname_len + 5) >> 8) & 0xFF);
+    *p++ = (unsigned char)(((hostname_len + 5)) & 0xFF);
+
+    *p++ = (unsigned char)(((hostname_len + 3) >> 8) & 0xFF);
+    *p++ = (unsigned char)(((hostname_len + 3)) & 0xFF);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) & 0xFF);
+    *p++ = (unsigned char)((hostname_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((hostname_len) & 0xFF);
+
+    memcpy(p, ssl->hostname, hostname_len);
+
+    *olen = hostname_len + 9;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       const unsigned char *end,
+                                       size_t *olen) {
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+     * initial ClientHello, in which case also adding the renegotiation
+     * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
+    if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding renegotiation extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
+
+    /*
+     * Secure renegotiation
+     */
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8)
+                           & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO)
+                           & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = (ssl->verify_data_len + 1) & 0xFF;
+    *p++ = ssl->verify_data_len & 0xFF;
+
+    memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
+
+    *olen = 5 + ssl->verify_data_len;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Only if we handle at least one key exchange that needs signatures.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static int ssl_write_signature_algorithms_ext(mbedtls_ssl_context *ssl,
+                                              unsigned char *buf,
+                                              const unsigned char *end,
+                                              size_t *olen) {
+    unsigned char *p = buf;
+    size_t sig_alg_len = 0;
+    const int *md;
+
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+    unsigned char *sig_alg_list = buf + 6;
+#endif
+
+    *olen = 0;
+
+    if (ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding signature_algorithms extension"));
+
+    if (ssl->conf->sig_hashes == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+
+    for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_len += 2;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_len += 2;
+#endif
+        if (sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN) {
+            MBEDTLS_SSL_DEBUG_MSG(3,
+                                  ("length in bytes of sig-hash-alg extension too big"));
+            return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+        }
+    }
+
+    /* Empty signature algorithms list, this is a configuration error. */
+    if (sig_alg_len == 0)
+        return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, sig_alg_len + 6);
+
+    /*
+     * Prepare signature_algorithms extension (TLS 1.2)
+     */
+    sig_alg_len = 0;
+
+    for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+    }
+
+    /*
+     * enum {
+     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+     *     sha512(6), (255)
+     * } HashAlgorithm;
+     *
+     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+     *   SignatureAlgorithm;
+     *
+     * struct {
+     *     HashAlgorithm hash;
+     *     SignatureAlgorithm signature;
+     * } SignatureAndHashAlgorithm;
+     *
+     * SignatureAndHashAlgorithm
+     *   supported_signature_algorithms<2..2^16-2>;
+     */
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SIG_ALG >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SIG_ALG) & 0xFF);
+
+    *p++ = (unsigned char)(((sig_alg_len + 2) >> 8) & 0xFF);
+    *p++ = (unsigned char)(((sig_alg_len + 2)) & 0xFF);
+
+    *p++ = (unsigned char)((sig_alg_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((sig_alg_len) & 0xFF);
+
+    *olen = 6 + sig_alg_len;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   const unsigned char *end,
+                                                   size_t *olen) {
+    unsigned char *p = buf;
+    unsigned char *elliptic_curve_list = p + 6;
+    size_t elliptic_curve_len = 0;
+    const mbedtls_ecp_curve_info *info;
+    const mbedtls_ecp_group_id *grp_id;
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding supported_elliptic_curves extension"));
+
+    if (ssl->conf->curve_list == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+
+    for (grp_id = ssl->conf->curve_list;
+            *grp_id != MBEDTLS_ECP_DP_NONE;
+            grp_id++) {
+        info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
+        if (info == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1,
+                                  ("invalid curve in ssl configuration"));
+            return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+        }
+        elliptic_curve_len += 2;
+
+        if (elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN) {
+            MBEDTLS_SSL_DEBUG_MSG(3,
+                                  ("malformed supported_elliptic_curves extension in config"));
+            return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+        }
+    }
+
+    /* Empty elliptic curve list, this is a configuration error. */
+    if (elliptic_curve_len == 0)
+        return (MBEDTLS_ERR_SSL_BAD_CONFIG);
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + elliptic_curve_len);
+
+    elliptic_curve_len = 0;
+
+    for (grp_id = ssl->conf->curve_list;
+            *grp_id != MBEDTLS_ECP_DP_NONE;
+            grp_id++) {
+        info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
+    }
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8)
+                           & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES)
+                           & 0xFF);
+
+    *p++ = (unsigned char)(((elliptic_curve_len + 2) >> 8) & 0xFF);
+    *p++ = (unsigned char)(((elliptic_curve_len + 2)) & 0xFF);
+
+    *p++ = (unsigned char)(((elliptic_curve_len) >> 8) & 0xFF);
+    *p++ = (unsigned char)(((elliptic_curve_len)) & 0xFF);
+
+    *olen = 6 + elliptic_curve_len;
+
+    return (0);
+}
+
+static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+                                                 unsigned char *buf,
+                                                 const unsigned char *end,
+                                                 size_t *olen) {
+    unsigned char *p = buf;
+    (void) ssl; /* ssl used for debugging only */
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding supported_point_formats extension"));
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8)
+                           & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS)
+                           & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+
+    return (0);
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
+                                      unsigned char *buf,
+                                      const unsigned char *end,
+                                      size_t *olen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = buf;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly extension if we can't use EC J-PAKE anyway */
+    if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding ecjpake_kkpp extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP) & 0xFF);
+
+    /*
+     * We may need to send ClientHello multiple times for Hello verification.
+     * We don't want to compute fresh values every time (both for performance
+     * and consistency reasons), so cache the extension content.
+     */
+    if (ssl->handshake->ecjpake_cache == NULL ||
+            ssl->handshake->ecjpake_cache_len == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
+
+        ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
+                                              p + 2, end - p - 2, &kkpp_len,
+                                              ssl->conf->f_rng, ssl->conf->p_rng);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1,
+                                  "mbedtls_ecjpake_write_round_one", ret);
+            return (ret);
+        }
+
+        ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
+        if (ssl->handshake->ecjpake_cache == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+        }
+
+        memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
+        ssl->handshake->ecjpake_cache_len = kkpp_len;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
+
+        kkpp_len = ssl->handshake->ecjpake_cache_len;
+        MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
+
+        memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
+    }
+
+    *p++ = (unsigned char)((kkpp_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((kkpp_len) & 0xFF);
+
+    *olen = kkpp_len + 4;
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
+                             unsigned char *buf,
+                             const unsigned char *end,
+                             size_t *olen) {
+    unsigned char *p = buf;
+    size_t ext_len;
+
+    /*
+     * Quoting draft-ietf-tls-dtls-connection-id-05
+     * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+     *
+     *   struct {
+     *      opaque cid<0..2^8-1>;
+     *   } ConnectionId;
+    */
+
+    *olen = 0;
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+            ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+        return (0);
+    }
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
+
+    /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
+     * which is at most 255, so the increment cannot overflow. */
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned)(ssl->own_cid_len + 5));
+
+    /* Add extension ID + size */
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID) & 0xFF);
+    ext_len = (size_t) ssl->own_cid_len + 1;
+    *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((ext_len) & 0xFF);
+
+    *p++ = (uint8_t) ssl->own_cid_len;
+    memcpy(p, ssl->own_cid, ssl->own_cid_len);
+
+    *olen = ssl->own_cid_len + 5;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+                                             unsigned char *buf,
+                                             const unsigned char *end,
+                                             size_t *olen) {
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding max_fragment_length extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8)
+                           & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH)
+                           & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->conf->mfl_code;
+
+    *olen = 5;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        const unsigned char *end,
+                                        size_t *olen) {
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding truncated_hmac extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          const unsigned char *end,
+                                          size_t *olen) {
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+            ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding encrypt_then_mac extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
+                                     unsigned char *buf,
+                                     const unsigned char *end,
+                                     size_t *olen) {
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+            ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding extended_master_secret extension"));
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8)
+                           & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET)
+                           & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        const unsigned char *end,
+                                        size_t *olen) {
+    unsigned char *p = buf;
+    size_t tlen = ssl->session_negotiate->ticket_len;
+
+    *olen = 0;
+
+    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, adding session ticket extension"));
+
+    /* The addition is safe here since the ticket length is 16 bit. */
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET) & 0xFF);
+
+    *p++ = (unsigned char)((tlen >> 8) & 0xFF);
+    *p++ = (unsigned char)((tlen) & 0xFF);
+
+    *olen = 4;
+
+    if (ssl->session_negotiate->ticket == NULL || tlen == 0)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
+
+    memcpy(p, ssl->session_negotiate->ticket, tlen);
+
+    *olen += tlen;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
+                              unsigned char *buf,
+                              const unsigned char *end,
+                              size_t *olen) {
+    unsigned char *p = buf;
+    size_t alpnlen = 0;
+    const char **cur;
+
+    *olen = 0;
+
+    if (ssl->conf->alpn_list == NULL)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
+
+    for (cur = ssl->conf->alpn_list; *cur != NULL; cur++)
+        alpnlen += strlen(*cur) + 1;
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + alpnlen);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ALPN >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ALPN) & 0xFF);
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Skip writing extension and list length for now */
+    p += 4;
+
+    for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
+        /*
+         * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
+         * protocol names is less than 255.
+         */
+        *p = (unsigned char)strlen(*cur);
+        memcpy(p + 1, *cur, *p);
+        p += 1 + *p;
+    }
+
+    *olen = p - buf;
+
+    /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
+    buf[4] = (unsigned char)(((*olen - 6) >> 8) & 0xFF);
+    buf[5] = (unsigned char)(((*olen - 6)) & 0xFF);
+
+    /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
+    buf[2] = (unsigned char)(((*olen - 4) >> 8) & 0xFF);
+    buf[3] = (unsigned char)(((*olen - 4)) & 0xFF);
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
+                                  unsigned char *buf,
+                                  const unsigned char *end,
+                                  size_t *olen) {
+    unsigned char *p = buf;
+    size_t protection_profiles_index = 0, ext_len = 0;
+    uint16_t mki_len = 0, profile_value = 0;
+
+    *olen = 0;
+
+    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+            (ssl->conf->dtls_srtp_profile_list == NULL) ||
+            (ssl->conf->dtls_srtp_profile_list_len == 0)) {
+        return (0);
+    }
+
+    /* RFC 5764 section 4.1.1
+     * uint8 SRTPProtectionProfile[2];
+     *
+     * struct {
+     *   SRTPProtectionProfiles SRTPProtectionProfiles;
+     *   opaque srtp_mki<0..255>;
+     * } UseSRTPData;
+     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+     */
+    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+        mki_len = ssl->dtls_srtp_info.mki_len;
+    }
+    /* Extension length = 2 bytes for profiles length,
+     *                    ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
+     *                    1 byte for srtp_mki vector length and the mki_len value
+     */
+    ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
+
+    /* Check there is room in the buffer for the extension + 4 bytes
+     * - the extension tag (2 bytes)
+     * - the extension length (2 bytes)
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP) & 0xFF);
+
+
+    *p++ = (unsigned char)(((ext_len & 0xFF00) >> 8) & 0xFF);
+    *p++ = (unsigned char)(ext_len & 0xFF);
+
+    /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
+    /* micro-optimization:
+     * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
+     * which is lower than 127, so the upper byte of the length is always 0
+     * For the documentation, the more generic code is left in comments
+     * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
+     *                        >> 8 ) & 0xFF );
+     */
+    *p++ = 0;
+    *p++ = (unsigned char)((2 * ssl->conf->dtls_srtp_profile_list_len)
+                           & 0xFF);
+
+    for (protection_profiles_index = 0;
+            protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
+            protection_profiles_index++) {
+        profile_value = mbedtls_ssl_check_srtp_profile_value
+                        (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
+        if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
+                                      profile_value));
+            *p++ = ((profile_value >> 8) & 0xFF);
+            *p++ = (profile_value & 0xFF);
+        } else {
+            /*
+             * Note: we shall never arrive here as protection profiles
+             * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
+             */
+            MBEDTLS_SSL_DEBUG_MSG(3,
+                                  ("client hello, "
+                                   "illegal DTLS-SRTP protection profile %d",
+                                   ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
+                                  ));
+            return (MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED);
+        }
+    }
+
+    *p++ = mki_len & 0xFF;
+
+    if (mki_len != 0) {
+        memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
+        /*
+         * Increment p to point to the current position.
+         */
+        p += mki_len;
+        MBEDTLS_SSL_DEBUG_BUF(3, "sending mki",  ssl->dtls_srtp_info.mki_value,
+                              ssl->dtls_srtp_info.mki_len);
+    }
+
+    /*
+     * total extension length: extension type (2 bytes)
+     *                         + extension length (2 bytes)
+     *                         + protection profile length (2 bytes)
+     *                         + 2 * number of protection profiles
+     *                         + srtp_mki vector length(1 byte)
+     *                         + mki value
+     */
+    *olen = p - buf;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * Generate random bytes for ClientHello
+ */
+static int ssl_generate_random(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = ssl->handshake->randbytes;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+
+    /*
+     * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake->verify_cookie != NULL) {
+        return (0);
+    }
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time(NULL);
+    *p++ = (unsigned char)(t >> 24);
+    *p++ = (unsigned char)(t >> 16);
+    *p++ = (unsigned char)(t >>  8);
+    *p++ = (unsigned char)(t);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+                              (long long) t));
+#else
+    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0)
+        return (ret);
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+/**
+ * \brief           Validate cipher suite against config in SSL context.
+ *
+ * \param suite_info    cipher suite to validate
+ * \param ssl           SSL context
+ * \param min_minor_ver Minimal minor version to accept a cipher suite
+ * \param max_minor_ver Maximal minor version to accept a cipher suite
+ *
+ * \return          0 if valid, else 1
+ */
+static int ssl_validate_ciphersuite(
+    const mbedtls_ssl_ciphersuite_t *suite_info,
+    const mbedtls_ssl_context *ssl,
+    int min_minor_ver, int max_minor_ver) {
+    (void) ssl;
+    if (suite_info == NULL)
+        return (1);
+
+    if (suite_info->min_minor_ver > max_minor_ver ||
+            suite_info->max_minor_ver < min_minor_ver)
+        return (1);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS))
+        return (1);
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128)
+        return (1);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
+        return (1);
+#endif
+
+    /* Don't suggest PSK-based ciphersuite if no PSK is available. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
+            ssl_conf_has_static_psk(ssl->conf) == 0) {
+        return (1);
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+    return (0);
+}
+
+static int ssl_write_client_hello(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t i, n, olen, ext_len = 0;
+
+    unsigned char *buf;
+    unsigned char *p, *q;
+    const unsigned char *end;
+
+    unsigned char offer_compress;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    int uses_ec = 0;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
+
+    if (ssl->conf->f_rng == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
+        return (MBEDTLS_ERR_SSL_NO_RNG);
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+    {
+        ssl->major_ver = ssl->conf->min_major_ver;
+        ssl->minor_ver = ssl->conf->min_minor_ver;
+    }
+
+    if (ssl->conf->max_major_ver == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("configured max major version is invalid, consider using mbedtls_ssl_config_defaults()"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    buf = ssl->out_msg;
+    end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    /*
+     * Check if there's enough space for the first part of the ClientHello
+     * consisting of the 38 bytes described below, the session identifier (at
+     * most 32 bytes) and its length (1 byte).
+     *
+     * Use static upper bounds instead of the actual values
+     * to allow the compiler to optimize this away.
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 38 + 1 + 32);
+
+    /*
+     * The 38 first bytes of the ClientHello:
+     *     0  .   0   handshake type (written later)
+     *     1  .   3   handshake length (written later)
+     *     4  .   5   highest version supported
+     *     6  .   9   current UNIX time
+     *    10  .  37   random bytes
+     *
+     * The current UNIX time (4 bytes) and following 28 random bytes are written
+     * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
+     * copied from there into the output buffer.
+     */
+
+    p = buf + 4;
+    mbedtls_ssl_write_version(ssl->conf->max_major_ver,
+                              ssl->conf->max_minor_ver,
+                              ssl->conf->transport, p);
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, max version: [%d:%d]",
+                              buf[4], buf[5]));
+
+    if ((ret = ssl_generate_random(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_generate_random", ret);
+        return (ret);
+    }
+
+    memcpy(p, ssl->handshake->randbytes, 32);
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", p, 32);
+    p += 32;
+
+    /*
+     *    38  .  38   session id length
+     *    39  . 39+n  session id
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTLS only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+    n = ssl->session_negotiate->id_len;
+
+    if (n < 16 || n > 32 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+            ssl->handshake->resume == 0) {
+        n = 0;
+    }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    /*
+     * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
+     * generate and include a Session ID in the TLS ClientHello."
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+    {
+        if (ssl->session_negotiate->ticket != NULL &&
+                ssl->session_negotiate->ticket_len != 0) {
+            ret = ssl->conf->f_rng(ssl->conf->p_rng,
+                                   ssl->session_negotiate->id, 32);
+
+            if (ret != 0)
+                return (ret);
+
+            ssl->session_negotiate->id_len = n = 32;
+        }
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+    /*
+     * The first check of the output buffer size above (
+     * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
+     * has checked that there is enough space in the output buffer for the
+     * session identifier length byte and the session identifier (n <= 32).
+     */
+    *p++ = (unsigned char) n;
+
+    for (i = 0; i < n; i++)
+        *p++ = ssl->session_negotiate->id[i];
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
+    MBEDTLS_SSL_DEBUG_BUF(3,   "client hello, session id", buf + 39, n);
+
+    /*
+     *   With 'n' being the length of the session identifier
+     *
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTLS only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+
+    /*
+     * DTLS cookie
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
+
+        if (ssl->handshake->verify_cookie == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("no verify cookie to send"));
+            *p++ = 0;
+        } else {
+            MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
+                                  ssl->handshake->verify_cookie,
+                                  ssl->handshake->verify_cookie_len);
+
+            *p++ = ssl->handshake->verify_cookie_len;
+
+            MBEDTLS_SSL_CHK_BUF_PTR(p, end,
+                                    ssl->handshake->verify_cookie_len);
+            memcpy(p, ssl->handshake->verify_cookie,
+                   ssl->handshake->verify_cookie_len);
+            p += ssl->handshake->verify_cookie_len;
+        }
+    }
+#endif
+
+    /*
+     * Ciphersuite list
+     */
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+
+    /* Skip writing ciphersuite length for now */
+    n = 0;
+    q = p;
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+    p += 2;
+
+    for (i = 0; ciphersuites[i] != 0; i++) {
+        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]);
+
+        if (ssl_validate_ciphersuite(ciphersuite_info, ssl,
+                                     ssl->conf->min_minor_ver,
+                                     ssl->conf->max_minor_ver) != 0)
+            continue;
+
+        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %#04x (%s)",
+                                  (unsigned int)ciphersuites[i], ciphersuite_info->name));
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
+#endif
+
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+
+        n++;
+        *p++ = (unsigned char)(ciphersuites[i] >> 8);
+        *p++ = (unsigned char)(ciphersuites[i]);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites (excluding SCSVs)", n));
+
+    /*
+     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+        *p++ = (unsigned char)(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8);
+        *p++ = (unsigned char)(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO);
+        n++;
+    }
+
+    /* Some versions of OpenSSL don't handle it correctly if not at end */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    if (ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("adding FALLBACK_SCSV"));
+
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+        *p++ = (unsigned char)(MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8);
+        *p++ = (unsigned char)(MBEDTLS_SSL_FALLBACK_SCSV_VALUE);
+        n++;
+    }
+#endif
+
+    *q++ = (unsigned char)(n >> 7);
+    *q++ = (unsigned char)(n << 1);
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    offer_compress = 1;
+#else
+    offer_compress = 0;
+#endif
+
+    /*
+     * We don't support compression with DTLS right now: if many records come
+     * in the same datagram, uncompressing one could overwrite the next one.
+     * We don't want to add complexity for handling that case unless there is
+     * an actual need for it.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        offer_compress = 0;
+#endif
+
+    if (offer_compress) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 2));
+        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d %d",
+                                  MBEDTLS_SSL_COMPRESS_DEFLATE,
+                                  MBEDTLS_SSL_COMPRESS_NULL));
+
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
+        *p++ = 2;
+        *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 1));
+        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d",
+                                  MBEDTLS_SSL_COMPRESS_NULL));
+
+        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+        *p++ = 1;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+
+    /* First write extensions, then the total length */
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if ((ret = ssl_write_hostname_ext(ssl, p + 2 + ext_len,
+                                      end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_hostname_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+    /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+     * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if ((ret = ssl_write_renegotiation_ext(ssl, p + 2 + ext_len,
+                                           end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    if ((ret = ssl_write_signature_algorithms_ext(ssl, p + 2 + ext_len,
+                                                  end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_signature_algorithms_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if (uses_ec) {
+        if ((ret = ssl_write_supported_elliptic_curves_ext(ssl, p + 2 + ext_len,
+                                                           end, &olen)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_elliptic_curves_ext", ret);
+            return (ret);
+        }
+        ext_len += olen;
+
+        if ((ret = ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len,
+                                                         end, &olen)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
+            return (ret);
+        }
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len,
+                                          end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    if ((ret = ssl_write_cid_ext(ssl, p + 2 + ext_len, end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    if ((ret = ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len,
+                                                 end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    if ((ret = ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len,
+                                            end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_truncated_hmac_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len,
+                                              end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if ((ret = ssl_write_extended_ms_ext(ssl, p + 2 + ext_len,
+                                         end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    if ((ret = ssl_write_alpn_ext(ssl, p + 2 + ext_len,
+                                  end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_alpn_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    if ((ret = ssl_write_use_srtp_ext(ssl, p + 2 + ext_len,
+                                      end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if ((ret = ssl_write_session_ticket_ext(ssl, p + 2 + ext_len,
+                                            end, &olen)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
+        return (ret);
+    }
+    ext_len += olen;
+#endif
+
+    /* olen unused if all extensions are disabled */
+    ((void) olen);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+                              ext_len));
+
+    if (ext_len > 0) {
+        /* No need to check for space here, because the extension
+         * writing functions already took care of that. */
+        *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
+        *p++ = (unsigned char)((ext_len) & 0xFF);
+        p += ext_len;
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_HELLO;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_send_flight_completed(ssl);
+#endif
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+        return (ret);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
+
+    return (0);
+}
+
+static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf,
+                                        size_t len) {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if (len    != 1 + ssl->verify_data_len * 2 ||
+                buf[0] !=     ssl->verify_data_len * 2 ||
+                mbedtls_ssl_safer_memcmp(buf + 1,
+                                         ssl->own_verify_data, ssl->verify_data_len) != 0 ||
+                mbedtls_ssl_safer_memcmp(buf + 1 + ssl->verify_data_len,
+                                         ssl->peer_verify_data, ssl->verify_data_len) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+    } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if (len != 1 || buf[0] != 0x00) {
+            MBEDTLS_SSL_DEBUG_MSG(1,
+                                  ("non-zero length renegotiation info"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+                                             const unsigned char *buf,
+                                             size_t len) {
+    /*
+     * server should use the extension only if we did,
+     * and if so the server's value should match ours (and len is always 1)
+     */
+    if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
+            len != 1 ||
+            buf[0] != ssl->conf->mfl_code) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("non-matching max fragment length extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf,
+                                        size_t len) {
+    if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
+            len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("non-matching truncated HMAC extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
+                             const unsigned char *buf,
+                             size_t len) {
+    size_t peer_cid_len;
+
+    if (/* CID extension only makes sense in DTLS */
+        ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+        /* The server must only send the CID extension if we have offered it. */
+        ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    if (len == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    peer_cid_len = *buf++;
+    len--;
+
+    if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    if (len != peer_cid_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
+    ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
+    memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
+    MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+                                          const unsigned char *buf,
+                                          size_t len) {
+    if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+            len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("non-matching encrypt-then-MAC extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
+                                     const unsigned char *buf,
+                                     size_t len) {
+    if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+            len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("non-matching extended master secret extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    ((void) buf);
+
+    ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf,
+                                        size_t len) {
+    if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+            len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("non-matching session ticket extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    ((void) buf);
+
+    ssl->handshake->new_session_ticket = 1;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+                                                 const unsigned char *buf,
+                                                 size_t len) {
+    size_t list_size;
+    const unsigned char *p;
+
+    if (len == 0 || (size_t)(buf[0] + 1) != len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while (list_size > 0) {
+        if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
+            return (0);
+        }
+
+        list_size--;
+        p++;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
+    mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                   MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+    return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
+                                  const unsigned char *buf,
+                                  size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (ssl->handshake->ciphersuite_info->key_exchange !=
+            MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
+        return (0);
+    }
+
+    /* If we got here, we no longer need our cached extension */
+    mbedtls_free(ssl->handshake->ecjpake_cache);
+    ssl->handshake->ecjpake_cache = NULL;
+    ssl->handshake->ecjpake_cache_len = 0;
+
+    if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
+                                              buf, len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
+                              const unsigned char *buf, size_t len) {
+    size_t list_len, name_len;
+    const char **p;
+
+    /* If we didn't send it, the server shouldn't send it */
+    if (ssl->conf->alpn_list == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     *
+     * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if (len < 4) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    list_len = (buf[0] << 8) | buf[1];
+    if (list_len != len - 2) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    name_len = buf[2];
+    if (name_len != list_len - 1) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /* Check that the server chosen protocol was in our list and save it */
+    for (p = ssl->conf->alpn_list; *p != NULL; p++) {
+        if (name_len == strlen(*p) &&
+                memcmp(buf + 3, *p, name_len) == 0) {
+            ssl->alpn_chosen = *p;
+            return (0);
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
+    mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                   MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+    return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
+                                  const unsigned char *buf,
+                                  size_t len) {
+    mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
+    size_t i, mki_len = 0;
+    uint16_t server_protection_profile_value = 0;
+
+    /* If use_srtp is not configured, just ignore the extension */
+    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+            (ssl->conf->dtls_srtp_profile_list == NULL) ||
+            (ssl->conf->dtls_srtp_profile_list_len == 0))
+        return (0);
+
+    /* RFC 5764 section 4.1.1
+     * uint8 SRTPProtectionProfile[2];
+     *
+     * struct {
+     *   SRTPProtectionProfiles SRTPProtectionProfiles;
+     *   opaque srtp_mki<0..255>;
+     * } UseSRTPData;
+
+     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+     *
+     */
+    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+        mki_len = ssl->dtls_srtp_info.mki_len;
+    }
+
+    /*
+     * Length is 5 + optional mki_value : one protection profile length (2 bytes)
+     *                                      + protection profile (2 bytes)
+     *                                      + mki_len(1 byte)
+     *                                      and optional srtp_mki
+     */
+    if ((len < 5) || (len != (buf[4] + 5u)))
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+
+    /*
+     * get the server protection profile
+     */
+
+    /*
+     * protection profile length must be 0x0002 as we must have only
+     * one protection profile in server Hello
+     */
+    if ((buf[0] != 0) || (buf[1] != 2))
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+
+    server_protection_profile_value = (buf[2] << 8) | buf[3];
+    server_protection = mbedtls_ssl_check_srtp_profile_value(
+                            server_protection_profile_value);
+    if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
+                                  mbedtls_ssl_get_srtp_profile_as_string(
+                                      server_protection)));
+    }
+
+    ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+    /*
+     * Check we have the server profile in our list
+     */
+    for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
+        if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
+            ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+            MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
+                                      mbedtls_ssl_get_srtp_profile_as_string(
+                                          server_protection)));
+            break;
+        }
+    }
+
+    /* If no match was found : server problem, it shall never answer with incompatible profile */
+    if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /* If server does not use mki in its reply, make sure the client won't keep
+     * one as negotiated */
+    if (len == 5) {
+        ssl->dtls_srtp_info.mki_len = 0;
+    }
+
+    /*
+     * RFC5764:
+     *  If the client detects a nonzero-length MKI in the server's response
+     *  that is different than the one the client offered, then the client
+     *  MUST abort the handshake and SHOULD send an invalid_parameter alert.
+     */
+    if (len > 5  && (buf[4] != mki_len ||
+                     (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+#if defined (MBEDTLS_DEBUG_C)
+    if (len > 5) {
+        MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
+                              ssl->dtls_srtp_info.mki_len);
+    }
+#endif
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * Parse HelloVerifyRequest.  Only called after verifying the HS type.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) {
+    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+    int major_ver, minor_ver;
+    unsigned char cookie_len;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
+
+    /* Check that there is enough room for:
+     * - 2 bytes of version
+     * - 1 byte of cookie_len
+     */
+    if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("incoming HelloVerifyRequest message is too short"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+    MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
+    mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, p);
+    p += 2;
+
+    /*
+     * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
+     * even is lower than our min version.
+     */
+    if (major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
+            minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
+            major_ver > ssl->conf->max_major_ver  ||
+            minor_ver > ssl->conf->max_minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
+
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+
+        return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
+    }
+
+    cookie_len = *p++;
+    if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("cookie length does not match incoming message size"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+    MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
+
+    mbedtls_free(ssl->handshake->verify_cookie);
+
+    ssl->handshake->verify_cookie = mbedtls_calloc(1, cookie_len);
+    if (ssl->handshake->verify_cookie  == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    memcpy(ssl->handshake->verify_cookie, p, cookie_len);
+    ssl->handshake->verify_cookie_len = cookie_len;
+
+    /* Start over at ClientHello */
+    ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+    mbedtls_ssl_reset_checksum(ssl);
+
+    mbedtls_ssl_recv_flight_completed(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) {
+    int ret, i;
+    size_t n;
+    size_t ext_len;
+    unsigned char *buf, *ext;
+    unsigned char comp;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    int accept_comp;
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        /* No alert on a read error. */
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    buf = ssl->in_msg;
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+            ssl->renego_records_seen++;
+
+            if (ssl->conf->renego_max_records >= 0 &&
+                    ssl->renego_records_seen > ssl->conf->renego_max_records) {
+                MBEDTLS_SSL_DEBUG_MSG(1,
+                                      ("renegotiation requested, but not honored by server"));
+                return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG(1,
+                                  ("non-handshake message during renegotiation"));
+
+            ssl->keep_current_message = 1;
+            return (MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO);
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
+            MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
+            return (ssl_parse_hello_verify_request(ssl));
+        } else {
+            /* We made it through the verification process */
+            mbedtls_free(ssl->handshake->verify_cookie);
+            ssl->handshake->verify_cookie = NULL;
+            ssl->handshake->verify_cookie_len = 0;
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
+            buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /*
+     *  0   .  1    server_version
+     *  2   . 33    random (maybe including 4 bytes of Unix time)
+     * 34   . 34    session_id length = n
+     * 35   . 34+n  session_id
+     * 35+n . 36+n  cipher_suite
+     * 37+n . 37+n  compression_method
+     *
+     * 38+n . 39+n  extensions length (optional)
+     * 40+n .  ..   extensions
+     */
+    buf += mbedtls_ssl_hs_hdr_len(ssl);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf + 0, 2);
+    mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
+                             ssl->conf->transport, buf + 0);
+
+    if (ssl->major_ver < ssl->conf->min_major_ver ||
+            ssl->minor_ver < ssl->conf->min_minor_ver ||
+            ssl->major_ver > ssl->conf->max_major_ver ||
+            ssl->minor_ver > ssl->conf->max_minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("server version out of bounds -  min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+                               ssl->conf->min_major_ver,
+                               ssl->conf->min_minor_ver,
+                               ssl->major_ver, ssl->minor_ver,
+                               ssl->conf->max_major_ver,
+                               ssl->conf->max_minor_ver));
+
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+
+        return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
+                              ((unsigned long) buf[2] << 24) |
+                              ((unsigned long) buf[3] << 16) |
+                              ((unsigned long) buf[4] <<  8) |
+                              ((unsigned long) buf[5])));
+
+    memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
+
+    n = buf[34];
+
+    MBEDTLS_SSL_DEBUG_BUF(3,   "server hello, random bytes", buf + 2, 32);
+
+    if (n > 32) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
+        ext_len = ((buf[38 + n] <<  8)
+                   | (buf[39 + n]));
+
+        if ((ext_len > 0 && ext_len < 4) ||
+                ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+    } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
+        ext_len = 0;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    /* ciphersuite (used later) */
+    i = (buf[35 + n] << 8) | buf[36 + n];
+
+    /*
+     * Read and check compression
+     */
+    comp = buf[37 + n];
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        accept_comp = 0;
+    else
+#endif
+        accept_comp = 1;
+
+    if (comp != MBEDTLS_SSL_COMPRESS_NULL &&
+            (comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0))
+#else /* MBEDTLS_ZLIB_SUPPORT */
+    if (comp != MBEDTLS_SSL_COMPRESS_NULL)
+#endif/* MBEDTLS_ZLIB_SUPPORT */
+    {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("server hello, bad compression: %d", comp));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+    }
+
+    /*
+     * Initialize update checksum functions
+     */
+    ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
+    if (ssl->handshake->ciphersuite_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("ciphersuite info for %04x not found", (unsigned int)i));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
+    MBEDTLS_SSL_DEBUG_BUF(3,   "server hello, session id", buf + 35, n);
+
+    /*
+     * Check if the session can be resumed
+     */
+    if (ssl->handshake->resume == 0 || n == 0 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+            ssl->session_negotiate->ciphersuite != i ||
+            ssl->session_negotiate->compression != comp ||
+            ssl->session_negotiate->id_len != n ||
+            memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
+        ssl->state++;
+        ssl->handshake->resume = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif
+        ssl->session_negotiate->ciphersuite = i;
+        ssl->session_negotiate->compression = comp;
+        ssl->session_negotiate->id_len = n;
+        memcpy(ssl->session_negotiate->id, buf + 35, n);
+    } else {
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+            return (ret);
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
+                              ssl->handshake->resume ? "a" : "no"));
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
+                              buf[37 + n]));
+
+    /*
+     * Perform cipher suite validation in same way as in ssl_write_client_hello.
+     */
+    i = 0;
+    while (1) {
+        if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+
+        if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
+                ssl->session_negotiate->ciphersuite) {
+            break;
+        }
+    }
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id(
+                     ssl->session_negotiate->ciphersuite);
+    if (ssl_validate_ciphersuite(suite_info, ssl, ssl->minor_ver,
+                                 ssl->minor_ver) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3,
+                          ("server hello, chosen ciphersuite: %s", suite_info->name));
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        ssl->handshake->ecrs_enabled = 1;
+    }
+#endif
+
+    if (comp != MBEDTLS_SSL_COMPRESS_NULL
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+            && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
+#endif
+       ) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+    ssl->session_negotiate->compression = comp;
+
+    ext = buf + 40 + n;
+
+    MBEDTLS_SSL_DEBUG_MSG(2,
+                          ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, ext_len));
+
+    while (ext_len) {
+        unsigned int ext_id   = ((ext[0] <<  8)
+                                 | (ext[1]));
+        unsigned int ext_size = ((ext[2] <<  8)
+                                 | (ext[3]));
+
+        if (ext_size + 4 > ext_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+            mbedtls_ssl_send_alert_message(
+                ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+
+        switch (ext_id) {
+            case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                renegotiation_info_seen = 1;
+#endif
+
+                if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
+                                                        ext_size)) != 0)
+                    return (ret);
+
+                break;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+            case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+                MBEDTLS_SSL_DEBUG_MSG(3,
+                                      ("found max_fragment_length extension"));
+
+                if ((ret = ssl_parse_max_fragment_length_ext(ssl,
+                                                             ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+            case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated_hmac extension"));
+
+                if ((ret = ssl_parse_truncated_hmac_ext(ssl,
+                                                        ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+            case MBEDTLS_TLS_EXT_CID:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
+
+                if ((ret = ssl_parse_cid_ext(ssl,
+                                             ext + 4,
+                                             ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
+
+                if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
+                                                          ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+            case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+                MBEDTLS_SSL_DEBUG_MSG(3,
+                                      ("found extended_master_secret extension"));
+
+                if ((ret = ssl_parse_extended_ms_ext(ssl,
+                                                     ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            case MBEDTLS_TLS_EXT_SESSION_TICKET:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
+
+                if ((ret = ssl_parse_session_ticket_ext(ssl,
+                                                        ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+                MBEDTLS_SSL_DEBUG_MSG(3,
+                                      ("found supported_point_formats extension"));
+
+                if ((ret = ssl_parse_supported_point_formats_ext(ssl,
+                                                                 ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
+
+                if ((ret = ssl_parse_ecjpake_kkpp(ssl,
+                                                  ext + 4, ext_size)) != 0) {
+                    return (ret);
+                }
+
+                break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+            case MBEDTLS_TLS_EXT_ALPN:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+                if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0)
+                    return (ret);
+
+                break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+            case MBEDTLS_TLS_EXT_USE_SRTP:
+                MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
+
+                if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0)
+                    return (ret);
+
+                break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+            default:
+                MBEDTLS_SSL_DEBUG_MSG(3,
+                                      ("unknown extension found: %u (ignoring)", ext_id));
+        }
+
+        ext_len -= 4 + ext_size;
+        ext += 4 + ext_size;
+
+        if (ext_len > 0 && ext_len < 4) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+            ssl->conf->allow_legacy_renegotiation ==
+            MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("legacy renegotiation, breaking off handshake"));
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("renegotiation_info extension missing (secure)"));
+        handshake_failure = 1;
+    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+               ssl->conf->allow_legacy_renegotiation ==
+               MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
+        handshake_failure = 1;
+    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+               renegotiation_info_seen == 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("renegotiation_info extension present (legacy)"));
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if (handshake_failure == 1) {
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
+                                      unsigned char **p,
+                                      unsigned char *end) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral DH parameters:
+     *
+     * struct {
+     *     opaque dh_p<1..2^16-1>;
+     *     opaque dh_g<1..2^16-1>;
+     *     opaque dh_Ys<1..2^16-1>;
+     * } ServerDHParams;
+     */
+    if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
+                                       p, end)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
+        return (ret);
+    }
+
+    if (ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
+                                  ssl->handshake->dhm_ctx.len * 8,
+                                  ssl->conf->dhm_min_bitlen));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
+    MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
+    MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) {
+    const mbedtls_ecp_curve_info *curve_info;
+    mbedtls_ecp_group_id grp_id;
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    grp_id = ssl->handshake->ecdh_ctx.grp.id;
+#else
+    grp_id = ssl->handshake->ecdh_ctx.grp_id;
+#endif
+
+    curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id);
+    if (curve_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name));
+
+#if defined(MBEDTLS_ECP_C)
+    if (mbedtls_ssl_check_curve(ssl, grp_id) != 0)
+#else
+    if (ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
+            ssl->handshake->ecdh_ctx.grp.nbits > 521)
+#endif
+        return (-1);
+
+    MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                           MBEDTLS_DEBUG_ECDH_QP);
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) &&                           \
+        ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||     \
+          defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
+static int ssl_parse_server_ecdh_params_psa(mbedtls_ssl_context *ssl,
+                                            unsigned char **p,
+                                            unsigned char *end) {
+    uint16_t tls_id;
+    size_t ecdh_bits = 0;
+    uint8_t ecpoint_len;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    /*
+     * Parse ECC group
+     */
+
+    if (end - *p < 4)
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+
+    /* First byte is curve_type; only named_curve is handled */
+    if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE)
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+
+    /* Next two bytes are the namedcurve value */
+    tls_id = *(*p)++;
+    tls_id <<= 8;
+    tls_id |= *(*p)++;
+
+    /* Convert EC group to PSA key type. */
+    if ((handshake->ecdh_psa_type =
+                mbedtls_psa_parse_tls_ecc_group(tls_id, &ecdh_bits)) == 0) {
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+    if (ecdh_bits > 0xffff)
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    handshake->ecdh_bits = (uint16_t) ecdh_bits;
+
+    /*
+     * Put peer's ECDH public key in the format understood by PSA.
+     */
+
+    ecpoint_len = *(*p)++;
+    if ((size_t)(end - *p) < ecpoint_len)
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+
+    if (mbedtls_psa_tls_ecpoint_to_psa_ec(
+                *p, ecpoint_len,
+                handshake->ecdh_psa_peerkey,
+                sizeof(handshake->ecdh_psa_peerkey),
+                &handshake->ecdh_psa_peerkey_len) != 0) {
+        return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    }
+
+    *p += ecpoint_len;
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+            ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+              MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
+                                        unsigned char **p,
+                                        unsigned char *end) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral ECDH parameters:
+     *
+     * struct {
+     *     ECParameters curve_params;
+     *     ECPoint      public;
+     * } ServerECDHParams;
+     */
+    if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
+                                        (const unsigned char **) p, end)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+        if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return (ret);
+    }
+
+    if (ssl_check_server_ecdh_params(ssl) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("bad server key exchange message (ECDHE curve)"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
+                                     unsigned char **p,
+                                     unsigned char *end) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    uint16_t  len;
+    ((void) ssl);
+
+    /*
+     * PSK parameters:
+     *
+     * opaque psk_identity_hint<0..2^16-1>;
+     */
+    if (end - (*p) < 2) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("bad server key exchange message (psk_identity_hint length)"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+    len = (*p)[0] << 8 | (*p)[1];
+    *p += 2;
+
+    if (end - (*p) < len) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("bad server key exchange message (psk_identity_hint length)"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    /*
+     * Note: we currently ignore the PKS identity hint, as we only allow one
+     * PSK to be provisionned on the client. This could be changed later if
+     * someone needs that feature.
+     */
+    *p += len;
+    ret = 0;
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+/*
+ * Generate a pre-master secret and encrypt it with the server's RSA key
+ */
+static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
+                                   size_t offset, size_t *olen,
+                                   size_t pms_offset) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
+    unsigned char *p = ssl->handshake->premaster + pms_offset;
+    mbedtls_pk_context *peer_pk;
+
+    if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
+        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+    }
+
+    /*
+     * Generate (part of) the pre-master as
+     *  struct {
+     *      ProtocolVersion client_version;
+     *      opaque random[46];
+     *  } PreMasterSecret;
+     */
+    mbedtls_ssl_write_version(ssl->conf->max_major_ver,
+                              ssl->conf->max_minor_ver,
+                              ssl->conf->transport, p);
+
+    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
+        return (ret);
+    }
+
+    ssl->handshake->pmslen = 48;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (ssl->session_negotiate->peer_cert == NULL) {
+        /* Should never happen */
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+    peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    /*
+     * Now write it out, encrypted
+     */
+    if (! mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
+        return (MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH);
+    }
+
+    if ((ret = mbedtls_pk_encrypt(peer_pk,
+                                  p, ssl->handshake->pmslen,
+                                  ssl->out_msg + offset + len_bytes, olen,
+                                  MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
+                                  ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (len_bytes == 2) {
+        ssl->out_msg[offset + 0] = (unsigned char)(*olen >> 8);
+        ssl->out_msg[offset + 1] = (unsigned char)(*olen);
+        *olen += 2;
+    }
+#endif
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* We don't need the peer's public key anymore. Free it. */
+    mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_signature_algorithm(mbedtls_ssl_context *ssl,
+                                         unsigned char **p,
+                                         unsigned char *end,
+                                         mbedtls_md_type_t *md_alg,
+                                         mbedtls_pk_type_t *pk_alg) {
+    ((void) ssl);
+    *md_alg = MBEDTLS_MD_NONE;
+    *pk_alg = MBEDTLS_PK_NONE;
+
+    /* Only in TLS 1.2 */
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
+        return (0);
+    }
+
+    if ((*p) + 2 > end)
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+
+    /*
+     * Get hash algorithm
+     */
+    if ((*md_alg = mbedtls_ssl_md_alg_from_hash((*p)[0]))
+            == MBEDTLS_MD_NONE) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("Server used unsupported HashAlgorithm %d", *(p)[0]));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    /*
+     * Get signature algorithm
+     */
+    if ((*pk_alg = mbedtls_ssl_pk_alg_from_sig((*p)[1]))
+            == MBEDTLS_PK_NONE) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("server used unsupported SignatureAlgorithm %d", (*p)[1]));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    /*
+     * Check if the hash is acceptable
+     */
+    if (mbedtls_ssl_check_sig_hash(ssl, *md_alg) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("server used HashAlgorithm %d that was not offered", *(p)[0]));
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("Server used SignatureAlgorithm %d",
+                              (*p)[1]));
+    MBEDTLS_SSL_DEBUG_MSG(2, ("Server used HashAlgorithm %d",
+                              (*p)[0]));
+    *p += 2;
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_ecp_keypair *peer_key;
+    mbedtls_pk_context *peer_pk;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (ssl->session_negotiate->peer_cert == NULL) {
+        /* Should never happen */
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+    peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    if (! mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
+        return (MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH);
+    }
+
+    peer_key = mbedtls_pk_ec(*peer_pk);
+
+    if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
+                                       MBEDTLS_ECDH_THEIRS)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
+        return (ret);
+    }
+
+    if (ssl_check_server_ecdh_params(ssl) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+    }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* We don't need the peer's public key anymore. Free it,
+     * so that more RAM is available for upcoming expensive
+     * operations like ECDHE. */
+    mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    unsigned char *p = NULL, *end = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
+        ssl->state++;
+        return (0);
+    }
+    ((void) p);
+    ((void) end);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+        if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (ret);
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
+        ssl->state++;
+        return (0);
+    }
+    ((void) p);
+    ((void) end);
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled &&
+            ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
+        goto start_processing;
+    }
+#endif
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    /*
+     * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
+     * doesn't use a psk_identity_hint
+     */
+    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
+        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+            /* Current message is probably either
+             * CertificateRequest or ServerHelloDone */
+            ssl->keep_current_message = 1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(1,
+                              ("server key exchange message must not be skipped"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
+
+start_processing:
+#endif
+    p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+    end = ssl->in_msg + ssl->in_hslen;
+    MBEDTLS_SSL_DEBUG_BUF(3,   "server key exchange", p, end - p);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+        if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+        }
+    } /* FALLTROUGH */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK)
+        ; /* nothing more to do */
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+            if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+            }
+        } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) &&                           \
+        ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||     \
+          defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
+            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+                    ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
+                if (ssl_parse_server_ecdh_params_psa(ssl, &p, end) != 0) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+                    mbedtls_ssl_send_alert_message(
+                        ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                    return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+                }
+            } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+            ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+              MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+                if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+                        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+                        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
+                    if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+                        mbedtls_ssl_send_alert_message(
+                            ssl,
+                            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+                    }
+                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+                    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+                        ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
+                                                             p, end - p);
+                        if (ret != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
+                            mbedtls_ssl_send_alert_message(
+                                ssl,
+                                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+                        }
+                    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+    if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
+        size_t sig_len, hashlen;
+        unsigned char hash[64];
+        mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+        mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+        unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+        size_t params_len = p - params;
+        void *rs_ctx = NULL;
+
+        mbedtls_pk_context *peer_pk;
+
+        /*
+         * Handle the digitally-signed structure
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+            if (ssl_parse_signature_algorithm(ssl, &p, end,
+                                              &md_alg, &pk_alg) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1,
+                                      ("bad server key exchange message"));
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+            }
+
+            if (pk_alg !=
+                    mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info)) {
+                MBEDTLS_SSL_DEBUG_MSG(1,
+                                      ("bad server key exchange message"));
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+                return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+            }
+        } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+            if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
+                pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
+
+                /* Default hash for ECDSA is SHA-1 */
+                if (pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE)
+                    md_alg = MBEDTLS_MD_SHA1;
+            } else
+#endif
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+        /*
+         * Read signature
+         */
+
+        if (p > end - 2) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+        }
+        sig_len = (p[0] << 8) | p[1];
+        p += 2;
+
+        if (p != end - sig_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
+
+        /*
+         * Compute the hash that has been signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if (md_alg == MBEDTLS_MD_NONE) {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash, params,
+                                                          params_len);
+            if (ret != 0)
+                return (ret);
+        } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (md_alg != MBEDTLS_MD_NONE) {
+                ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
+                                                             params, params_len,
+                                                             md_alg);
+                if (ret != 0)
+                    return (ret);
+            } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+        if (ssl->session_negotiate->peer_cert == NULL) {
+            /* Should never happen */
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+        peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+        /*
+         * Verify signature
+         */
+        if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH);
+        }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+        if (ssl->handshake->ecrs_enabled)
+            rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+        if ((ret = mbedtls_pk_verify_restartable(peer_pk,
+                                                 md_alg, hash, hashlen, p, sig_len, rs_ctx)) != 0) {
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+            if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS)
+#endif
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+            if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return (ret);
+        }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        /* We don't need the peer's public key anymore. Free it,
+         * so that more RAM is available for upcoming expensive
+         * operations like ECDHE. */
+        mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+exit:
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
+
+    return (0);
+}
+
+#if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
+
+    if (! mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *buf;
+    size_t n = 0;
+    size_t cert_type_len = 0, dn_len = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
+
+    if (! mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
+        ssl->state++;
+        return (0);
+    }
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    ssl->state++;
+    ssl->client_auth = (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
+                              ssl->client_auth ? "a" : "no"));
+
+    if (ssl->client_auth == 0) {
+        /* Current message is probably the ServerHelloDone */
+        ssl->keep_current_message = 1;
+        goto exit;
+    }
+
+    /*
+     *  struct {
+     *      ClientCertificateType certificate_types<1..2^8-1>;
+     *      SignatureAndHashAlgorithm
+     *        supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
+     *      DistinguishedName certificate_authorities<0..2^16-1>;
+     *  } CertificateRequest;
+     *
+     *  Since we only support a single certificate on clients, let's just
+     *  ignore all the information that's supposed to help us pick a
+     *  certificate.
+     *
+     *  We could check that our certificate matches the request, and bail out
+     *  if it doesn't, but it's simpler to just send the certificate anyway,
+     *  and give the server the opportunity to decide if it should terminate
+     *  the connection when it doesn't like our certificate.
+     *
+     *  Same goes for the hash in TLS 1.2's signature_algorithms: at this
+     *  point we only have one hash available (see comments in
+     *  write_certificate_verify), so let's just use what we have.
+     *
+     *  However, we still minimally parse the message to check it is at least
+     *  superficially sane.
+     */
+    buf = ssl->in_msg;
+
+    /* certificate_types */
+    if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST);
+    }
+    cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
+    n = cert_type_len;
+
+    /*
+     * In the subsequent code there are two paths that read from buf:
+     *     * the length of the signature algorithms field (if minor version of
+     *       SSL is 3),
+     *     * distinguished name length otherwise.
+     * Both reach at most the index:
+     *    ...hdr_len + 2 + n,
+     * therefore the buffer length at this point must be greater than that
+     * regardless of the actual code path.
+     */
+    if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST);
+    }
+
+    /* supported_signature_algorithms */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        size_t sig_alg_len =
+            ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] <<  8)
+             | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
+#if defined(MBEDTLS_DEBUG_C)
+        unsigned char *sig_alg;
+        size_t i;
+#endif
+
+        /*
+         * The furthest access in buf is in the loop few lines below:
+         *     sig_alg[i + 1],
+         * where:
+         *     sig_alg = buf + ...hdr_len + 3 + n,
+         *     max(i) = sig_alg_len - 1.
+         * Therefore the furthest access is:
+         *     buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
+         * which reduces to:
+         *     buf[...hdr_len + 3 + n + sig_alg_len],
+         * which is one less than we need the buf to be.
+         */
+        if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)
+                + 3 + n + sig_alg_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST);
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
+        for (i = 0; i < sig_alg_len; i += 2) {
+            MBEDTLS_SSL_DEBUG_MSG(3,
+                                  ("Supported Signature Algorithm found: %d,%d",
+                                   sig_alg[i], sig_alg[i + 1]));
+        }
+#endif
+
+        n += 2 + sig_alg_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /* certificate_authorities */
+    dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] <<  8)
+              | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
+
+    n += dn_len;
+    if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST);
+    }
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    if (ssl->in_hslen  != mbedtls_ssl_hs_hdr_len(ssl) ||
+            ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE);
+    }
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_recv_flight_completed(ssl);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
+
+    return (0);
+}
+
+static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    size_t header_len;
+    size_t content_len;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
+        /*
+         * DHM key exchange -- send G^X mod P
+         */
+        content_len = ssl->handshake->dhm_ctx.len;
+
+        ssl->out_msg[4] = (unsigned char)(content_len >> 8);
+        ssl->out_msg[5] = (unsigned char)(content_len);
+        header_len = 6;
+
+        ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
+                                      (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
+                                      &ssl->out_msg[header_len], content_len,
+                                      ssl->conf->f_rng, ssl->conf->p_rng);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
+            return (ret);
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
+
+        if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+                                           ssl->handshake->premaster,
+                                           MBEDTLS_PREMASTER_SIZE,
+                                           &ssl->handshake->pmslen,
+                                           ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+            return (ret);
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) &&                           \
+        ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||     \
+          defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
+        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
+            psa_status_t status;
+            psa_key_attributes_t key_attributes;
+
+            mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+            unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+            size_t own_pubkey_len;
+            unsigned char *own_pubkey_ecpoint;
+            size_t own_pubkey_ecpoint_len;
+
+            header_len = 4;
+
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
+
+            /*
+             * Generate EC private key for ECDHE exchange.
+             */
+
+            /* The master secret is obtained from the shared ECDH secret by
+             * applying the TLS 1.2 PRF with a specific salt and label. While
+             * the PSA Crypto API encourages combining key agreement schemes
+             * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
+             * yet support the provisioning of salt + label to the KDF.
+             * For the time being, we therefore need to split the computation
+             * of the ECDH secret and the application of the TLS 1.2 PRF. */
+            key_attributes = psa_key_attributes_init();
+            psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+            psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+            psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
+            psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
+
+            /* Generate ECDH private key. */
+            status = psa_generate_key(&key_attributes,
+                                      &handshake->ecdh_psa_privkey);
+            if (status != PSA_SUCCESS)
+                return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+
+            /* Export the public part of the ECDH private key from PSA
+             * and convert it to ECPoint format used in ClientKeyExchange. */
+            status = psa_export_public_key(handshake->ecdh_psa_privkey,
+                                           own_pubkey, sizeof(own_pubkey),
+                                           &own_pubkey_len);
+            if (status != PSA_SUCCESS)
+                return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+
+            if (mbedtls_psa_tls_psa_ec_to_ecpoint(own_pubkey,
+                                                  own_pubkey_len,
+                                                  &own_pubkey_ecpoint,
+                                                  &own_pubkey_ecpoint_len) != 0) {
+                return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+            }
+
+            /* Copy ECPoint structure to outgoing message buffer. */
+            ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
+            memcpy(ssl->out_msg + header_len + 1,
+                   own_pubkey_ecpoint, own_pubkey_ecpoint_len);
+            content_len = own_pubkey_ecpoint_len + 1;
+
+            /* The ECDH secret is the premaster secret used for key derivation. */
+
+            /* Compute ECDH shared secret. */
+            status = psa_raw_key_agreement(PSA_ALG_ECDH,
+                                           handshake->ecdh_psa_privkey,
+                                           handshake->ecdh_psa_peerkey,
+                                           handshake->ecdh_psa_peerkey_len,
+                                           ssl->handshake->premaster,
+                                           sizeof(ssl->handshake->premaster),
+                                           &ssl->handshake->pmslen);
+            if (status != PSA_SUCCESS)
+                return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+
+            status = psa_destroy_key(handshake->ecdh_psa_privkey);
+            if (status != PSA_SUCCESS)
+                return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+        } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+            ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+              MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+                    ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+                    ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+                    ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+                /*
+                 * ECDH key exchange -- send client public value
+                 */
+                header_len = 4;
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+                if (ssl->handshake->ecrs_enabled) {
+                    if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret)
+                        goto ecdh_calc_secret;
+
+                    mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
+                }
+#endif
+
+                ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
+                                               &content_len,
+                                               &ssl->out_msg[header_len], 1000,
+                                               ssl->conf->f_rng, ssl->conf->p_rng);
+                if (ret != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+                    if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+                        ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+                    return (ret);
+                }
+
+                MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                       MBEDTLS_DEBUG_ECDH_Q);
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+                if (ssl->handshake->ecrs_enabled) {
+                    ssl->handshake->ecrs_n = content_len;
+                    ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
+                }
+
+ecdh_calc_secret:
+                if (ssl->handshake->ecrs_enabled)
+                    content_len = ssl->handshake->ecrs_n;
+#endif
+                if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
+                                                    &ssl->handshake->pmslen,
+                                                    ssl->handshake->premaster,
+                                                    MBEDTLS_MPI_MAX_SIZE,
+                                                    ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+                    if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+                        ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+                    return (ret);
+                }
+
+                MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                       MBEDTLS_DEBUG_ECDH_Z);
+            } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+                if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
+                    /*
+                     * opaque psk_identity<0..2^16-1>;
+                     */
+                    if (ssl_conf_has_static_psk(ssl->conf) == 0) {
+                        /* We don't offer PSK suites if we don't have a PSK,
+                         * and we check that the server's choice is among the
+                         * ciphersuites we offered, so this should never happen. */
+                        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                    }
+
+                    header_len = 4;
+                    content_len = ssl->conf->psk_identity_len;
+
+                    if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+                        MBEDTLS_SSL_DEBUG_MSG(1,
+                                              ("psk identity too long or SSL buffer too short"));
+                        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                    }
+
+                    ssl->out_msg[header_len++] = (unsigned char)(content_len >> 8);
+                    ssl->out_msg[header_len++] = (unsigned char)(content_len);
+
+                    memcpy(ssl->out_msg + header_len,
+                           ssl->conf->psk_identity,
+                           ssl->conf->psk_identity_len);
+                    header_len += ssl->conf->psk_identity_len;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+                    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
+                        content_len = 0;
+                    } else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+                        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                            /* Opaque PSKs are currently only supported for PSK-only suites. */
+                            if (ssl_conf_has_static_raw_psk(ssl->conf) == 0)
+                                return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+                            if ((ret = ssl_write_encrypted_pms(ssl, header_len,
+                                                               &content_len, 2)) != 0)
+                                return (ret);
+                        } else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+                            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                                /* Opaque PSKs are currently only supported for PSK-only suites. */
+                                if (ssl_conf_has_static_raw_psk(ssl->conf) == 0)
+                                    return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+                                /*
+                                 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
+                                 */
+                                content_len = ssl->handshake->dhm_ctx.len;
+
+                                if (header_len + 2 + content_len >
+                                        MBEDTLS_SSL_OUT_CONTENT_LEN) {
+                                    MBEDTLS_SSL_DEBUG_MSG(1,
+                                                          ("psk identity or DHM size too long or SSL buffer too short"));
+                                    return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                                }
+
+                                ssl->out_msg[header_len++] = (unsigned char)(content_len >> 8);
+                                ssl->out_msg[header_len++] = (unsigned char)(content_len);
+
+                                ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
+                                                              (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
+                                                              &ssl->out_msg[header_len], content_len,
+                                                              ssl->conf->f_rng, ssl->conf->p_rng);
+                                if (ret != 0) {
+                                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
+                                    return (ret);
+                                }
+                            } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+                                if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                                    /* Opaque PSKs are currently only supported for PSK-only suites. */
+                                    if (ssl_conf_has_static_raw_psk(ssl->conf) == 0)
+                                        return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+                                    /*
+                                     * ClientECDiffieHellmanPublic public;
+                                     */
+                                    ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
+                                                                   &content_len,
+                                                                   &ssl->out_msg[header_len],
+                                                                   MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
+                                                                   ssl->conf->f_rng, ssl->conf->p_rng);
+                                    if (ret != 0) {
+                                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
+                                        return (ret);
+                                    }
+
+                                    MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                                           MBEDTLS_DEBUG_ECDH_Q);
+                                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+                                {
+                                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                                }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) &&          \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+                    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
+                            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+                            ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
+                        MBEDTLS_SSL_DEBUG_MSG(1,
+                                              ("skip PMS generation for opaque PSK"));
+                    } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+          MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+                        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+                                                                    ciphersuite_info->key_exchange)) != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1,
+                                                  "mbedtls_ssl_psk_derive_premaster", ret);
+                            return (ret);
+                        }
+                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+                    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+                        header_len = 4;
+                        if ((ret = ssl_write_encrypted_pms(ssl, header_len,
+                                                           &content_len, 0)) != 0)
+                            return (ret);
+                    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+                        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+                            header_len = 4;
+
+                            ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
+                                                                  ssl->out_msg + header_len,
+                                                                  MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
+                                                                  &content_len,
+                                                                  ssl->conf->f_rng, ssl->conf->p_rng);
+                            if (ret != 0) {
+                                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
+                                return (ret);
+                            }
+
+                            ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
+                                                                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                                                                ssl->conf->f_rng, ssl->conf->p_rng);
+                            if (ret != 0) {
+                                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
+                                return (ret);
+                            }
+                        } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+                        {
+                            ((void) ciphersuite_info);
+                            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                        }
+
+    ssl->out_msglen  = header_len + content_len;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
+
+    if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+        return (ret);
+    }
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    size_t n = 0, offset = 0;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+    size_t hashlen;
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled &&
+            ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
+        goto sign;
+    }
+#endif
+
+    if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+        return (ret);
+    }
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+
+    if (ssl->client_auth == 0 || mbedtls_ssl_own_cert(ssl) == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+
+    if (mbedtls_ssl_own_key(ssl) == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
+        return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
+    }
+
+    /*
+     * Make a signature of the handshake digests
+     */
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
+
+sign:
+#endif
+
+    ssl->handshake->calc_verify(ssl, hash, &hashlen);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
+        /*
+         * digitally-signed struct {
+         *     opaque md5_hash[16];
+         *     opaque sha_hash[20];
+         * };
+         *
+         * md5_hash
+         *     MD5(handshake_messages);
+         *
+         * sha_hash
+         *     SHA(handshake_messages);
+         */
+        md_alg = MBEDTLS_MD_NONE;
+
+        /*
+         * For ECDSA, default hash is SHA-1 only
+         */
+        if (mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECDSA)) {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+            /*
+             * digitally-signed struct {
+             *     opaque handshake_messages[handshake_messages_length];
+             * };
+             *
+             * Taking shortcut here. We assume that the server always allows the
+             * PRF Hash function and has sent it in the allowed signature
+             * algorithms list received in the Certificate Request message.
+             *
+             * Until we encounter a server that does not, we will take this
+             * shortcut.
+             *
+             * Reason: Otherwise we should have running hashes for SHA512 and
+             *         SHA224 in order to satisfy 'weird' needs from the server
+             *         side.
+             */
+            if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
+                md_alg = MBEDTLS_MD_SHA384;
+                ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
+            } else {
+                md_alg = MBEDTLS_MD_SHA256;
+                ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
+            }
+            ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
+
+            /* Info from md_alg will be used instead */
+            hashlen = 0;
+            offset = 2;
+        } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+    if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
+                                           md_alg, hash_start, hashlen,
+                                           ssl->out_msg + 6 + offset, &n,
+                                           ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+        if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return (ret);
+    }
+
+    ssl->out_msg[4 + offset] = (unsigned char)(n >> 8);
+    ssl->out_msg[5 + offset] = (unsigned char)(n);
+
+    ssl->out_msglen  = 6 + n + offset;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
+
+    ssl->state++;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    uint32_t lifetime;
+    size_t ticket_len;
+    unsigned char *ticket;
+    const unsigned char *msg;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 0  .  3   ticket_lifetime_hint
+     * 4  .  5   ticket_len (n)
+     * 6  .  5+n ticket content
+     */
+    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
+            ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET);
+    }
+
+    msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+
+    lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
+               (msg[2] << 8) | (msg[3]);
+
+    ticket_len = (msg[4] << 8) | (msg[5]);
+
+    if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
+
+    /* We're not waiting for a NewSessionTicket message any more */
+    ssl->handshake->new_session_ticket = 0;
+    ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+    /*
+     * Zero-length ticket means the server changed his mind and doesn't want
+     * to send a ticket after all, so just forget it
+     */
+    if (ticket_len == 0)
+        return (0);
+
+    if (ssl->session != NULL && ssl->session->ticket != NULL) {
+        mbedtls_platform_zeroize(ssl->session->ticket,
+                                 ssl->session->ticket_len);
+        mbedtls_free(ssl->session->ticket);
+        ssl->session->ticket = NULL;
+        ssl->session->ticket_len = 0;
+    }
+
+    mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
+                             ssl->session_negotiate->ticket_len);
+    mbedtls_free(ssl->session_negotiate->ticket);
+    ssl->session_negotiate->ticket = NULL;
+    ssl->session_negotiate->ticket_len = 0;
+
+    if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    memcpy(ticket, msg + 6, ticket_len);
+
+    ssl->session_negotiate->ticket = ticket;
+    ssl->session_negotiate->ticket_len = ticket_len;
+    ssl->session_negotiate->ticket_lifetime = lifetime;
+
+    /*
+     * RFC 5077 section 3.4:
+     * "If the client receives a session ticket from the server, then it
+     * discards any Session ID that was sent in the ServerHello."
+     */
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
+    ssl->session_negotiate->id_len = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- client side -- single step
+ */
+int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+
+    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %d", ssl->state));
+
+    if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+        return (ret);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+        if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0)
+            return (ret);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
+     * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
+            ssl->handshake->new_session_ticket != 0) {
+        ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
+    }
+#endif
+
+    switch (ssl->state) {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+        /*
+         *  ==>   ClientHello
+         */
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            ret = ssl_write_client_hello(ssl);
+            break;
+
+        /*
+         *  <==   ServerHello
+         *        Certificate
+         *      ( ServerKeyExchange  )
+         *      ( CertificateRequest )
+         *        ServerHelloDone
+         */
+        case MBEDTLS_SSL_SERVER_HELLO:
+            ret = ssl_parse_server_hello(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            ret = mbedtls_ssl_parse_certificate(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            ret = ssl_parse_server_key_exchange(ssl);
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+            ret = ssl_parse_certificate_request(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            ret = ssl_parse_server_hello_done(ssl);
+            break;
+
+        /*
+         *  ==> ( Certificate/Alert  )
+         *        ClientKeyExchange
+         *      ( CertificateVerify  )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            ret = mbedtls_ssl_write_certificate(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            ret = ssl_write_client_key_exchange(ssl);
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+            ret = ssl_write_certificate_verify(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_write_change_cipher_spec(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            ret = mbedtls_ssl_write_finished(ssl);
+            break;
+
+            /*
+             *  <==   ( NewSessionTicket )
+             *        ChangeCipherSpec
+             *        Finished
+             */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
+            ret = ssl_parse_new_session_ticket(ssl);
+            break;
+#endif
+
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            ret = mbedtls_ssl_parse_finished(ssl);
+            break;
+
+        case MBEDTLS_SSL_FLUSH_BUFFERS:
+            MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+            break;
+
+        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+            mbedtls_ssl_handshake_wrapup(ssl);
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/common/mbedtls/ssl_cookie.c b/common/mbedtls/ssl_cookie.c
new file mode 100644
index 000000000..98b180e0d
--- /dev/null
+++ b/common/mbedtls/ssl_cookie.c
@@ -0,0 +1,241 @@
+/*
+ *  DTLS cookie callbacks implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
+ * available. Try SHA-256 first, 512 wastes resources since we need to stay
+ * with max 32 bytes of cookie for DTLS 1.0
+ */
+#if defined(MBEDTLS_SHA256_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA224
+#define COOKIE_MD_OUTLEN    32
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA512_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA384
+#define COOKIE_MD_OUTLEN    48
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA1_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA1
+#define COOKIE_MD_OUTLEN    20
+#define COOKIE_HMAC_LEN     20
+#else
+#error "DTLS hello verify needs SHA-1 or SHA-2"
+#endif
+
+/*
+ * Cookies are formed of a 4-bytes timestamp (or serial number) and
+ * an HMAC of timestemp and client ID.
+ */
+#define COOKIE_LEN      ( 4 + COOKIE_HMAC_LEN )
+
+void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx) {
+    mbedtls_md_init(&ctx->hmac_ctx);
+#if !defined(MBEDTLS_HAVE_TIME)
+    ctx->serial = 0;
+#endif
+    ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&ctx->mutex);
+#endif
+}
+
+void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay) {
+    ctx->timeout = delay;
+}
+
+void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx) {
+    mbedtls_md_free(&ctx->hmac_ctx);
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free(&ctx->mutex);
+#endif
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
+}
+
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char key[COOKIE_MD_OUTLEN];
+
+    if ((ret = f_rng(p_rng, key, sizeof(key))) != 0)
+        return (ret);
+
+    ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
+    if (ret != 0)
+        return (ret);
+
+    mbedtls_platform_zeroize(key, sizeof(key));
+
+    return (0);
+}
+
+/*
+ * Generate the HMAC part of a cookie
+ */
+static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
+                           const unsigned char time[4],
+                           unsigned char **p, unsigned char *end,
+                           const unsigned char *cli_id, size_t cli_id_len) {
+    unsigned char hmac_out[COOKIE_MD_OUTLEN];
+
+    MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
+
+    if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
+            mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
+            mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
+            mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
+    *p += COOKIE_HMAC_LEN;
+
+    return (0);
+}
+
+/*
+ * Generate cookie for DTLS ClientHello verification
+ */
+int mbedtls_ssl_cookie_write(void *p_ctx,
+                             unsigned char **p, unsigned char *end,
+                             const unsigned char *cli_id, size_t cli_id_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long t;
+
+    if (ctx == NULL || cli_id == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_LEN);
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = (unsigned long) mbedtls_time(NULL);
+#else
+    t = ctx->serial++;
+#endif
+
+    (*p)[0] = (unsigned char)(t >> 24);
+    (*p)[1] = (unsigned char)(t >> 16);
+    (*p)[2] = (unsigned char)(t >>  8);
+    (*p)[3] = (unsigned char)(t);
+    *p += 4;
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret);
+#endif
+
+    ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
+                          p, end, cli_id, cli_id_len);
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&ctx->mutex) != 0)
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+#endif
+
+    return (ret);
+}
+
+/*
+ * Check a cookie
+ */
+int mbedtls_ssl_cookie_check(void *p_ctx,
+                             const unsigned char *cookie, size_t cookie_len,
+                             const unsigned char *cli_id, size_t cli_id_len) {
+    unsigned char ref_hmac[COOKIE_HMAC_LEN];
+    int ret = 0;
+    unsigned char *p = ref_hmac;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long cur_time, cookie_time;
+
+    if (ctx == NULL || cli_id == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (cookie_len != COOKIE_LEN)
+        return (-1);
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret);
+#endif
+
+    if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
+                        &p, p + sizeof(ref_hmac),
+                        cli_id, cli_id_len) != 0)
+        ret = -1;
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&ctx->mutex) != 0)
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+#endif
+
+    if (ret != 0)
+        return (ret);
+
+    if (mbedtls_ssl_safer_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0)
+        return (-1);
+
+#if defined(MBEDTLS_HAVE_TIME)
+    cur_time = (unsigned long) mbedtls_time(NULL);
+#else
+    cur_time = ctx->serial;
+#endif
+
+    cookie_time = ((unsigned long) cookie[0] << 24) |
+                  ((unsigned long) cookie[1] << 16) |
+                  ((unsigned long) cookie[2] <<  8) |
+                  ((unsigned long) cookie[3]);
+
+    if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout)
+        return (-1);
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/common/mbedtls/ssl_cookie.h b/common/mbedtls/ssl_cookie.h
new file mode 100644
index 000000000..b2e9f0afa
--- /dev/null
+++ b/common/mbedtls/ssl_cookie.h
@@ -0,0 +1,112 @@
+/**
+ * \file ssl_cookie.h
+ *
+ * \brief DTLS cookie callbacks implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_COOKIE_H
+#define MBEDTLS_SSL_COOKIE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+#ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
+#define MBEDTLS_SSL_COOKIE_TIMEOUT     60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Context for the default cookie functions.
+ */
+typedef struct mbedtls_ssl_cookie_ctx {
+    mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
+#if !defined(MBEDTLS_HAVE_TIME)
+    unsigned long   serial;     /*!< serial number for expiration   */
+#endif
+    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
+                                     or in number of tickets issued */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_ssl_cookie_ctx;
+
+/**
+ * \brief          Initialize cookie context
+ */
+void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx);
+
+/**
+ * \brief          Setup cookie context (generate keys)
+ */
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng);
+
+/**
+ * \brief          Set expiration delay for cookies
+ *                 (Default MBEDTLS_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx      Cookie contex
+ * \param delay    Delay, in seconds if HAVE_TIME, or in number of cookies
+ *                 issued in the meantime.
+ *                 0 to disable expiration (NOT recommended)
+ */
+void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay);
+
+/**
+ * \brief          Free cookie context
+ */
+void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx);
+
+/**
+ * \brief          Generate cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_write_t mbedtls_ssl_cookie_write;
+
+/**
+ * \brief          Verify cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_check_t mbedtls_ssl_cookie_check;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cookie.h */
diff --git a/common/mbedtls/ssl_internal.h b/common/mbedtls/ssl_internal.h
new file mode 100644
index 000000000..6e95605e3
--- /dev/null
+++ b/common/mbedtls/ssl_internal.h
@@ -0,0 +1,1278 @@
+/**
+ * \file ssl_internal.h
+ *
+ * \brief Internal functions shared by the SSL modules
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_INTERNAL_H
+#define MBEDTLS_SSL_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#include "mbedtls/ecjpake.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Determine minimum supported version */
+#define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
+/* Determine maximum supported version */
+#define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+    defined(MBEDTLS_SSL_CLI_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
+#endif
+
+#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
+#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
+#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
+#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
+
+/*
+ * DTLS retransmission states, see RFC 6347 4.2.4
+ *
+ * The SENDING state is merged in PREPARING for initial sends,
+ * but is distinct for resends.
+ *
+ * Note: initial state is wrong for server, but is not used anyway.
+ */
+#define MBEDTLS_SSL_RETRANS_PREPARING       0
+#define MBEDTLS_SSL_RETRANS_SENDING         1
+#define MBEDTLS_SSL_RETRANS_WAITING         2
+#define MBEDTLS_SSL_RETRANS_FINISHED        3
+
+/*
+ * Allow extra bytes for record, authentication and encryption overhead:
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
+ * and allow for a maximum of 1024 of compression expansion if
+ * enabled.
+ */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+#define MBEDTLS_SSL_COMPRESSION_ADD          1024
+#else
+#define MBEDTLS_SSL_COMPRESSION_ADD             0
+#endif
+
+/* This macro determines whether CBC is supported. */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
+    ( defined(MBEDTLS_AES_C)      ||                                  \
+      defined(MBEDTLS_CAMELLIA_C) ||                                  \
+      defined(MBEDTLS_ARIA_C)     ||                                  \
+      defined(MBEDTLS_DES_C) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
+/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
+ * opposed to the very different CBC construct used in SSLv3) is supported. */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+    ( defined(MBEDTLS_SSL_PROTO_TLS1) ||        \
+      defined(MBEDTLS_SSL_PROTO_TLS1_1) ||      \
+      defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||   \
+    defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+#define MBEDTLS_SSL_SOME_MODES_USE_MAC
+#endif
+
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+/* Ciphersuites using HMAC */
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
+#elif defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
+#else
+#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
+#endif
+#else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
+#define MBEDTLS_SSL_MAC_ADD                 16
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_SSL_PADDING_ADD            256
+#else
+#define MBEDTLS_SSL_PADDING_ADD              0
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_PADDING_GRANULARITY
+#else
+#define MBEDTLS_SSL_MAX_CID_EXPANSION        0
+#endif
+
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
+                                       MBEDTLS_MAX_IV_LENGTH +          \
+                                       MBEDTLS_SSL_MAC_ADD +            \
+                                       MBEDTLS_SSL_PADDING_ADD +        \
+                                       MBEDTLS_SSL_MAX_CID_EXPANSION    \
+                                       )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                     ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                      ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
+/* Maximum length we can advertise as our max content length for
+   RFC 6066 max_fragment_length extension negotiation purposes
+   (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
+        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
+        ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
+        : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
+        )
+
+/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
+#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN  65534
+
+/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
+#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
+
+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error "Bad configuration - record content too large."
+#endif
+
+#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
+#endif
+
+/* Calculate buffer sizes */
+
+/* Note: Even though the TLS record header is only 5 bytes
+   long, we're internally using 8 bytes to store the
+   implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+#else
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
+      + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
+#endif
+
+#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+#else
+#define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN )    \
+      + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
+#endif
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) {
+#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    return mbedtls_ssl_get_output_max_frag_len(ctx)
+           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+           + MBEDTLS_SSL_CID_OUT_LEN_MAX;
+#else
+    return mbedtls_ssl_get_output_max_frag_len(ctx)
+           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
+#endif
+}
+
+static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) {
+#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    return mbedtls_ssl_get_input_max_frag_len(ctx)
+           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+           + MBEDTLS_SSL_CID_IN_LEN_MAX;
+#else
+    return mbedtls_ssl_get_input_max_frag_len(ctx)
+           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
+#endif
+}
+#endif
+
+#ifdef MBEDTLS_ZLIB_SUPPORT
+/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
+#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
+        ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
+        ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
+        : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
+        )
+#endif
+
+/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
+
+/**
+ * \brief        This function checks if the remaining size in a buffer is
+ *               greater or equal than a needed space.
+ *
+ * \param cur    Pointer to the current position in the buffer.
+ * \param end    Pointer to one past the end of the buffer.
+ * \param need   Needed space in bytes.
+ *
+ * \return       Zero if the needed space is available in the buffer, non-zero
+ *               otherwise.
+ */
+static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
+                                          const uint8_t *end, size_t need) {
+    return ((cur > end) || (need > (size_t)(end - cur)));
+}
+
+/**
+ * \brief        This macro checks if the remaining size in a buffer is
+ *               greater or equal than a needed space. If it is not the case,
+ *               it returns an SSL_BUFFER_TOO_SMALL error.
+ *
+ * \param cur    Pointer to the current position in the buffer.
+ * \param end    Pointer to one past the end of the buffer.
+ * \param need   Needed space in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need )                        \
+    do {                                                                 \
+        if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
+        {                                                                \
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );                  \
+        }                                                                \
+    } while( 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/*
+ * Abstraction for a grid of allowed signature-hash-algorithm pairs.
+ */
+struct mbedtls_ssl_sig_hash_set_t {
+    /* At the moment, we only need to remember a single suitable
+     * hash algorithm per signature algorithm. As long as that's
+     * the case - and we don't need a general lookup function -
+     * we can implement the sig-hash-set as a map from signatures
+     * to hash algorithms. */
+    mbedtls_md_type_t rsa;
+    mbedtls_md_type_t ecdsa;
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+typedef int  mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
+                                    const char *label,
+                                    const unsigned char *random, size_t rlen,
+                                    unsigned char *dstbuf, size_t dlen);
+
+/* cipher.h exports the maximum IV, key and block length from
+ * all ciphers enabled in the config, regardless of whether those
+ * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
+ * in the default configuration and uses 64 Byte keys, but it is
+ * not used for record protection in SSL/TLS.
+ *
+ * In order to prevent unnecessary inflation of key structures,
+ * we introduce SSL-specific variants of the max-{key,block,IV}
+ * macros here which are meant to only take those ciphers into
+ * account which can be negotiated in SSL/TLS.
+ *
+ * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
+ * in cipher.h are rough overapproximations of the real maxima, here
+ * we content ourselves with replicating those overapproximations
+ * for the maximum block and IV length, and excluding XTS from the
+ * computation of the maximum key length. */
+#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
+#define MBEDTLS_SSL_MAX_IV_LENGTH    16
+#define MBEDTLS_SSL_MAX_KEY_LENGTH   32
+
+/**
+ * \brief   The data structure holding the cryptographic material (key and IV)
+ *          used for record protection in TLS 1.3.
+ */
+struct mbedtls_ssl_key_set {
+    /*! The key for client->server records. */
+    unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
+    /*! The key for server->client records. */
+    unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
+    /*! The IV  for client->server records. */
+    unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
+    /*! The IV  for server->client records. */
+    unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
+
+    size_t key_len; /*!< The length of client_write_key and
+                     *   server_write_key, in Bytes. */
+    size_t iv_len;  /*!< The length of client_write_iv and
+                     *   server_write_iv, in Bytes. */
+};
+typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
+
+/*
+ * This structure contains the parameters only needed during handshake.
+ */
+struct mbedtls_ssl_handshake_params {
+    /*
+     * Handshake specific crypto variables
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
+#endif
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
+#endif
+    /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
+     * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
+     * in functionality that access to ecdh_ctx structure is needed for
+     * MBEDTLS_ECDSA_C which does not seem correct.
+     */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_key_type_t ecdh_psa_type;
+    uint16_t ecdh_bits;
+    psa_key_id_t ecdh_psa_privkey;
+    unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+    size_t ecdh_psa_peerkey_len;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
+#if defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
+    size_t ecjpake_cache_len;                   /*!< Length of cached data */
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_key_id_t psk_opaque;            /*!< Opaque PSK from the callback   */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    unsigned char *psk;                 /*!<  PSK from the callback         */
+    size_t psk_len;                     /*!<  Length of PSK from callback   */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    int sni_authmode;                   /*!< authmode from SNI callback     */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
+    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
+    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    int ecrs_enabled;                   /*!< Handshake supports EC restart? */
+    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
+    enum { /* this complements ssl->state with info on intra-state operations */
+        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
+        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
+        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
+        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
+        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
+    } ecrs_state;                       /*!< current (or last) operation    */
+    mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
+    size_t ecrs_n;                      /*!< place for saving a length      */
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
+    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
+
+    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
+                                              Srv: unused                    */
+    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
+                                              Srv: flag for sending a cookie */
+
+    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
+    unsigned char retransmit_state;     /*!<  Retransmission state           */
+    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
+    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
+    unsigned char *cur_msg_p;           /*!<  Position in current message    */
+    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
+                                              flight being received          */
+    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
+                                              resending messages             */
+    unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
+                                              for resending messages         */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /* The state of CID configuration in this handshake. */
+
+    uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
+                         *   has been negotiated. Possible values are
+                         *   #MBEDTLS_SSL_CID_ENABLED and
+                         *   #MBEDTLS_SSL_CID_DISABLED. */
+    unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
+    uint8_t peer_cid_len;                                  /*!< The length of
+                                                            *   \c peer_cid.  */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    struct {
+        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+                                      *   buffers used for message buffering. */
+
+        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
+                                         *   been seen in the current flight. */
+
+        struct mbedtls_ssl_hs_buffer {
+            unsigned is_valid      : 1;
+            unsigned is_fragmented : 1;
+            unsigned is_complete   : 1;
+            unsigned char *data;
+            size_t data_len;
+        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+        struct {
+            unsigned char *data;
+            size_t len;
+            unsigned epoch;
+        } future_record;
+
+    } buffering;
+
+    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Checksum contexts
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_context fin_md5;
+    mbedtls_sha1_context fin_sha1;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_operation_t fin_sha256_psa;
+#else
+    mbedtls_sha256_context fin_sha256;
+#endif
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_operation_t fin_sha384_psa;
+#else
+    mbedtls_sha512_context fin_sha512;
+#endif
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+    void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
+    void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+    mbedtls_ssl_tls_prf_cb *tls_prf;
+
+    mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
+
+    size_t pmslen;                      /*!<  premaster length        */
+
+    unsigned char randbytes[64];        /*!<  random bytes            */
+    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
+    /*!<  premaster secret        */
+
+    int resume;                         /*!<  session resume indicator*/
+    int max_major_ver;                  /*!< max. major version client*/
+    int max_minor_ver;                  /*!< max. minor version client*/
+    int cli_exts;                       /*!< client extension presence*/
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /** Asynchronous operation context. This field is meant for use by the
+     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+     * mbedtls_ssl_config::f_async_decrypt_start,
+     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+     * The library does not use it internally. */
+    void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+};
+
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
+/*
+ * Representation of decryption/encryption transformations on records
+ *
+ * There are the following general types of record transformations:
+ * - Stream transformations (TLS versions <= 1.2 only)
+ *   Transformation adding a MAC and applying a stream-cipher
+ *   to the authenticated message.
+ * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
+ *   In addition to the distinction of the order of encryption and
+ *   authentication, there's a fundamental difference between the
+ *   handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
+ *   and TLS 1.0, the final IV after processing a record is used
+ *   as the IV for the next record. No explicit IV is contained
+ *   in an encrypted record. The IV for the first record is extracted
+ *   at key extraction time. In contrast, for TLS 1.1 and 1.2, no
+ *   IV is generated at key extraction time, but every encrypted
+ *   record is explicitly prefixed by the IV with which it was encrypted.
+ * - AEAD transformations ([D]TLS versions >= 1.2 only)
+ *   These come in two fundamentally different versions, the first one
+ *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
+ *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
+ *   In the first transformation, the IV to be used for a record is obtained
+ *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
+ *   record sequence number, and explicitly prepending this sequence number
+ *   to the encrypted record. In contrast, in the second transformation
+ *   the IV is obtained by XOR'ing a static IV obtained at key extraction
+ *   time with the 8-byte record sequence number, without prepending the
+ *   latter to the encrypted record.
+ *
+ * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
+ * which allows to add flexible length padding and to hide a record's true
+ * content type.
+ *
+ * In addition to type and version, the following parameters are relevant:
+ * - The symmetric cipher algorithm to be used.
+ * - The (static) encryption/decryption keys for the cipher.
+ * - For stream/CBC, the type of message digest to be used.
+ * - For stream/CBC, (static) encryption/decryption keys for the digest.
+ * - For AEAD transformations, the size (potentially 0) of an explicit,
+ *   random initialization vector placed in encrypted records.
+ * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
+ *   an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
+ *   and (if present) is combined with the explicit IV in a transformation-
+ *   dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
+ * - For stream/CBC, a flag determining the order of encryption and MAC.
+ * - The details of the transformation depend on the SSL/TLS version.
+ * - The length of the authentication tag.
+ *
+ * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
+ *       constant across multiple encryption/decryption operations.
+ *       For CBC, the implicit IV needs to be updated after each
+ *       operation.
+ *
+ * The struct below refines this abstract view as follows:
+ * - The cipher underlying the transformation is managed in
+ *   cipher contexts cipher_ctx_{enc/dec}, which must have the
+ *   same cipher type. The mode of these cipher contexts determines
+ *   the type of the transformation in the sense above: e.g., if
+ *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
+ *   then the transformation has type CBC resp. AEAD.
+ * - The cipher keys are never stored explicitly but
+ *   are maintained within cipher_ctx_{enc/dec}.
+ * - For stream/CBC transformations, the message digest contexts
+ *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
+ *   are unused for AEAD transformations.
+ * - For stream/CBC transformations and versions > SSL3, the
+ *   MAC keys are not stored explicitly but maintained within
+ *   md_ctx_{enc/dec}.
+ * - For stream/CBC transformations and version SSL3, the MAC
+ *   keys are stored explicitly in mac_enc, mac_dec and have
+ *   a fixed size of 20 bytes. These fields are unused for
+ *   AEAD transformations or transformations >= TLS 1.0.
+ * - For transformations using an implicit IV maintained within
+ *   the transformation context, its contents are stored within
+ *   iv_{enc/dec}.
+ * - The value of ivlen indicates the length of the IV.
+ *   This is redundant in case of stream/CBC transformations
+ *   which always use 0 resp. the cipher's block length as the
+ *   IV length, but is needed for AEAD ciphers and may be
+ *   different from the underlying cipher's block length
+ *   in this case.
+ * - The field fixed_ivlen is nonzero for AEAD transformations only
+ *   and indicates the length of the static part of the IV which is
+ *   constant throughout the communication, and which is stored in
+ *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
+ *   Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
+ *   still store IV's for continued use across multiple transformations,
+ *   so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
+ *   not being used!
+ * - minor_ver denotes the SSL/TLS version
+ * - For stream/CBC transformations, maclen denotes the length of the
+ *   authentication tag, while taglen is unused and 0.
+ * - For AEAD transformations, taglen denotes the length of the
+ *   authentication tag, while maclen is unused and 0.
+ * - For CBC transformations, encrypt_then_mac determines the
+ *   order of encryption and authentication. This field is unused
+ *   in other transformations.
+ *
+ */
+struct mbedtls_ssl_transform {
+    /*
+     * Session specific crypto layer
+     */
+    size_t minlen;                      /*!<  min. ciphertext length  */
+    size_t ivlen;                       /*!<  IV length               */
+    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
+    size_t maclen;                      /*!<  MAC(CBC) len            */
+    size_t taglen;                      /*!<  TAG(AEAD) len           */
+
+    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
+    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
+
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /* Needed only for SSL v3.0 secret */
+    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
+    unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
+    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
+
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+
+    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
+    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
+    int minor_ver;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    uint8_t in_cid_len;
+    uint8_t out_cid_len;
+    unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    /*
+     * Session specific compression layer
+     */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    z_stream ctx_deflate;               /*!<  compression context     */
+    z_stream ctx_inflate;               /*!<  decompression context   */
+#endif
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+    /* We need the Hello random bytes in order to re-derive keys from the
+     * Master Secret and other session info, see ssl_populate_transform() */
+    unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+};
+
+/*
+ * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
+ * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
+ */
+static inline int mbedtls_ssl_transform_uses_aead(
+    const mbedtls_ssl_transform *transform) {
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    return (transform->maclen == 0 && transform->taglen != 0);
+#else
+    (void) transform;
+    return (1);
+#endif
+}
+
+/*
+ * Internal representation of record frames
+ *
+ * Instances come in two flavors:
+ * (1) Encrypted
+ *     These always have data_offset = 0
+ * (2) Unencrypted
+ *     These have data_offset set to the amount of
+ *     pre-expansion during record protection. Concretely,
+ *     this is the length of the fixed part of the explicit IV
+ *     used for encryption, or 0 if no explicit IV is used
+ *     (e.g. for CBC in TLS 1.0, or stream ciphers).
+ *
+ * The reason for the data_offset in the unencrypted case
+ * is to allow for in-place conversion of an unencrypted to
+ * an encrypted record. If the offset wasn't included, the
+ * encrypted content would need to be shifted afterwards to
+ * make space for the fixed IV.
+ *
+ */
+#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
+#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
+#else
+#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
+#endif
+
+typedef struct {
+    uint8_t ctr[8];         /* In TLS:  The implicit record sequence number.
+                             * In DTLS: The 2-byte epoch followed by
+                             *          the 6-byte sequence number.
+                             * This is stored as a raw big endian byte array
+                             * as opposed to a uint64_t because we rarely
+                             * need to perform arithmetic on this, but do
+                             * need it as a Byte array for the purpose of
+                             * MAC computations.                             */
+    uint8_t type;           /* The record content type.                      */
+    uint8_t ver[2];         /* SSL/TLS version as present on the wire.
+                             * Convert to internal presentation of versions
+                             * using mbedtls_ssl_read_version() and
+                             * mbedtls_ssl_write_version().
+                             * Keep wire-format for MAC computations.        */
+
+    unsigned char *buf;     /* Memory buffer enclosing the record content    */
+    size_t buf_len;         /* Buffer length                                 */
+    size_t data_offset;     /* Offset of record content                      */
+    size_t data_len;        /* Length of record content                      */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    uint8_t cid_len;        /* Length of the CID (0 if not present)          */
+    unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID                 */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+} mbedtls_record;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * List of certificate + private key pairs
+ */
+struct mbedtls_ssl_key_cert {
+    mbedtls_x509_crt *cert;                 /*!< cert                       */
+    mbedtls_pk_context *key;                /*!< private key                */
+    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * List of handshake messages kept around for resending
+ */
+struct mbedtls_ssl_flight_item {
+    unsigned char *p;       /*!< message, including handshake headers   */
+    size_t len;             /*!< length of p                            */
+    unsigned char type;     /*!< type of the message: handshake or CCS  */
+    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
+};
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set,
+                                                mbedtls_pk_type_t sig_alg);
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set,
+                                  mbedtls_pk_type_t sig_alg,
+                                  mbedtls_md_type_t md_alg);
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set,
+                                         mbedtls_md_type_t md_alg);
+
+/* Setup an empty signature-hash set */
+static inline void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set) {
+    mbedtls_ssl_sig_hash_set_const_hash(set, MBEDTLS_MD_NONE);
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+/**
+ * \brief           Free referenced items in an SSL transform context and clear
+ *                  memory
+ *
+ * \param transform SSL transform context
+ */
+void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
+
+/**
+ * \brief           Free referenced items in an SSL handshake context and clear
+ *                  memory
+ *
+ * \param ssl       SSL context
+ */
+void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
+
+void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief       Update record layer
+ *
+ *              This function roughly separates the implementation
+ *              of the logic of (D)TLS from the implementation
+ *              of the secure transport.
+ *
+ * \param  ssl              The SSL context to use.
+ * \param  update_hs_digest This indicates if the handshake digest
+ *                          should be automatically updated in case
+ *                          a handshake message is found.
+ *
+ * \return      0 or non-zero error code.
+ *
+ * \note        A clarification on what is called 'record layer' here
+ *              is in order, as many sensible definitions are possible:
+ *
+ *              The record layer takes as input an untrusted underlying
+ *              transport (stream or datagram) and transforms it into
+ *              a serially multiplexed, secure transport, which
+ *              conceptually provides the following:
+ *
+ *              (1) Three datagram based, content-agnostic transports
+ *                  for handshake, alert and CCS messages.
+ *              (2) One stream- or datagram-based transport
+ *                  for application data.
+ *              (3) Functionality for changing the underlying transform
+ *                  securing the contents.
+ *
+ *              The interface to this functionality is given as follows:
+ *
+ *              a Updating
+ *                [Currently implemented by mbedtls_ssl_read_record]
+ *
+ *                Check if and on which of the four 'ports' data is pending:
+ *                Nothing, a controlling datagram of type (1), or application
+ *                data (2). In any case data is present, internal buffers
+ *                provide access to the data for the user to process it.
+ *                Consumption of type (1) datagrams is done automatically
+ *                on the next update, invalidating that the internal buffers
+ *                for previous datagrams, while consumption of application
+ *                data (2) is user-controlled.
+ *
+ *              b Reading of application data
+ *                [Currently manual adaption of ssl->in_offt pointer]
+ *
+ *                As mentioned in the last paragraph, consumption of data
+ *                is different from the automatic consumption of control
+ *                datagrams (1) because application data is treated as a stream.
+ *
+ *              c Tracking availability of application data
+ *                [Currently manually through decreasing ssl->in_msglen]
+ *
+ *                For efficiency and to retain datagram semantics for
+ *                application data in case of DTLS, the record layer
+ *                provides functionality for checking how much application
+ *                data is still available in the internal buffer.
+ *
+ *              d Changing the transformation securing the communication.
+ *
+ *              Given an opaque implementation of the record layer in the
+ *              above sense, it should be possible to implement the logic
+ *              of (D)TLS on top of it without the need to know anything
+ *              about the record layer's internals. This is done e.g.
+ *              in all the handshake handling functions, and in the
+ *              application data reading function mbedtls_ssl_read.
+ *
+ * \note        The above tries to give a conceptual picture of the
+ *              record layer, but the current implementation deviates
+ *              from it in some places. For example, our implementation of
+ *              the update functionality through mbedtls_ssl_read_record
+ *              discards datagrams depending on the current state, which
+ *              wouldn't fall under the record layer's responsibility
+ *              following the above definition.
+ *
+ */
+int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
+                            unsigned update_hs_digest);
+int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
+
+int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush);
+int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
+
+void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
+                                   const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex);
+
+/**
+ * Get the first defined PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
+ * Return a code and update the pair (PSK, PSK length) passed to this function
+ */
+static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
+                                      const unsigned char **psk, size_t *psk_len) {
+    if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
+        *psk = ssl->handshake->psk;
+        *psk_len = ssl->handshake->psk_len;
+    }
+
+    else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
+        *psk = ssl->conf->psk;
+        *psk_len = ssl->conf->psk_len;
+    }
+
+    else {
+        *psk = NULL;
+        *psk_len = 0;
+        return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
+    }
+
+    return (0);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * Get the first defined opaque PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
+ *    callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
+ * Return an opaque PSK
+ */
+static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
+    const mbedtls_ssl_context *ssl) {
+    if (! mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque))
+        return (ssl->handshake->psk_opaque);
+
+    if (! mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque))
+        return (ssl->conf->psk_opaque);
+
+    return (MBEDTLS_SVC_KEY_ID_INIT);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_PK_C)
+unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
+unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
+#endif
+
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
+unsigned char mbedtls_ssl_hash_from_md_alg(int md);
+int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
+
+#if defined(MBEDTLS_ECP_C)
+int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl,
+                               mbedtls_md_type_t md);
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
+(const uint16_t srtp_profile_value) {
+    switch (srtp_profile_value) {
+        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
+        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
+        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
+        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
+            return srtp_profile_value;
+        default:
+            break;
+    }
+    return (MBEDTLS_TLS_SRTP_UNSET);
+}
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_key_cert *key_cert;
+
+    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL)
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return (key_cert == NULL ? NULL : key_cert->key);
+}
+
+static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_key_cert *key_cert;
+
+    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL)
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return (key_cert == NULL ? NULL : key_cert->cert);
+}
+
+/*
+ * Check usage of a certificate wrt extensions:
+ * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ *
+ * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
+ * check a cert we received from them)!
+ *
+ * Return 0 if everything is OK, -1 if not.
+ */
+int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
+                                 const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                                 int cert_endpoint,
+                                 uint32_t *flags);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_write_version(int major, int minor, int transport,
+                               unsigned char ver[2]);
+void mbedtls_ssl_read_version(int *major, int *minor, int transport,
+                              const unsigned char ver[2]);
+
+static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) {
+#if !defined(MBEDTLS_SSL_PROTO_DTLS)
+    ((void) ssl);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        return (13);
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        return (5);
+    }
+}
+
+static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) {
+    return ((size_t)(ssl->out_iv - ssl->out_hdr));
+}
+
+static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        return (12);
+#else
+    ((void) ssl);
+#endif
+    return (4);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
+int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
+#endif
+
+/* Visible for testing purposes only */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
+void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
+#endif
+
+int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
+                             const mbedtls_ssl_session *src);
+
+/* constant-time buffer comparison */
+static inline int mbedtls_ssl_safer_memcmp(const void *a, const void *b, size_t n) {
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for (i = 0; i < n; i++) {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return (diff);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl,
+                                            unsigned char *output,
+                                            unsigned char *data, size_t data_len);
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+                                           unsigned char *hash, size_t *hashlen,
+                                           unsigned char *data, size_t data_len,
+                                           mbedtls_md_type_t md_alg);
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#ifdef __cplusplus
+}
+#endif
+
+void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
+int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
+                            mbedtls_ssl_transform *transform,
+                            mbedtls_record *rec,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng);
+int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
+                            mbedtls_ssl_transform *transform,
+                            mbedtls_record *rec);
+
+/* Length of the "epoch" field in the record header */
+static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        return (2);
+#else
+    ((void) ssl);
+#endif
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
+int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
+
+void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform);
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
+#endif
+
+void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
+void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#endif /* ssl_internal.h */
diff --git a/common/mbedtls/ssl_invasive.h b/common/mbedtls/ssl_invasive.h
new file mode 100644
index 000000000..2637d88d4
--- /dev/null
+++ b/common/mbedtls/ssl_invasive.h
@@ -0,0 +1,100 @@
+/**
+ * \file ssl_invasive.h
+ *
+ * \brief SSL module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_INVASIVE_H
+#define MBEDTLS_SSL_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) &&              \
+    defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/** \brief Compute the HMAC of variable-length data with constant flow.
+ *
+ * This function computes the HMAC of the concatenation of \p add_data and \p
+ * data, and does with a code flow and memory access pattern that does not
+ * depend on \p data_len_secret, but only on \p min_data_len and \p
+ * max_data_len. In particular, this function always reads exactly \p
+ * max_data_len bytes from \p data.
+ *
+ * \param ctx               The HMAC context. It must have keys configured
+ *                          with mbedtls_md_hmac_starts() and use one of the
+ *                          following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
+ *                          It is reset using mbedtls_md_hmac_reset() after
+ *                          the computation is complete to prepare for the
+ *                          next computation.
+ * \param add_data          The additional data prepended to \p data. This
+ *                          must point to a readable buffer of \p add_data_len
+ *                          bytes.
+ * \param add_data_len      The length of \p add_data in bytes.
+ * \param data              The data appended to \p add_data. This must point
+ *                          to a readable buffer of \p max_data_len bytes.
+ * \param data_len_secret   The length of the data to process in \p data.
+ *                          This must be no less than \p min_data_len and no
+ *                          greater than \p max_data_len.
+ * \param min_data_len      The minimal length of \p data in bytes.
+ * \param max_data_len      The maximal length of \p data in bytes.
+ * \param output            The HMAC will be written here. This must point to
+ *                          a writable buffer of sufficient size to hold the
+ *                          HMAC value.
+ *
+ * \retval 0
+ *         Success.
+ * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
+ *         The hardware accelerator failed.
+ */
+int mbedtls_ssl_cf_hmac(
+    mbedtls_md_context_t *ctx,
+    const unsigned char *add_data, size_t add_data_len,
+    const unsigned char *data, size_t data_len_secret,
+    size_t min_data_len, size_t max_data_len,
+    unsigned char *output);
+
+/** \brief Copy data from a secret position with constant flow.
+ *
+ * This function copies \p len bytes from \p src_base + \p offset_secret to \p
+ * dst, with a code flow and memory access pattern that does not depend on \p
+ * offset_secret, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \param dst           The destination buffer. This must point to a writable
+ *                      buffer of at least \p len bytes.
+ * \param src_base      The base of the source buffer. This must point to a
+ *                      readable buffer of at least \p offset_max + \p len
+ *                      bytes.
+ * \param offset_secret The offset in the source buffer from which to copy.
+ *                      This must be no less than \p offset_min and no greater
+ *                      than \p offset_max.
+ * \param offset_min    The minimal value of \p offset_secret.
+ * \param offset_max    The maximal value of \p offset_secret.
+ * \param len           The number of bytes to copy.
+ */
+void mbedtls_ssl_cf_memcpy_offset(unsigned char *dst,
+                                  const unsigned char *src_base,
+                                  size_t offset_secret,
+                                  size_t offset_min, size_t offset_max,
+                                  size_t len);
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+#endif /* MBEDTLS_SSL_INVASIVE_H */
diff --git a/common/mbedtls/ssl_msg.c b/common/mbedtls/ssl_msg.c
new file mode 100644
index 000000000..d13be766f
--- /dev/null
+++ b/common/mbedtls/ssl_msg.c
@@ -0,0 +1,5557 @@
+/*
+ *  Generic SSL/TLS messaging layer functions
+ *  (record layer + retransmission state machine)
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The SSL 3.0 specification was drafted by Netscape in 1996,
+ *  and became an IETF standard in 1999.
+ *
+ *  http://wp.netscape.com/eng/ssl3/
+ *  http://www.ietf.org/rfc/rfc2246.txt
+ *  http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/version.h"
+
+#include "ssl_invasive.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);
+
+/*
+ * Start a timer.
+ * Passing millisecs = 0 cancels a running timer.
+ */
+void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs) {
+    if (ssl->f_set_timer == NULL)
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("set_timer to %d ms", (int) millisecs));
+    ssl->f_set_timer(ssl->p_timer, millisecs / 4, millisecs);
+}
+
+/*
+ * Return -1 is timer is expired, 0 if it isn't.
+ */
+int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl) {
+    if (ssl->f_get_timer == NULL)
+        return (0);
+
+    if (ssl->f_get_timer(ssl->p_timer) == 2) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("timer expired"));
+        return (-1);
+    }
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_RECORD_CHECKING)
+static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
+                                   unsigned char *buf,
+                                   size_t len,
+                                   mbedtls_record *rec);
+
+int mbedtls_ssl_check_record(mbedtls_ssl_context const *ssl,
+                             unsigned char *buf,
+                             size_t buflen) {
+    int ret = 0;
+    MBEDTLS_SSL_DEBUG_MSG(1, ("=> mbedtls_ssl_check_record"));
+    MBEDTLS_SSL_DEBUG_BUF(3, "record buffer", buf, buflen);
+
+    /* We don't support record checking in TLS because
+     * (a) there doesn't seem to be a usecase for it, and
+     * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
+     *     and we'd need to backup the transform here.
+     */
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
+        ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    else {
+        mbedtls_record rec;
+
+        ret = ssl_parse_record_header(ssl, buf, buflen, &rec);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(3, "ssl_parse_record_header", ret);
+            goto exit;
+        }
+
+        if (ssl->transform_in != NULL) {
+            ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in, &rec);
+            if (ret != 0) {
+                MBEDTLS_SSL_DEBUG_RET(3, "mbedtls_ssl_decrypt_buf", ret);
+                goto exit;
+            }
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+exit:
+    /* On success, we have decrypted the buffer in-place, so make
+     * sure we don't leak any plaintext data. */
+    mbedtls_platform_zeroize(buf, buflen);
+
+    /* For the purpose of this API, treat messages with unexpected CID
+     * as well as such from future epochs as unexpected. */
+    if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
+            ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+        ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("<= mbedtls_ssl_check_record"));
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_RECORD_CHECKING */
+
+#define SSL_DONT_FORCE_FLUSH 0
+#define SSL_FORCE_FLUSH      1
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/* Forward declarations for functions related to message buffering. */
+static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
+                                    uint8_t slot);
+static void ssl_free_buffered_record(mbedtls_ssl_context *ssl);
+static int ssl_load_buffered_message(mbedtls_ssl_context *ssl);
+static int ssl_load_buffered_record(mbedtls_ssl_context *ssl);
+static int ssl_buffer_message(mbedtls_ssl_context *ssl);
+static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
+                                    mbedtls_record const *rec);
+static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl);
+
+static size_t ssl_get_maximum_datagram_size(mbedtls_ssl_context const *ssl) {
+    size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t out_buf_len = ssl->out_buf_len;
+#else
+    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+    if (mtu != 0 && mtu < out_buf_len)
+        return (mtu);
+
+    return (out_buf_len);
+}
+
+static int ssl_get_remaining_space_in_datagram(mbedtls_ssl_context const *ssl) {
+    size_t const bytes_written = ssl->out_left;
+    size_t const mtu           = ssl_get_maximum_datagram_size(ssl);
+
+    /* Double-check that the write-index hasn't gone
+     * past what we can transmit in a single datagram. */
+    if (bytes_written > mtu) {
+        /* Should never happen... */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    return ((int)(mtu - bytes_written));
+}
+
+static int ssl_get_remaining_payload_in_datagram(mbedtls_ssl_context const *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t remaining, expansion;
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+
+    if (max_len > mfl)
+        max_len = mfl;
+
+    /* By the standard (RFC 6066 Sect. 4), the MFL extension
+     * only limits the maximum record payload size, so in theory
+     * we would be allowed to pack multiple records of payload size
+     * MFL into a single datagram. However, this would mean that there's
+     * no way to explicitly communicate MTU restrictions to the peer.
+     *
+     * The following reduction of max_len makes sure that we never
+     * write datagrams larger than MFL + Record Expansion Overhead.
+     */
+    if (max_len <= ssl->out_left)
+        return (0);
+
+    max_len -= ssl->out_left;
+#endif
+
+    ret = ssl_get_remaining_space_in_datagram(ssl);
+    if (ret < 0)
+        return (ret);
+    remaining = (size_t) ret;
+
+    ret = mbedtls_ssl_get_record_expansion(ssl);
+    if (ret < 0)
+        return (ret);
+    expansion = (size_t) ret;
+
+    if (remaining <= expansion)
+        return (0);
+
+    remaining -= expansion;
+    if (remaining >= max_len)
+        remaining = max_len;
+
+    return ((int) remaining);
+}
+
+/*
+ * Double the retransmit timeout value, within the allowed range,
+ * returning -1 if the maximum value has already been reached.
+ */
+static int ssl_double_retransmit_timeout(mbedtls_ssl_context *ssl) {
+    uint32_t new_timeout;
+
+    if (ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max)
+        return (-1);
+
+    /* Implement the final paragraph of RFC 6347 section 4.1.1.1
+     * in the following way: after the initial transmission and a first
+     * retransmission, back off to a temporary estimated MTU of 508 bytes.
+     * This value is guaranteed to be deliverable (if not guaranteed to be
+     * delivered) of any compliant IPv4 (and IPv6) network, and should work
+     * on most non-IP stacks too. */
+    if (ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min) {
+        ssl->handshake->mtu = 508;
+        MBEDTLS_SSL_DEBUG_MSG(2, ("mtu autoreduction to %d bytes", ssl->handshake->mtu));
+    }
+
+    new_timeout = 2 * ssl->handshake->retransmit_timeout;
+
+    /* Avoid arithmetic overflow and range overflow */
+    if (new_timeout < ssl->handshake->retransmit_timeout ||
+            new_timeout > ssl->conf->hs_timeout_max) {
+        new_timeout = ssl->conf->hs_timeout_max;
+    }
+
+    ssl->handshake->retransmit_timeout = new_timeout;
+    MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
+                              (unsigned long) ssl->handshake->retransmit_timeout));
+
+    return (0);
+}
+
+static void ssl_reset_retransmit_timeout(mbedtls_ssl_context *ssl) {
+    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+    MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
+                              (unsigned long) ssl->handshake->retransmit_timeout));
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
+                                  const unsigned char *key_enc, const unsigned char *key_dec,
+                                  size_t keylen,
+                                  const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                                  size_t ivlen,
+                                  const unsigned char *mac_enc, const unsigned char *mac_dec,
+                                  size_t maclen) = NULL;
+int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction) = NULL;
+int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl) = NULL;
+int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl) = NULL;
+int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl) = NULL;
+int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl) = NULL;
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/*
+ * Encryption/decryption functions
+ */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ||  \
+    defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+
+static size_t ssl_compute_padding_length(size_t len,
+                                         size_t granularity) {
+    return ((granularity - (len + 1) % granularity) % granularity);
+}
+
+/* This functions transforms a (D)TLS plaintext fragment and a record content
+ * type into an instance of the (D)TLSInnerPlaintext structure. This is used
+ * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
+ * a record's content type.
+ *
+ *        struct {
+ *            opaque content[DTLSPlaintext.length];
+ *            ContentType real_type;
+ *            uint8 zeros[length_of_padding];
+ *        } (D)TLSInnerPlaintext;
+ *
+ *  Input:
+ *  - `content`: The beginning of the buffer holding the
+ *               plaintext to be wrapped.
+ *  - `*content_size`: The length of the plaintext in Bytes.
+ *  - `max_len`: The number of Bytes available starting from
+ *               `content`. This must be `>= *content_size`.
+ *  - `rec_type`: The desired record content type.
+ *
+ *  Output:
+ *  - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
+ *  - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
+ *
+ *  Returns:
+ *  - `0` on success.
+ *  - A negative error code if `max_len` didn't offer enough space
+ *    for the expansion.
+ */
+static int ssl_build_inner_plaintext(unsigned char *content,
+                                     size_t *content_size,
+                                     size_t remaining,
+                                     uint8_t rec_type,
+                                     size_t pad) {
+    size_t len = *content_size;
+
+    /* Write real content type */
+    if (remaining == 0)
+        return (-1);
+    content[ len ] = rec_type;
+    len++;
+    remaining--;
+
+    if (remaining < pad)
+        return (-1);
+    memset(content + len, 0, pad);
+    len += pad;
+    remaining -= pad;
+
+    *content_size = len;
+    return (0);
+}
+
+/* This function parses a (D)TLSInnerPlaintext structure.
+ * See ssl_build_inner_plaintext() for details. */
+static int ssl_parse_inner_plaintext(unsigned char const *content,
+                                     size_t *content_size,
+                                     uint8_t *rec_type) {
+    size_t remaining = *content_size;
+
+    /* Determine length of padding by skipping zeroes from the back. */
+    do {
+        if (remaining == 0)
+            return (-1);
+        remaining--;
+    } while (content[ remaining ] == 0);
+
+    *content_size = remaining;
+    *rec_type = content[ remaining ];
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
+          MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+/* `add_data` must have size 13 Bytes if the CID extension is disabled,
+ * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
+static void ssl_extract_add_data_from_record(unsigned char *add_data,
+                                             size_t *add_data_len,
+                                             mbedtls_record *rec,
+                                             unsigned minor_ver) {
+    /* Quoting RFC 5246 (TLS 1.2):
+     *
+     *    additional_data = seq_num + TLSCompressed.type +
+     *                      TLSCompressed.version + TLSCompressed.length;
+     *
+     * For the CID extension, this is extended as follows
+     * (quoting draft-ietf-tls-dtls-connection-id-05,
+     *  https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
+     *
+     *       additional_data = seq_num + DTLSPlaintext.type +
+     *                         DTLSPlaintext.version +
+     *                         cid +
+     *                         cid_length +
+     *                         length_of_DTLSInnerPlaintext;
+     *
+     * For TLS 1.3, the record sequence number is dropped from the AAD
+     * and encoded within the nonce of the AEAD operation instead.
+     */
+
+    unsigned char *cur = add_data;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    if (minor_ver != MBEDTLS_SSL_MINOR_VERSION_4)
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+    {
+        ((void) minor_ver);
+        memcpy(cur, rec->ctr, sizeof(rec->ctr));
+        cur += sizeof(rec->ctr);
+    }
+
+    *cur = rec->type;
+    cur++;
+
+    memcpy(cur, rec->ver, sizeof(rec->ver));
+    cur += sizeof(rec->ver);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    if (rec->cid_len != 0) {
+        memcpy(cur, rec->cid, rec->cid_len);
+        cur += rec->cid_len;
+
+        *cur = rec->cid_len;
+        cur++;
+
+        cur[0] = (rec->data_len >> 8) & 0xFF;
+        cur[1] = (rec->data_len >> 0) & 0xFF;
+        cur += 2;
+    } else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+    {
+        cur[0] = (rec->data_len >> 8) & 0xFF;
+        cur[1] = (rec->data_len >> 0) & 0xFF;
+        cur += 2;
+    }
+
+    *add_data_len = cur - add_data;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+
+#define SSL3_MAC_MAX_BYTES   20  /* MD-5 or SHA-1 */
+
+/*
+ * SSLv3.0 MAC functions
+ */
+static void ssl_mac(mbedtls_md_context_t *md_ctx,
+                    const unsigned char *secret,
+                    const unsigned char *buf, size_t len,
+                    const unsigned char *ctr, int type,
+                    unsigned char out[SSL3_MAC_MAX_BYTES]) {
+    unsigned char header[11];
+    unsigned char padding[48];
+    int padlen;
+    int md_size = mbedtls_md_get_size(md_ctx->md_info);
+    int md_type = mbedtls_md_get_type(md_ctx->md_info);
+
+    /* Only MD5 and SHA-1 supported */
+    if (md_type == MBEDTLS_MD_MD5)
+        padlen = 48;
+    else
+        padlen = 40;
+
+    memcpy(header, ctr, 8);
+    header[ 8] = (unsigned char)  type;
+    header[ 9] = (unsigned char)(len >> 8);
+    header[10] = (unsigned char)(len);
+
+    memset(padding, 0x36, padlen);
+    mbedtls_md_starts(md_ctx);
+    mbedtls_md_update(md_ctx, secret,  md_size);
+    mbedtls_md_update(md_ctx, padding, padlen);
+    mbedtls_md_update(md_ctx, header,  11);
+    mbedtls_md_update(md_ctx, buf,     len);
+    mbedtls_md_finish(md_ctx, out);
+
+    memset(padding, 0x5C, padlen);
+    mbedtls_md_starts(md_ctx);
+    mbedtls_md_update(md_ctx, secret,    md_size);
+    mbedtls_md_update(md_ctx, padding,   padlen);
+    mbedtls_md_update(md_ctx, out,       md_size);
+    mbedtls_md_finish(md_ctx, out);
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+static int ssl_transform_aead_dynamic_iv_is_explicit(
+    mbedtls_ssl_transform const *transform) {
+    return (transform->ivlen != transform->fixed_ivlen);
+}
+
+/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
+ *
+ * Concretely, this occurs in two variants:
+ *
+ * a) Fixed and dynamic IV lengths add up to total IV length, giving
+ *       IV = fixed_iv || dynamic_iv
+ *
+ *    This variant is used in TLS 1.2 when used with GCM or CCM.
+ *
+ * b) Fixed IV lengths matches total IV length, giving
+ *       IV = fixed_iv XOR ( 0 || dynamic_iv )
+ *
+ *    This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
+ *
+ * See also the documentation of mbedtls_ssl_transform.
+ *
+ * This function has the precondition that
+ *
+ *     dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
+ *
+ * which has to be ensured by the caller. If this precondition
+ * violated, the behavior of this function is undefined.
+ */
+static void ssl_build_record_nonce(unsigned char *dst_iv,
+                                   size_t dst_iv_len,
+                                   unsigned char const *fixed_iv,
+                                   size_t fixed_iv_len,
+                                   unsigned char const *dynamic_iv,
+                                   size_t dynamic_iv_len) {
+    size_t i;
+
+    /* Start with Fixed IV || 0 */
+    memset(dst_iv, 0, dst_iv_len);
+    memcpy(dst_iv, fixed_iv, fixed_iv_len);
+
+    dst_iv += dst_iv_len - dynamic_iv_len;
+    for (i = 0; i < dynamic_iv_len; i++)
+        dst_iv[i] ^= dynamic_iv[i];
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+
+int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
+                            mbedtls_ssl_transform *transform,
+                            mbedtls_record *rec,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng) {
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+    unsigned char *data;
+    unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    size_t add_data_len;
+    size_t post_avail;
+
+    /* The SSL context is only used for debugging purposes! */
+#if !defined(MBEDTLS_DEBUG_C)
+    ssl = NULL; /* make sure we don't use it except for debug */
+    ((void) ssl);
+#endif
+
+    /* The PRNG is used for dynamic IV generation that's used
+     * for CBC transformations in TLS 1.1 and TLS 1.2. */
+#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+       ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
+    ((void) f_rng);
+    ((void) p_rng);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> encrypt buf"));
+
+    if (transform == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("no transform provided to encrypt_buf"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+    if (rec == NULL
+            || rec->buf == NULL
+            || rec->buf_len < rec->data_offset
+            || rec->buf_len - rec->data_offset < rec->data_len
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+            || rec->cid_len != 0
+#endif
+       ) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to encrypt_buf"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    data = rec->buf + rec->data_offset;
+    post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
+    MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
+                          data, rec->data_len);
+
+    mode = mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc);
+
+    if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
+                                  " too large, maximum %" MBEDTLS_PRINTF_SIZET,
+                                  rec->data_len,
+                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    /* The following two code paths implement the (D)TLSInnerPlaintext
+     * structure present in TLS 1.3 and DTLS 1.2 + CID.
+     *
+     * See ssl_build_inner_plaintext() for more information.
+     *
+     * Note that this changes `rec->data_len`, and hence
+     * `post_avail` needs to be recalculated afterwards.
+     *
+     * Note also that the two code paths cannot occur simultaneously
+     * since they apply to different versions of the protocol. There
+     * is hence no risk of double-addition of the inner plaintext.
+     */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    if (transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4) {
+        size_t padding =
+            ssl_compute_padding_length(rec->data_len,
+                                       MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY);
+        if (ssl_build_inner_plaintext(data,
+                                      &rec->data_len,
+                                      post_avail,
+                                      rec->type,
+                                      padding) != 0) {
+            return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+        }
+
+        rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /*
+     * Add CID information
+     */
+    rec->cid_len = transform->out_cid_len;
+    memcpy(rec->cid, transform->out_cid, transform->out_cid_len);
+    MBEDTLS_SSL_DEBUG_BUF(3, "CID", rec->cid, rec->cid_len);
+
+    if (rec->cid_len != 0) {
+        size_t padding =
+            ssl_compute_padding_length(rec->data_len,
+                                       MBEDTLS_SSL_CID_PADDING_GRANULARITY);
+        /*
+         * Wrap plaintext into DTLSInnerPlaintext structure.
+         * See ssl_build_inner_plaintext() for more information.
+         *
+         * Note that this changes `rec->data_len`, and hence
+         * `post_avail` needs to be recalculated afterwards.
+         */
+        if (ssl_build_inner_plaintext(data,
+                                      &rec->data_len,
+                                      post_avail,
+                                      rec->type,
+                                      padding) != 0) {
+            return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+        }
+
+        rec->type = MBEDTLS_SSL_MSG_CID;
+    }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
+
+    /*
+     * Add MAC before if needed
+     */
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    if (mode == MBEDTLS_MODE_STREAM ||
+            (mode == MBEDTLS_MODE_CBC
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+             && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
+#endif
+            )) {
+        if (post_avail < transform->maclen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+            return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if (transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+            unsigned char mac[SSL3_MAC_MAX_BYTES];
+            ssl_mac(&transform->md_ctx_enc, transform->mac_enc,
+                    data, rec->data_len, rec->ctr, rec->type, mac);
+            memcpy(data + rec->data_len, mac, transform->maclen);
+        } else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1) {
+                unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+                ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+                                                 transform->minor_ver);
+
+                mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
+                                       add_data_len);
+                mbedtls_md_hmac_update(&transform->md_ctx_enc,
+                                       data, rec->data_len);
+                mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
+                mbedtls_md_hmac_reset(&transform->md_ctx_enc);
+
+                memcpy(data + rec->data_len, mac, transform->maclen);
+            } else
+#endif
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+        MBEDTLS_SSL_DEBUG_BUF(4, "computed mac", data + rec->data_len,
+                              transform->maclen);
+
+        rec->data_len += transform->maclen;
+        post_avail -= transform->maclen;
+        auth_done++;
+    }
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+
+    /*
+     * Encrypt
+     */
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if (mode == MBEDTLS_MODE_STREAM) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        size_t olen;
+        MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+                                  "including %d bytes of padding",
+                                  rec->data_len, 0));
+
+        if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
+                                        transform->iv_enc, transform->ivlen,
+                                        data, rec->data_len,
+                                        data, &olen)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+            return (ret);
+        }
+
+        if (rec->data_len != olen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+    } else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+        if (mode == MBEDTLS_MODE_GCM ||
+                mode == MBEDTLS_MODE_CCM ||
+                mode == MBEDTLS_MODE_CHACHAPOLY) {
+            int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+            unsigned char iv[12];
+            unsigned char *dynamic_iv;
+            size_t dynamic_iv_len;
+            int dynamic_iv_is_explicit =
+                ssl_transform_aead_dynamic_iv_is_explicit(transform);
+
+            /* Check that there's space for the authentication tag. */
+            if (post_avail < transform->taglen) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+                return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+            }
+
+            /*
+             * Build nonce for AEAD encryption.
+             *
+             * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+             *       part of the IV is prepended to the ciphertext and
+             *       can be chosen freely - in particular, it need not
+             *       agree with the record sequence number.
+             *       However, since ChaChaPoly as well as all AEAD modes
+             *       in TLS 1.3 use the record sequence number as the
+             *       dynamic part of the nonce, we uniformly use the
+             *       record sequence number here in all cases.
+             */
+            dynamic_iv     = rec->ctr;
+            dynamic_iv_len = sizeof(rec->ctr);
+
+            ssl_build_record_nonce(iv, sizeof(iv),
+                                   transform->iv_enc,
+                                   transform->fixed_ivlen,
+                                   dynamic_iv,
+                                   dynamic_iv_len);
+
+            /*
+             * Build additional data for AEAD encryption.
+             * This depends on the TLS version.
+             */
+            ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+                                             transform->minor_ver);
+
+            MBEDTLS_SSL_DEBUG_BUF(4, "IV used (internal)",
+                                  iv, transform->ivlen);
+            MBEDTLS_SSL_DEBUG_BUF(4, "IV used (transmitted)",
+                                  dynamic_iv,
+                                  dynamic_iv_is_explicit ? dynamic_iv_len : 0);
+            MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
+                                  add_data, add_data_len);
+            MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+                                      "including 0 bytes of padding",
+                                      rec->data_len));
+
+            /*
+             * Encrypt and authenticate
+             */
+
+            if ((ret = mbedtls_cipher_auth_encrypt_ext(&transform->cipher_ctx_enc,
+                                                       iv, transform->ivlen,
+                                                       add_data, add_data_len,
+                                                       data, rec->data_len,                     /* src */
+                                                       data, rec->buf_len - (data - rec->buf),  /* dst */
+                                                       &rec->data_len,
+                                                       transform->taglen)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt", ret);
+                return (ret);
+            }
+            MBEDTLS_SSL_DEBUG_BUF(4, "after encrypt: tag",
+                                  data + rec->data_len - transform->taglen,
+                                  transform->taglen);
+            /* Account for authentication tag. */
+            post_avail -= transform->taglen;
+
+            /*
+             * Prefix record content with dynamic IV in case it is explicit.
+             */
+            if (dynamic_iv_is_explicit != 0) {
+                if (rec->data_offset < dynamic_iv_len) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+                    return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                }
+
+                memcpy(data - dynamic_iv_len, dynamic_iv, dynamic_iv_len);
+                rec->data_offset -= dynamic_iv_len;
+                rec->data_len    += dynamic_iv_len;
+            }
+
+            auth_done++;
+        } else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+            if (mode == MBEDTLS_MODE_CBC) {
+                int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+                size_t padlen, i;
+                size_t olen;
+
+                /* Currently we're always using minimal padding
+                 * (up to 255 bytes would be allowed). */
+                padlen = transform->ivlen - (rec->data_len + 1) % transform->ivlen;
+                if (padlen == transform->ivlen)
+                    padlen = 0;
+
+                /* Check there's enough space in the buffer for the padding. */
+                if (post_avail < padlen + 1) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+                    return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                }
+
+                for (i = 0; i <= padlen; i++)
+                    data[rec->data_len + i] = (unsigned char) padlen;
+
+                rec->data_len += padlen + 1;
+                post_avail -= padlen + 1;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                /*
+                 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
+                 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
+                 */
+                if (transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2) {
+                    if (f_rng == NULL) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
+                        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                    }
+
+                    if (rec->data_offset < transform->ivlen) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+                        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                    }
+
+                    /*
+                     * Generate IV
+                     */
+                    ret = f_rng(p_rng, transform->iv_enc, transform->ivlen);
+                    if (ret != 0)
+                        return (ret);
+
+                    memcpy(data - transform->ivlen, transform->iv_enc,
+                           transform->ivlen);
+
+                }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+                MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+                                          "including %" MBEDTLS_PRINTF_SIZET
+                                          " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
+                                          rec->data_len, transform->ivlen,
+                                          padlen + 1));
+
+                if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
+                                                transform->iv_enc,
+                                                transform->ivlen,
+                                                data, rec->data_len,
+                                                data, &olen)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+                    return (ret);
+                }
+
+                if (rec->data_len != olen) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+                if (transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2) {
+                    /*
+                     * Save IV in SSL3 and TLS1
+                     */
+                    memcpy(transform->iv_enc, transform->cipher_ctx_enc.iv,
+                           transform->ivlen);
+                } else
+#endif
+                {
+                    data             -= transform->ivlen;
+                    rec->data_offset -= transform->ivlen;
+                    rec->data_len    += transform->ivlen;
+                }
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                if (auth_done == 0) {
+                    unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+                    /*
+                     * MAC(MAC_write_key, seq_num +
+                     *     TLSCipherText.type +
+                     *     TLSCipherText.version +
+                     *     length_of( (IV +) ENC(...) ) +
+                     *     IV + // except for TLS 1.0
+                     *     ENC(content + padding + padding_length));
+                     */
+
+                    if (post_avail < transform->maclen) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+                        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+                    }
+
+                    ssl_extract_add_data_from_record(add_data, &add_data_len,
+                                                     rec, transform->minor_ver);
+
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
+                    MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
+                                          add_data_len);
+
+                    mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
+                                           add_data_len);
+                    mbedtls_md_hmac_update(&transform->md_ctx_enc,
+                                           data, rec->data_len);
+                    mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
+                    mbedtls_md_hmac_reset(&transform->md_ctx_enc);
+
+                    memcpy(data + rec->data_len, mac, transform->maclen);
+
+                    rec->data_len += transform->maclen;
+                    post_avail -= transform->maclen;
+                    auth_done++;
+                }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+            } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+    /* Make extra sure authentication was performed, exactly once */
+    if (auth_done != 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= encrypt buf"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/*
+ * Turn a bit into a mask:
+ * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1
+ * - if bit == 0, return the all-bits 0 mask, aka 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_from_bit(size_t bit) {
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    return -bit;
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/*
+ * Constant-flow mask generation for "less than" comparison:
+ * - if x < y,  return all bits 1, that is (size_t) -1
+ * - otherwise, return all bits 0, that is 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_lt(size_t x, size_t y) {
+    /* This has the most significant bit set if and only if x < y */
+    const size_t sub = x - y;
+
+    /* sub1 = (x < y) ? 1 : 0 */
+    const size_t sub1 = sub >> (sizeof(sub) * 8 - 1);
+
+    /* mask = (x < y) ? 0xff... : 0x00... */
+    const size_t mask = mbedtls_ssl_cf_mask_from_bit(sub1);
+
+    return (mask);
+}
+
+/*
+ * Constant-flow mask generation for "greater or equal" comparison:
+ * - if x >= y, return all bits 1, that is (size_t) -1
+ * - otherwise, return all bits 0, that is 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_ge(size_t x, size_t y) {
+    return (~mbedtls_ssl_cf_mask_lt(x, y));
+}
+
+/*
+ * Constant-flow boolean "equal" comparison:
+ * return x == y
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations - it can be used in conjunction with
+ * mbedtls_ssl_cf_mask_from_bit().
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_bool_eq(size_t x, size_t y) {
+    /* diff = 0 if x == y, non-zero otherwise */
+    const size_t diff = x ^ y;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* diff_msb's most significant bit is equal to x != y */
+    const size_t diff_msb = (diff | -diff);
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /* diff1 = (x != y) ? 1 : 0 */
+    const size_t diff1 = diff_msb >> (sizeof(diff_msb) * 8 - 1);
+
+    return (1 ^ diff1);
+}
+
+/*
+ * Constant-flow conditional memcpy:
+ *  - if c1 == c2, equivalent to memcpy(dst, src, len),
+ *  - otherwise, a no-op,
+ * but with execution flow independent of the values of c1 and c2.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static void mbedtls_ssl_cf_memcpy_if_eq(unsigned char *dst,
+                                        const unsigned char *src,
+                                        size_t len,
+                                        size_t c1, size_t c2) {
+    /* mask = c1 == c2 ? 0xff : 0x00 */
+    const size_t equal = mbedtls_ssl_cf_bool_eq(c1, c2);
+    const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit(equal);
+
+    /* dst[i] = c1 == c2 ? src[i] : dst[i] */
+    for (size_t i = 0; i < len; i++)
+        dst[i] = (src[i] & mask) | (dst[i] & ~mask);
+}
+
+/*
+ * Compute HMAC of variable-length data with constant flow.
+ *
+ * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
+ * (Otherwise, computation of block_size needs to be adapted.)
+ */
+MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
+    mbedtls_md_context_t *ctx,
+    const unsigned char *add_data, size_t add_data_len,
+    const unsigned char *data, size_t data_len_secret,
+    size_t min_data_len, size_t max_data_len,
+    unsigned char *output) {
+    /*
+     * This function breaks the HMAC abstraction and uses the md_clone()
+     * extension to the MD API in order to get constant-flow behaviour.
+     *
+     * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+     * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+     * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
+     *
+     * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
+     * minlen, then cloning the context, and for each byte up to maxlen
+     * finishing up the hash computation, keeping only the correct result.
+     *
+     * Then we only need to compute HASH(okey + inner_hash) and we're done.
+     */
+    const mbedtls_md_type_t md_alg = mbedtls_md_get_type(ctx->md_info);
+    /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
+     * all of which have the same block size except SHA-384. */
+    const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
+    const unsigned char *const ikey = ctx->hmac_ctx;
+    const unsigned char *const okey = ikey + block_size;
+    const size_t hash_size = mbedtls_md_get_size(ctx->md_info);
+
+    unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
+    mbedtls_md_context_t aux;
+    size_t offset;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    mbedtls_md_init(&aux);
+
+#define MD_CHK( func_call ) \
+    do {                    \
+        ret = (func_call);  \
+        if( ret != 0 )      \
+            goto cleanup;   \
+    } while( 0 )
+
+    MD_CHK(mbedtls_md_setup(&aux, ctx->md_info, 0));
+
+    /* After hmac_start() of hmac_reset(), ikey has already been hashed,
+     * so we can start directly with the message */
+    MD_CHK(mbedtls_md_update(ctx, add_data, add_data_len));
+    MD_CHK(mbedtls_md_update(ctx, data, min_data_len));
+
+    /* For each possible length, compute the hash up to that point */
+    for (offset = min_data_len; offset <= max_data_len; offset++) {
+        MD_CHK(mbedtls_md_clone(&aux, ctx));
+        MD_CHK(mbedtls_md_finish(&aux, aux_out));
+        /* Keep only the correct inner_hash in the output buffer */
+        mbedtls_ssl_cf_memcpy_if_eq(output, aux_out, hash_size,
+                                    offset, data_len_secret);
+
+        if (offset < max_data_len)
+            MD_CHK(mbedtls_md_update(ctx, data + offset, 1));
+    }
+
+    /* Now compute HASH(okey + inner_hash) */
+    MD_CHK(mbedtls_md_starts(ctx));
+    MD_CHK(mbedtls_md_update(ctx, okey, block_size));
+    MD_CHK(mbedtls_md_update(ctx, output, hash_size));
+    MD_CHK(mbedtls_md_finish(ctx, output));
+
+    /* Done, get ready for next time */
+    MD_CHK(mbedtls_md_hmac_reset(ctx));
+
+#undef MD_CHK
+
+cleanup:
+    mbedtls_md_free(&aux);
+    return (ret);
+}
+
+/*
+ * Constant-flow memcpy from variable position in buffer.
+ * - functionally equivalent to memcpy(dst, src + offset_secret, len)
+ * - but with execution flow independent from the value of offset_secret.
+ */
+MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
+    unsigned char *dst,
+    const unsigned char *src_base,
+    size_t offset_secret,
+    size_t offset_min, size_t offset_max,
+    size_t len) {
+    size_t offset;
+
+    for (offset = offset_min; offset <= offset_max; offset++) {
+        mbedtls_ssl_cf_memcpy_if_eq(dst, src_base + offset, len,
+                                    offset, offset_secret);
+    }
+}
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
+                            mbedtls_ssl_transform *transform,
+                            mbedtls_record *rec) {
+    size_t olen;
+    mbedtls_cipher_mode_t mode;
+    int ret, auth_done = 0;
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    size_t padlen = 0, correct = 1;
+#endif
+    unsigned char *data;
+    unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
+    size_t add_data_len;
+
+#if !defined(MBEDTLS_DEBUG_C)
+    ssl = NULL; /* make sure we don't use it except for debug */
+    ((void) ssl);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> decrypt buf"));
+    if (rec == NULL                     ||
+            rec->buf == NULL                ||
+            rec->buf_len < rec->data_offset ||
+            rec->buf_len - rec->data_offset < rec->data_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to decrypt_buf"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    data = rec->buf + rec->data_offset;
+    mode = mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_dec);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /*
+     * Match record's CID with incoming CID.
+     */
+    if (rec->cid_len != transform->in_cid_len ||
+            memcmp(rec->cid, transform->in_cid, rec->cid_len) != 0) {
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_CID);
+    }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if (mode == MBEDTLS_MODE_STREAM) {
+        padlen = 0;
+        if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
+                                        transform->iv_dec,
+                                        transform->ivlen,
+                                        data, rec->data_len,
+                                        data, &olen)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+            return (ret);
+        }
+
+        if (rec->data_len != olen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+    } else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+        if (mode == MBEDTLS_MODE_GCM ||
+                mode == MBEDTLS_MODE_CCM ||
+                mode == MBEDTLS_MODE_CHACHAPOLY) {
+            unsigned char iv[12];
+            unsigned char *dynamic_iv;
+            size_t dynamic_iv_len;
+
+            /*
+             * Extract dynamic part of nonce for AEAD decryption.
+             *
+             * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+             *       part of the IV is prepended to the ciphertext and
+             *       can be chosen freely - in particular, it need not
+             *       agree with the record sequence number.
+             */
+            dynamic_iv_len = sizeof(rec->ctr);
+            if (ssl_transform_aead_dynamic_iv_is_explicit(transform) == 1) {
+                if (rec->data_len < dynamic_iv_len) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+                                              " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
+                                              rec->data_len,
+                                              dynamic_iv_len));
+                    return (MBEDTLS_ERR_SSL_INVALID_MAC);
+                }
+                dynamic_iv = data;
+
+                data += dynamic_iv_len;
+                rec->data_offset += dynamic_iv_len;
+                rec->data_len    -= dynamic_iv_len;
+            } else {
+                dynamic_iv = rec->ctr;
+            }
+
+            /* Check that there's space for the authentication tag. */
+            if (rec->data_len < transform->taglen) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+                                          ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
+                                          rec->data_len,
+                                          transform->taglen));
+                return (MBEDTLS_ERR_SSL_INVALID_MAC);
+            }
+            rec->data_len -= transform->taglen;
+
+            /*
+             * Prepare nonce from dynamic and static parts.
+             */
+            ssl_build_record_nonce(iv, sizeof(iv),
+                                   transform->iv_dec,
+                                   transform->fixed_ivlen,
+                                   dynamic_iv,
+                                   dynamic_iv_len);
+
+            /*
+             * Build additional data for AEAD encryption.
+             * This depends on the TLS version.
+             */
+            ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+                                             transform->minor_ver);
+            MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
+                                  add_data, add_data_len);
+
+            /* Because of the check above, we know that there are
+             * explicit_iv_len Bytes preceeding data, and taglen
+             * bytes following data + data_len. This justifies
+             * the debug message and the invocation of
+             * mbedtls_cipher_auth_decrypt() below. */
+
+            MBEDTLS_SSL_DEBUG_BUF(4, "IV used", iv, transform->ivlen);
+            MBEDTLS_SSL_DEBUG_BUF(4, "TAG used", data + rec->data_len,
+                                  transform->taglen);
+
+            /*
+             * Decrypt and authenticate
+             */
+            if ((ret = mbedtls_cipher_auth_decrypt_ext(&transform->cipher_ctx_dec,
+                                                       iv, transform->ivlen,
+                                                       add_data, add_data_len,
+                                                       data, rec->data_len + transform->taglen,          /* src */
+                                                       data, rec->buf_len - (data - rec->buf), &olen,    /* dst */
+                                                       transform->taglen)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt", ret);
+
+                if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED)
+                    return (MBEDTLS_ERR_SSL_INVALID_MAC);
+
+                return (ret);
+            }
+            auth_done++;
+
+            /* Double-check that AEAD decryption doesn't change content length. */
+            if (olen != rec->data_len) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+        } else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+            if (mode == MBEDTLS_MODE_CBC) {
+                size_t minlen = 0;
+
+                /*
+                 * Check immediate ciphertext sanity
+                 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                if (transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2) {
+                    /* The ciphertext is prefixed with the CBC IV. */
+                    minlen += transform->ivlen;
+                }
+#endif
+
+                /* Size considerations:
+                 *
+                 * - The CBC cipher text must not be empty and hence
+                 *   at least of size transform->ivlen.
+                 *
+                 * Together with the potential IV-prefix, this explains
+                 * the first of the two checks below.
+                 *
+                 * - The record must contain a MAC, either in plain or
+                 *   encrypted, depending on whether Encrypt-then-MAC
+                 *   is used or not.
+                 *   - If it is, the message contains the IV-prefix,
+                 *     the CBC ciphertext, and the MAC.
+                 *   - If it is not, the padded plaintext, and hence
+                 *     the CBC ciphertext, has at least length maclen + 1
+                 *     because there is at least the padding length byte.
+                 *
+                 * As the CBC ciphertext is not empty, both cases give the
+                 * lower bound minlen + maclen + 1 on the record size, which
+                 * we test for in the second check below.
+                 */
+                if (rec->data_len < minlen + transform->ivlen ||
+                        rec->data_len < minlen + transform->maclen + 1) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+                                              ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
+                                              "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
+                                              "+ 1 ) ( + expl IV )", rec->data_len,
+                                              transform->ivlen,
+                                              transform->maclen));
+                    return (MBEDTLS_ERR_SSL_INVALID_MAC);
+                }
+
+                /*
+                 * Authenticate before decrypt if enabled
+                 */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                if (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
+                    unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
+
+                    /* Update data_len in tandem with add_data.
+                     *
+                     * The subtraction is safe because of the previous check
+                     * data_len >= minlen + maclen + 1.
+                     *
+                     * Afterwards, we know that data + data_len is followed by at
+                     * least maclen Bytes, which justifies the call to
+                     * mbedtls_ssl_safer_memcmp() below.
+                     *
+                     * Further, we still know that data_len > minlen */
+                    rec->data_len -= transform->maclen;
+                    ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+                                                     transform->minor_ver);
+
+                    /* Calculate expected MAC. */
+                    MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
+                                          add_data_len);
+                    mbedtls_md_hmac_update(&transform->md_ctx_dec, add_data,
+                                           add_data_len);
+                    mbedtls_md_hmac_update(&transform->md_ctx_dec,
+                                           data, rec->data_len);
+                    mbedtls_md_hmac_finish(&transform->md_ctx_dec, mac_expect);
+                    mbedtls_md_hmac_reset(&transform->md_ctx_dec);
+
+                    MBEDTLS_SSL_DEBUG_BUF(4, "message  mac", data + rec->data_len,
+                                          transform->maclen);
+                    MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect,
+                                          transform->maclen);
+
+                    /* Compare expected MAC with MAC at the end of the record. */
+                    if (mbedtls_ssl_safer_memcmp(data + rec->data_len, mac_expect,
+                                                 transform->maclen) != 0) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
+                        return (MBEDTLS_ERR_SSL_INVALID_MAC);
+                    }
+                    auth_done++;
+                }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+                /*
+                 * Check length sanity
+                 */
+
+                /* We know from above that data_len > minlen >= 0,
+                 * so the following check in particular implies that
+                 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
+                if (rec->data_len % transform->ivlen != 0) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+                                              ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
+                                              rec->data_len, transform->ivlen));
+                    return (MBEDTLS_ERR_SSL_INVALID_MAC);
+                }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                /*
+                 * Initialize for prepended IV for block cipher in TLS v1.1 and up
+                 */
+                if (transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2) {
+                    /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
+                    memcpy(transform->iv_dec, data, transform->ivlen);
+
+                    data += transform->ivlen;
+                    rec->data_offset += transform->ivlen;
+                    rec->data_len -= transform->ivlen;
+                }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+                /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
+
+                if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
+                                                transform->iv_dec, transform->ivlen,
+                                                data, rec->data_len, data, &olen)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+                    return (ret);
+                }
+
+                /* Double-check that length hasn't changed during decryption. */
+                if (rec->data_len != olen) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+                if (transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2) {
+                    /*
+                     * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
+                     * records is equivalent to CBC decryption of the concatenation
+                     * of the records; in other words, IVs are maintained across
+                     * record decryptions.
+                     */
+                    memcpy(transform->iv_dec, transform->cipher_ctx_dec.iv,
+                           transform->ivlen);
+                }
+#endif
+
+                /* Safe since data_len >= minlen + maclen + 1, so after having
+                 * subtracted at most minlen and maclen up to this point,
+                 * data_len > 0 (because of data_len % ivlen == 0, it's actually
+                 * >= ivlen ). */
+                padlen = data[rec->data_len - 1];
+
+                if (auth_done == 1) {
+                    const size_t mask = mbedtls_ssl_cf_mask_ge(
+                                            rec->data_len,
+                                            padlen + 1);
+                    correct &= mask;
+                    padlen  &= mask;
+                } else {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                    if (rec->data_len < transform->maclen + padlen + 1) {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+                                                  ") < maclen (%" MBEDTLS_PRINTF_SIZET
+                                                  ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
+                                                  rec->data_len,
+                                                  transform->maclen,
+                                                  padlen + 1));
+                    }
+#endif
+
+                    const size_t mask = mbedtls_ssl_cf_mask_ge(
+                                            rec->data_len,
+                                            transform->maclen + padlen + 1);
+                    correct &= mask;
+                    padlen  &= mask;
+                }
+
+                padlen++;
+
+                /* Regardless of the validity of the padding,
+                 * we have data_len >= padlen here. */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+                if (transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+                    /* This is the SSL 3.0 path, we don't have to worry about Lucky
+                     * 13, because there's a strictly worse padding attack built in
+                     * the protocol (known as part of POODLE), so we don't care if the
+                     * code is not constant-time, in particular branches are OK. */
+                    if (padlen > transform->ivlen) {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("bad padding length: is %" MBEDTLS_PRINTF_SIZET ", "
+                                                  "should be no more than %" MBEDTLS_PRINTF_SIZET,
+                                                  padlen, transform->ivlen));
+#endif
+                        correct = 0;
+                    }
+                } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                    if (transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0) {
+                        /* The padding check involves a series of up to 256
+                         * consecutive memory reads at the end of the record
+                         * plaintext buffer. In order to hide the length and
+                         * validity of the padding, always perform exactly
+                         * `min(256,plaintext_len)` reads (but take into account
+                         * only the last `padlen` bytes for the padding check). */
+                        size_t pad_count = 0;
+                        volatile unsigned char *const check = data;
+
+                        /* Index of first padding byte; it has been ensured above
+                         * that the subtraction is safe. */
+                        size_t const padding_idx = rec->data_len - padlen;
+                        size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
+                        size_t const start_idx = rec->data_len - num_checks;
+                        size_t idx;
+
+                        for (idx = start_idx; idx < rec->data_len; idx++) {
+                            /* pad_count += (idx >= padding_idx) &&
+                             *              (check[idx] == padlen - 1);
+                             */
+                            const size_t mask = mbedtls_ssl_cf_mask_ge(idx, padding_idx);
+                            const size_t equal = mbedtls_ssl_cf_bool_eq(check[idx],
+                                                                        padlen - 1);
+                            pad_count += mask & equal;
+                        }
+                        correct &= mbedtls_ssl_cf_bool_eq(pad_count, padlen);
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                        if (padlen > 0 && correct == 0)
+                            MBEDTLS_SSL_DEBUG_MSG(1, ("bad padding byte detected"));
+#endif
+                        padlen &= mbedtls_ssl_cf_mask_from_bit(correct);
+                    } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                    }
+
+                /* If the padding was found to be invalid, padlen == 0
+                 * and the subtraction is safe. If the padding was found valid,
+                 * padlen hasn't been changed and the previous assertion
+                 * data_len >= padlen still holds. */
+                rec->data_len -= padlen;
+            } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    MBEDTLS_SSL_DEBUG_BUF(4, "raw buffer after decryption",
+                          data, rec->data_len);
+#endif
+
+    /*
+     * Authenticate if not done yet.
+     * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
+     */
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    if (auth_done == 0) {
+        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+        unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
+
+        /* If the initial value of padlen was such that
+         * data_len < maclen + padlen + 1, then padlen
+         * got reset to 1, and the initial check
+         * data_len >= minlen + maclen + 1
+         * guarantees that at this point we still
+         * have at least data_len >= maclen.
+         *
+         * If the initial value of padlen was such that
+         * data_len >= maclen + padlen + 1, then we have
+         * subtracted either padlen + 1 (if the padding was correct)
+         * or 0 (if the padding was incorrect) since then,
+         * hence data_len >= maclen in any case.
+         */
+        rec->data_len -= transform->maclen;
+        ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+                                         transform->minor_ver);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if (transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+            ssl_mac(&transform->md_ctx_dec,
+                    transform->mac_dec,
+                    data, rec->data_len,
+                    rec->ctr, rec->type,
+                    mac_expect);
+            memcpy(mac_peer, data + rec->data_len, transform->maclen);
+        } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0) {
+                /*
+                 * The next two sizes are the minimum and maximum values of
+                 * data_len over all padlen values.
+                 *
+                 * They're independent of padlen, since we previously did
+                 * data_len -= padlen.
+                 *
+                 * Note that max_len + maclen is never more than the buffer
+                 * length, as we previously did in_msglen -= maclen too.
+                 */
+                const size_t max_len = rec->data_len + padlen;
+                const size_t min_len = (max_len > 256) ? max_len - 256 : 0;
+
+                ret = mbedtls_ssl_cf_hmac(&transform->md_ctx_dec,
+                                          add_data, add_data_len,
+                                          data, rec->data_len, min_len, max_len,
+                                          mac_expect);
+                if (ret != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cf_hmac", ret);
+                    return (ret);
+                }
+
+                mbedtls_ssl_cf_memcpy_offset(mac_peer, data,
+                                             rec->data_len,
+                                             min_len, max_len,
+                                             transform->maclen);
+            } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+              MBEDTLS_SSL_PROTO_TLS1_2 */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+        MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect, transform->maclen);
+        MBEDTLS_SSL_DEBUG_BUF(4, "message  mac", mac_peer, transform->maclen);
+#endif
+
+        if (mbedtls_ssl_safer_memcmp(mac_peer, mac_expect,
+                                     transform->maclen) != 0) {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
+#endif
+            correct = 0;
+        }
+        auth_done++;
+    }
+
+    /*
+     * Finally check the correct flag
+     */
+    if (correct == 0)
+        return (MBEDTLS_ERR_SSL_INVALID_MAC);
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+
+    /* Make extra sure authentication was performed, exactly once */
+    if (auth_done != 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    if (transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4) {
+        /* Remove inner padding and infer true content type. */
+        ret = ssl_parse_inner_plaintext(data, &rec->data_len,
+                                        &rec->type);
+
+        if (ret != 0)
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    if (rec->cid_len != 0) {
+        ret = ssl_parse_inner_plaintext(data, &rec->data_len,
+                                        &rec->type);
+        if (ret != 0)
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= decrypt buf"));
+
+    return (0);
+}
+
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+/*
+ * Compression/decompression functions
+ */
+static int ssl_compress_buf(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *msg_post = ssl->out_msg;
+    ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
+    size_t len_pre = ssl->out_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t out_buf_len = ssl->out_buf_len;
+#else
+    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> compress buf"));
+
+    if (len_pre == 0)
+        return (0);
+
+    memcpy(msg_pre, ssl->out_msg, len_pre);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("before compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
+                              ssl->out_msglen));
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "before compression: output payload",
+                          ssl->out_msg, ssl->out_msglen);
+
+    ssl->transform_out->ctx_deflate.next_in = msg_pre;
+    ssl->transform_out->ctx_deflate.avail_in = len_pre;
+    ssl->transform_out->ctx_deflate.next_out = msg_post;
+    ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
+
+    ret = deflate(&ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH);
+    if (ret != Z_OK) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("failed to perform compression (%d)", ret));
+        return (MBEDTLS_ERR_SSL_COMPRESSION_FAILED);
+    }
+
+    ssl->out_msglen = out_buf_len -
+                      ssl->transform_out->ctx_deflate.avail_out - bytes_written;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("after compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
+                              ssl->out_msglen));
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "after compression: output payload",
+                          ssl->out_msg, ssl->out_msglen);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= compress buf"));
+
+    return (0);
+}
+
+static int ssl_decompress_buf(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *msg_post = ssl->in_msg;
+    ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
+    size_t len_pre = ssl->in_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t in_buf_len = ssl->in_buf_len;
+#else
+    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> decompress buf"));
+
+    if (len_pre == 0)
+        return (0);
+
+    memcpy(msg_pre, ssl->in_msg, len_pre);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("before decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
+                              ssl->in_msglen));
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "before decompression: input payload",
+                          ssl->in_msg, ssl->in_msglen);
+
+    ssl->transform_in->ctx_inflate.next_in = msg_pre;
+    ssl->transform_in->ctx_inflate.avail_in = len_pre;
+    ssl->transform_in->ctx_inflate.next_out = msg_post;
+    ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
+
+    ret = inflate(&ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH);
+    if (ret != Z_OK) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("failed to perform decompression (%d)", ret));
+        return (MBEDTLS_ERR_SSL_COMPRESSION_FAILED);
+    }
+
+    ssl->in_msglen = in_buf_len -
+                     ssl->transform_in->ctx_inflate.avail_out - header_bytes;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("after decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
+                              ssl->in_msglen));
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "after decompression: input payload",
+                          ssl->in_msg, ssl->in_msglen);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= decompress buf"));
+
+    return (0);
+}
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+/*
+ * Fill the input message buffer by appending data to it.
+ * The amount of data already fetched is in ssl->in_left.
+ *
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are
+ * available (from this read and/or a previous one). Otherwise, an error code
+ * is returned (possibly EOF or WANT_READ).
+ *
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
+ * since we always read a whole datagram at once.
+ *
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when
+ * they're done reading a record.
+ */
+int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t in_buf_len = ssl->in_buf_len;
+#else
+    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> fetch input"));
+
+    if (ssl->f_recv == NULL && ssl->f_recv_timeout == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "
+                                  "or mbedtls_ssl_set_bio()"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    if (nb_want > in_buf_len - (size_t)(ssl->in_hdr - ssl->in_buf)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("requesting more data than fits"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        uint32_t timeout;
+
+        /*
+         * The point is, we need to always read a full datagram at once, so we
+         * sometimes read more then requested, and handle the additional data.
+         * It could be the rest of the current record (while fetching the
+         * header) and/or some other records in the same datagram.
+         */
+
+        /*
+         * Move to the next record in the already read datagram if applicable
+         */
+        if (ssl->next_record_offset != 0) {
+            if (ssl->in_left < ssl->next_record_offset) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+            ssl->in_left -= ssl->next_record_offset;
+
+            if (ssl->in_left != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("next record in same datagram, offset: %"
+                                          MBEDTLS_PRINTF_SIZET,
+                                          ssl->next_record_offset));
+                memmove(ssl->in_hdr,
+                        ssl->in_hdr + ssl->next_record_offset,
+                        ssl->in_left);
+            }
+
+            ssl->next_record_offset = 0;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+                                  ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+                                  ssl->in_left, nb_want));
+
+        /*
+         * Done if we already have enough data.
+         */
+        if (nb_want <= ssl->in_left) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
+            return (0);
+        }
+
+        /*
+         * A record can't be split across datagrams. If we need to read but
+         * are not at the beginning of a new record, the caller did something
+         * wrong.
+         */
+        if (ssl->in_left != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+        /*
+         * Don't even try to read if time's out already.
+         * This avoids by-passing the timer when repeatedly receiving messages
+         * that will end up being dropped.
+         */
+        if (mbedtls_ssl_check_timer(ssl) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("timer has expired"));
+            ret = MBEDTLS_ERR_SSL_TIMEOUT;
+        } else {
+            len = in_buf_len - (ssl->in_hdr - ssl->in_buf);
+
+            if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER)
+                timeout = ssl->handshake->retransmit_timeout;
+            else
+                timeout = ssl->conf->read_timeout;
+
+            MBEDTLS_SSL_DEBUG_MSG(3, ("f_recv_timeout: %lu ms", (unsigned long) timeout));
+
+            if (ssl->f_recv_timeout != NULL)
+                ret = ssl->f_recv_timeout(ssl->p_bio, ssl->in_hdr, len,
+                                          timeout);
+            else
+                ret = ssl->f_recv(ssl->p_bio, ssl->in_hdr, len);
+
+            MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
+
+            if (ret == 0)
+                return (MBEDTLS_ERR_SSL_CONN_EOF);
+        }
+
+        if (ret == MBEDTLS_ERR_SSL_TIMEOUT) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("timeout"));
+            mbedtls_ssl_set_timer(ssl, 0);
+
+            if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+                if (ssl_double_retransmit_timeout(ssl) != 0) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("handshake timeout"));
+                    return (MBEDTLS_ERR_SSL_TIMEOUT);
+                }
+
+                if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
+                    return (ret);
+                }
+
+                return (MBEDTLS_ERR_SSL_WANT_READ);
+            }
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+            else if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                     ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+                if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
+                                          ret);
+                    return (ret);
+                }
+
+                return (MBEDTLS_ERR_SSL_WANT_READ);
+            }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+        }
+
+        if (ret < 0)
+            return (ret);
+
+        ssl->in_left = ret;
+    } else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+                                  ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+                                  ssl->in_left, nb_want));
+
+        while (ssl->in_left < nb_want) {
+            len = nb_want - ssl->in_left;
+
+            if (mbedtls_ssl_check_timer(ssl) != 0)
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else {
+                if (ssl->f_recv_timeout != NULL) {
+                    ret = ssl->f_recv_timeout(ssl->p_bio,
+                                              ssl->in_hdr + ssl->in_left, len,
+                                              ssl->conf->read_timeout);
+                } else {
+                    ret = ssl->f_recv(ssl->p_bio,
+                                      ssl->in_hdr + ssl->in_left, len);
+                }
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+                                      ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+                                      ssl->in_left, nb_want));
+            MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
+
+            if (ret == 0)
+                return (MBEDTLS_ERR_SSL_CONN_EOF);
+
+            if (ret < 0)
+                return (ret);
+
+            if ((size_t)ret > len || (INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX)) {
+                MBEDTLS_SSL_DEBUG_MSG(1,
+                                      ("f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
+                                       ret, len));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+            ssl->in_left += ret;
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
+
+    return (0);
+}
+
+/*
+ * Flush any data not yet written
+ */
+int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *buf;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> flush output"));
+
+    if (ssl->f_send == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "
+                                  "or mbedtls_ssl_set_bio()"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    /* Avoid incrementing counter if data is flushed */
+    if (ssl->out_left == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
+        return (0);
+    }
+
+    while (ssl->out_left > 0) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("message length: %" MBEDTLS_PRINTF_SIZET
+                                  ", out_left: %" MBEDTLS_PRINTF_SIZET,
+                                  mbedtls_ssl_out_hdr_len(ssl) + ssl->out_msglen, ssl->out_left));
+
+        buf = ssl->out_hdr - ssl->out_left;
+        ret = ssl->f_send(ssl->p_bio, buf, ssl->out_left);
+
+        MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", ret);
+
+        if (ret <= 0)
+            return (ret);
+
+        if ((size_t)ret > ssl->out_left || (INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX)) {
+            MBEDTLS_SSL_DEBUG_MSG(1,
+                                  ("f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
+                                   ret, ssl->out_left));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+        ssl->out_left -= ret;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        ssl->out_hdr = ssl->out_buf;
+    } else
+#endif
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+    }
+    mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
+
+    return (0);
+}
+
+/*
+ * Functions to handle the DTLS retransmission state machine
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Append current handshake message to current outgoing flight
+ */
+static int ssl_flight_append(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_flight_item *msg;
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_flight_append"));
+    MBEDTLS_SSL_DEBUG_BUF(4, "message appended to flight",
+                          ssl->out_msg, ssl->out_msglen);
+
+    /* Allocate space for current message */
+    if ((msg = mbedtls_calloc(1, sizeof(mbedtls_ssl_flight_item))) == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
+                                  sizeof(mbedtls_ssl_flight_item)));
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    if ((msg->p = mbedtls_calloc(1, ssl->out_msglen)) == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
+                                  ssl->out_msglen));
+        mbedtls_free(msg);
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    /* Copy current handshake message with headers */
+    memcpy(msg->p, ssl->out_msg, ssl->out_msglen);
+    msg->len = ssl->out_msglen;
+    msg->type = ssl->out_msgtype;
+    msg->next = NULL;
+
+    /* Append to the current flight */
+    if (ssl->handshake->flight == NULL)
+        ssl->handshake->flight = msg;
+    else {
+        mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
+        while (cur->next != NULL)
+            cur = cur->next;
+        cur->next = msg;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_flight_append"));
+    return (0);
+}
+
+/*
+ * Free the current flight of handshake messages
+ */
+void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight) {
+    mbedtls_ssl_flight_item *cur = flight;
+    mbedtls_ssl_flight_item *next;
+
+    while (cur != NULL) {
+        next = cur->next;
+
+        mbedtls_free(cur->p);
+        mbedtls_free(cur);
+
+        cur = next;
+    }
+}
+
+/*
+ * Swap transform_out and out_ctr with the alternative ones
+ */
+static int ssl_swap_epochs(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_transform *tmp_transform;
+    unsigned char tmp_out_ctr[8];
+
+    if (ssl->transform_out == ssl->handshake->alt_transform_out) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("skip swap epochs"));
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("swap epochs"));
+
+    /* Swap transforms */
+    tmp_transform                     = ssl->transform_out;
+    ssl->transform_out                = ssl->handshake->alt_transform_out;
+    ssl->handshake->alt_transform_out = tmp_transform;
+
+    /* Swap epoch + sequence_number */
+    memcpy(tmp_out_ctr,                 ssl->cur_out_ctr,            8);
+    memcpy(ssl->cur_out_ctr,            ssl->handshake->alt_out_ctr, 8);
+    memcpy(ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8);
+
+    /* Adjust to the newly activated transform */
+    mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_activate != NULL) {
+        int ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+    }
+#endif
+
+    return (0);
+}
+
+/*
+ * Retransmit the current flight of messages.
+ */
+int mbedtls_ssl_resend(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_resend"));
+
+    ret = mbedtls_ssl_flight_transmit(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_resend"));
+
+    return (ret);
+}
+
+/*
+ * Transmit or retransmit the current flight of messages.
+ *
+ * Need to remember the current message in case flush_output returns
+ * WANT_WRITE, causing us to exit this function and come back later.
+ * This function must be called until state is no longer SENDING.
+ */
+int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_flight_transmit"));
+
+    if (ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("initialise flight transmission"));
+
+        ssl->handshake->cur_msg = ssl->handshake->flight;
+        ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
+        ret = ssl_swap_epochs(ssl);
+        if (ret != 0)
+            return (ret);
+
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
+    }
+
+    while (ssl->handshake->cur_msg != NULL) {
+        size_t max_frag_len;
+        const mbedtls_ssl_flight_item *const cur = ssl->handshake->cur_msg;
+
+        int const is_finished =
+            (cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+             cur->p[0] == MBEDTLS_SSL_HS_FINISHED);
+
+        uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
+                                    SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
+
+        /* Swap epochs before sending Finished: we can't do it after
+         * sending ChangeCipherSpec, in case write returns WANT_READ.
+         * Must be done before copying, may change out_msg pointer */
+        if (is_finished && ssl->handshake->cur_msg_p == (cur->p + 12)) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("swap epochs to send finished message"));
+            ret = ssl_swap_epochs(ssl);
+            if (ret != 0)
+                return (ret);
+        }
+
+        ret = ssl_get_remaining_payload_in_datagram(ssl);
+        if (ret < 0)
+            return (ret);
+        max_frag_len = (size_t) ret;
+
+        /* CCS is copied as is, while HS messages may need fragmentation */
+        if (cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+            if (max_frag_len == 0) {
+                if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+                    return (ret);
+
+                continue;
+            }
+
+            memcpy(ssl->out_msg, cur->p, cur->len);
+            ssl->out_msglen  = cur->len;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur->len;
+        } else {
+            const unsigned char *const p = ssl->handshake->cur_msg_p;
+            const size_t hs_len = cur->len - 12;
+            const size_t frag_off = p - (cur->p + 12);
+            const size_t rem_len = hs_len - frag_off;
+            size_t cur_hs_frag_len, max_hs_frag_len;
+
+            if ((max_frag_len < 12) || (max_frag_len == 12 && hs_len != 0)) {
+                if (is_finished) {
+                    ret = ssl_swap_epochs(ssl);
+                    if (ret != 0)
+                        return (ret);
+                }
+
+                if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+                    return (ret);
+
+                continue;
+            }
+            max_hs_frag_len = max_frag_len - 12;
+
+            cur_hs_frag_len = rem_len > max_hs_frag_len ?
+                              max_hs_frag_len : rem_len;
+
+            if (frag_off == 0 && cur_hs_frag_len != hs_len) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("fragmenting handshake message (%u > %u)",
+                                          (unsigned) cur_hs_frag_len,
+                                          (unsigned) max_hs_frag_len));
+            }
+
+            /* Messages are stored with handshake headers as if not fragmented,
+             * copy beginning of headers then fill fragmentation fields.
+             * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
+            memcpy(ssl->out_msg, cur->p, 6);
+
+            ssl->out_msg[6] = ((frag_off >> 16) & 0xff);
+            ssl->out_msg[7] = ((frag_off >>  8) & 0xff);
+            ssl->out_msg[8] = ((frag_off) & 0xff);
+
+            ssl->out_msg[ 9] = ((cur_hs_frag_len >> 16) & 0xff);
+            ssl->out_msg[10] = ((cur_hs_frag_len >>  8) & 0xff);
+            ssl->out_msg[11] = ((cur_hs_frag_len) & 0xff);
+
+            MBEDTLS_SSL_DEBUG_BUF(3, "handshake header", ssl->out_msg, 12);
+
+            /* Copy the handshake message content and set records fields */
+            memcpy(ssl->out_msg + 12, p, cur_hs_frag_len);
+            ssl->out_msglen = cur_hs_frag_len + 12;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur_hs_frag_len;
+        }
+
+        /* If done with the current message move to the next one if any */
+        if (ssl->handshake->cur_msg_p >= cur->p + cur->len) {
+            if (cur->next != NULL) {
+                ssl->handshake->cur_msg = cur->next;
+                ssl->handshake->cur_msg_p = cur->next->p + 12;
+            } else {
+                ssl->handshake->cur_msg = NULL;
+                ssl->handshake->cur_msg_p = NULL;
+            }
+        }
+
+        /* Actually send the message out */
+        if ((ret = mbedtls_ssl_write_record(ssl, force_flush)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+            return (ret);
+        }
+    }
+
+    if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+        return (ret);
+
+    /* Update state and set timer */
+    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER)
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    else {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+        mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_flight_transmit"));
+
+    return (0);
+}
+
+/*
+ * To be called when the last message of an incoming flight is received.
+ */
+void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl) {
+    /* We won't need to resend that one any more */
+    mbedtls_ssl_flight_free(ssl->handshake->flight);
+    ssl->handshake->flight = NULL;
+    ssl->handshake->cur_msg = NULL;
+
+    /* The next incoming flight will start with this msg_seq */
+    ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
+
+    /* We don't want to remember CCS's across flight boundaries. */
+    ssl->handshake->buffering.seen_ccs = 0;
+
+    /* Clear future message buffering structure. */
+    mbedtls_ssl_buffering_free(ssl);
+
+    /* Cancel timer */
+    mbedtls_ssl_set_timer(ssl, 0);
+
+    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    } else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+}
+
+/*
+ * To be called when the last message of an outgoing flight is send.
+ */
+void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl) {
+    ssl_reset_retransmit_timeout(ssl);
+    mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
+
+    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    } else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Handshake layer functions
+ */
+
+/*
+ * Write (DTLS: or queue) current handshake (including CCS) message.
+ *
+ *  - fill in handshake headers
+ *  - update handshake checksum
+ *  - DTLS: save message for resending
+ *  - then pass to the record layer
+ *
+ * DTLS: except for HelloRequest, messages are only queued, and will only be
+ * actually sent when calling flight_transmit() or resend().
+ *
+ * Inputs:
+ *  - ssl->out_msglen: 4 + actual handshake message len
+ *      (4 is the size of handshake headers for TLS)
+ *  - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
+ *  - ssl->out_msg + 4: the handshake message body
+ *
+ * Outputs, ie state before passing to flight_append() or write_record():
+ *   - ssl->out_msglen: the length of the record contents
+ *      (including handshake headers but excluding record headers)
+ *   - ssl->out_msg: the record contents (handshake headers + content)
+ */
+int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const size_t hs_len = ssl->out_msglen - 4;
+    const unsigned char hs_type = ssl->out_msg[0];
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
+
+    /*
+     * Sanity checks
+     */
+    if (ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE          &&
+            ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+        /* In SSLv3, the client might send a NoCertificate alert. */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+        if (!(ssl->minor_ver      == MBEDTLS_SSL_MINOR_VERSION_0 &&
+                ssl->out_msgtype    == MBEDTLS_SSL_MSG_ALERT       &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT))
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+    }
+
+    /* Whenever we send anything different from a
+     * HelloRequest we should be in a handshake - double check. */
+    if (!(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST) &&
+            ssl->handshake == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake != NULL &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+#endif
+
+    /* Double-check that we did not exceed the bounds
+     * of the outgoing record buffer.
+     * This should never fail as the various message
+     * writing functions must obey the bounds of the
+     * outgoing record buffer, but better be safe.
+     *
+     * Note: We deliberately do not check for the MTU or MFL here.
+     */
+    if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
+                                  "size %" MBEDTLS_PRINTF_SIZET
+                                  ", maximum %" MBEDTLS_PRINTF_SIZET,
+                                  ssl->out_msglen,
+                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    /*
+     * Fill handshake headers
+     */
+    if (ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+        ssl->out_msg[1] = (unsigned char)(hs_len >> 16);
+        ssl->out_msg[2] = (unsigned char)(hs_len >>  8);
+        ssl->out_msg[3] = (unsigned char)(hs_len);
+
+        /*
+         * DTLS has additional fields in the Handshake layer,
+         * between the length field and the actual payload:
+         *      uint16 message_seq;
+         *      uint24 fragment_offset;
+         *      uint24 fragment_length;
+         */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            /* Make room for the additional DTLS fields */
+            if (MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS handshake message too large: "
+                                          "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
+                                          hs_len,
+                                          (size_t)(MBEDTLS_SSL_OUT_CONTENT_LEN - 12)));
+                return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+            }
+
+            memmove(ssl->out_msg + 12, ssl->out_msg + 4, hs_len);
+            ssl->out_msglen += 8;
+
+            /* Write message_seq and update it, except for HelloRequest */
+            if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST) {
+                ssl->out_msg[4] = (ssl->handshake->out_msg_seq >> 8) & 0xFF;
+                ssl->out_msg[5] = (ssl->handshake->out_msg_seq) & 0xFF;
+                ++(ssl->handshake->out_msg_seq);
+            } else {
+                ssl->out_msg[4] = 0;
+                ssl->out_msg[5] = 0;
+            }
+
+            /* Handshake hashes are computed without fragmentation,
+             * so set frag_offset = 0 and frag_len = hs_len for now */
+            memset(ssl->out_msg + 6, 0x00, 3);
+            memcpy(ssl->out_msg + 9, ssl->out_msg + 1, 3);
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        /* Update running hashes of handshake messages seen */
+        if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST)
+            ssl->handshake->update_checksum(ssl, ssl->out_msg, ssl->out_msglen);
+    }
+
+    /* Either send now, or just save to be sent (and resent) later */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            !(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+              hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST)) {
+        if ((ret = ssl_flight_append(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_flight_append", ret);
+            return (ret);
+        }
+    } else
+#endif
+    {
+        if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_record", ret);
+            return (ret);
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write handshake message"));
+
+    return (0);
+}
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ *
+ * Uses:
+ *  - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
+ *  - ssl->out_msglen: length of the record content (excl headers)
+ *  - ssl->out_msg: record content
+ */
+int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush) {
+    int ret, done = 0;
+    size_t len = ssl->out_msglen;
+    uint8_t flush = force_flush;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write record"));
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (ssl->transform_out != NULL &&
+            ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE) {
+        if ((ret = ssl_compress_buf(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_compress_buf", ret);
+            return (ret);
+        }
+
+        len = ssl->out_msglen;
+    }
+#endif /*MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_write != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_write()"));
+
+        ret = mbedtls_ssl_hw_record_write(ssl);
+        if (ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_write", ret);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+
+        if (ret == 0)
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if (!done) {
+        unsigned i;
+        size_t protected_record_size;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+        size_t out_buf_len = ssl->out_buf_len;
+#else
+        size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+        /* Skip writing the record content type to after the encryption,
+         * as it may change when using the CID extension. */
+
+        mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
+                                  ssl->conf->transport, ssl->out_hdr + 1);
+
+        memcpy(ssl->out_ctr, ssl->cur_out_ctr, 8);
+        ssl->out_len[0] = (unsigned char)(len >> 8);
+        ssl->out_len[1] = (unsigned char)(len);
+
+        if (ssl->transform_out != NULL) {
+            mbedtls_record rec;
+
+            rec.buf         = ssl->out_iv;
+            rec.buf_len     = out_buf_len - (ssl->out_iv - ssl->out_buf);
+            rec.data_len    = ssl->out_msglen;
+            rec.data_offset = ssl->out_msg - rec.buf;
+
+            memcpy(&rec.ctr[0], ssl->out_ctr, 8);
+            mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
+                                      ssl->conf->transport, rec.ver);
+            rec.type = ssl->out_msgtype;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+            /* The CID is set by mbedtls_ssl_encrypt_buf(). */
+            rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+            if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec,
+                                               ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
+                return (ret);
+            }
+
+            if (rec.data_offset != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+            /* Update the record content type and CID. */
+            ssl->out_msgtype = rec.type;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
+            memcpy(ssl->out_cid, rec.cid, rec.cid_len);
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+            ssl->out_msglen = len = rec.data_len;
+            ssl->out_len[0] = (unsigned char)(rec.data_len >> 8);
+            ssl->out_len[1] = (unsigned char)(rec.data_len);
+        }
+
+        protected_record_size = len + mbedtls_ssl_out_hdr_len(ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* In case of DTLS, double-check that we don't exceed
+         * the remaining space in the datagram. */
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            ret = ssl_get_remaining_space_in_datagram(ssl);
+            if (ret < 0)
+                return (ret);
+
+            if (protected_record_size > (size_t) ret) {
+                /* Should never happen */
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        /* Now write the potentially updated record content type. */
+        ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
+
+        MBEDTLS_SSL_DEBUG_MSG(3, ("output record: msgtype = %u, "
+                                  "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
+                                  ssl->out_hdr[0], ssl->out_hdr[1],
+                                  ssl->out_hdr[2], len));
+
+        MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
+                              ssl->out_hdr, protected_record_size);
+
+        ssl->out_left += protected_record_size;
+        ssl->out_hdr  += protected_record_size;
+        mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+        for (i = 8; i > mbedtls_ssl_ep_len(ssl); i--)
+            if (++ssl->cur_out_ctr[i - 1] != 0)
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if (i == mbedtls_ssl_ep_len(ssl)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("outgoing message counter would wrap"));
+            return (MBEDTLS_ERR_SSL_COUNTER_WRAPPING);
+        }
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            flush == SSL_DONT_FORCE_FLUSH) {
+        size_t remaining;
+        ret = ssl_get_remaining_payload_in_datagram(ssl);
+        if (ret < 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_remaining_payload_in_datagram",
+                                  ret);
+            return (ret);
+        }
+
+        remaining = (size_t) ret;
+        if (remaining == 0) {
+            flush = SSL_FORCE_FLUSH;
+        } else {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("Still %u bytes available in current datagram", (unsigned) remaining));
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if ((flush == SSL_FORCE_FLUSH) &&
+            (ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write record"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static int ssl_hs_is_proper_fragment(mbedtls_ssl_context *ssl) {
+    if (ssl->in_msglen < ssl->in_hslen ||
+            memcmp(ssl->in_msg + 6, "\0\0\0",        3) != 0 ||
+            memcmp(ssl->in_msg + 9, ssl->in_msg + 1, 3) != 0) {
+        return (1);
+    }
+    return (0);
+}
+
+static uint32_t ssl_get_hs_frag_len(mbedtls_ssl_context const *ssl) {
+    return ((ssl->in_msg[9] << 16) |
+            (ssl->in_msg[10] << 8) |
+            ssl->in_msg[11]);
+}
+
+static uint32_t ssl_get_hs_frag_off(mbedtls_ssl_context const *ssl) {
+    return ((ssl->in_msg[6] << 16) |
+            (ssl->in_msg[7] << 8) |
+            ssl->in_msg[8]);
+}
+
+static int ssl_check_hs_header(mbedtls_ssl_context const *ssl) {
+    uint32_t msg_len, frag_off, frag_len;
+
+    msg_len  = ssl_get_hs_total_len(ssl);
+    frag_off = ssl_get_hs_frag_off(ssl);
+    frag_len = ssl_get_hs_frag_len(ssl);
+
+    if (frag_off > msg_len)
+        return (-1);
+
+    if (frag_len > msg_len - frag_off)
+        return (-1);
+
+    if (frag_len + 12 > ssl->in_msglen)
+        return (-1);
+
+    return (0);
+}
+
+/*
+ * Mark bits in bitmask (used for DTLS HS reassembly)
+ */
+static void ssl_bitmask_set(unsigned char *mask, size_t offset, size_t len) {
+    unsigned int start_bits, end_bits;
+
+    start_bits = 8 - (offset % 8);
+    if (start_bits != 8) {
+        size_t first_byte_idx = offset / 8;
+
+        /* Special case */
+        if (len <= start_bits) {
+            for (; len != 0; len--)
+                mask[first_byte_idx] |= 1 << (start_bits - len);
+
+            /* Avoid potential issues with offset or len becoming invalid */
+            return;
+        }
+
+        offset += start_bits; /* Now offset % 8 == 0 */
+        len -= start_bits;
+
+        for (; start_bits != 0; start_bits--)
+            mask[first_byte_idx] |= 1 << (start_bits - 1);
+    }
+
+    end_bits = len % 8;
+    if (end_bits != 0) {
+        size_t last_byte_idx = (offset + len) / 8;
+
+        len -= end_bits; /* Now len % 8 == 0 */
+
+        for (; end_bits != 0; end_bits--)
+            mask[last_byte_idx] |= 1 << (8 - end_bits);
+    }
+
+    memset(mask + offset / 8, 0xFF, len / 8);
+}
+
+/*
+ * Check that bitmask is full
+ */
+static int ssl_bitmask_check(unsigned char *mask, size_t len) {
+    size_t i;
+
+    for (i = 0; i < len / 8; i++)
+        if (mask[i] != 0xFF)
+            return (-1);
+
+    for (i = 0; i < len % 8; i++)
+        if ((mask[len / 8] & (1 << (7 - i))) == 0)
+            return (-1);
+
+    return (0);
+}
+
+/* msg_len does not include the handshake header */
+static size_t ssl_get_reassembly_buffer_size(size_t msg_len,
+                                             unsigned add_bitmap) {
+    size_t alloc_len;
+
+    alloc_len  = 12;                                 /* Handshake header */
+    alloc_len += msg_len;                            /* Content buffer   */
+
+    if (add_bitmap)
+        alloc_len += msg_len / 8 + (msg_len % 8 != 0);   /* Bitmap       */
+
+    return (alloc_len);
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) {
+    return ((ssl->in_msg[1] << 16) |
+            (ssl->in_msg[2] << 8) |
+            ssl->in_msg[3]);
+}
+
+int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) {
+    if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
+                                  ssl->in_msglen));
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
+                              " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
+                              ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        unsigned int recv_msg_seq = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
+
+        if (ssl_check_hs_header(ssl) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid handshake header"));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+        if (ssl->handshake != NULL &&
+                ((ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
+                  recv_msg_seq != ssl->handshake->in_msg_seq) ||
+                 (ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                  ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO))) {
+            if (recv_msg_seq > ssl->handshake->in_msg_seq) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("received future handshake message of sequence number %u (next %u)",
+                                          recv_msg_seq,
+                                          ssl->handshake->in_msg_seq));
+                return (MBEDTLS_ERR_SSL_EARLY_MESSAGE);
+            }
+
+            /* Retransmit only on last message from previous flight, to avoid
+             * too many retransmissions.
+             * Besides, No sane server ever retransmits HelloVerifyRequest */
+            if (recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
+                    ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("received message from last flight, "
+                                          "message_seq = %u, start_of_flight = %u",
+                                          recv_msg_seq,
+                                          ssl->handshake->in_flight_start_seq));
+
+                if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
+                    return (ret);
+                }
+            } else {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("dropping out-of-sequence message: "
+                                          "message_seq = %u, expected = %u",
+                                          recv_msg_seq,
+                                          ssl->handshake->in_msg_seq));
+            }
+
+            return (MBEDTLS_ERR_SSL_CONTINUE_PROCESSING);
+        }
+        /* Wait until message completion to increment in_msg_seq */
+
+        /* Message reassembly is handled alongside buffering of future
+         * messages; the commonality is that both handshake fragments and
+         * future messages cannot be forwarded immediately to the
+         * handshake logic layer. */
+        if (ssl_hs_is_proper_fragment(ssl) == 1) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("found fragmented DTLS handshake message"));
+            return (MBEDTLS_ERR_SSL_EARLY_MESSAGE);
+        }
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        /* With TLS we don't handle fragmentation (for now) */
+        if (ssl->in_msglen < ssl->in_hslen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
+            return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+        }
+
+    return (0);
+}
+
+void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+
+    if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL) {
+        ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
+    }
+
+    /* Handshake message is complete, increment counter */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake != NULL) {
+        unsigned offset;
+        mbedtls_ssl_hs_buffer *hs_buf;
+
+        /* Increment handshake sequence number */
+        hs->in_msg_seq++;
+
+        /*
+         * Clear up handshake buffering and reassembly structure.
+         */
+
+        /* Free first entry */
+        ssl_buffering_free_slot(ssl, 0);
+
+        /* Shift all other entries */
+        for (offset = 0, hs_buf = &hs->buffering.hs[0];
+                offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
+                offset++, hs_buf++) {
+            *hs_buf = *(hs_buf + 1);
+        }
+
+        /* Create a fresh last entry */
+        memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
+    }
+#endif
+}
+
+/*
+ * DTLS anti-replay: RFC 6347 4.1.2.6
+ *
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
+ * Bit n is set iff record number in_window_top - n has been seen.
+ *
+ * Usually, in_window_top is the last record number seen and the lsb of
+ * in_window is set. The only exception is the initial state (record number 0
+ * not seen yet).
+ */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl) {
+    ssl->in_window_top = 0;
+    ssl->in_window = 0;
+}
+
+static inline uint64_t ssl_load_six_bytes(unsigned char *buf) {
+    return (((uint64_t) buf[0] << 40) |
+            ((uint64_t) buf[1] << 32) |
+            ((uint64_t) buf[2] << 24) |
+            ((uint64_t) buf[3] << 16) |
+            ((uint64_t) buf[4] <<  8) |
+            ((uint64_t) buf[5]));
+}
+
+static int mbedtls_ssl_dtls_record_replay_check(mbedtls_ssl_context *ssl, uint8_t *record_in_ctr) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *original_in_ctr;
+
+    // save original in_ctr
+    original_in_ctr = ssl->in_ctr;
+
+    // use counter from record
+    ssl->in_ctr = record_in_ctr;
+
+    ret = mbedtls_ssl_dtls_replay_check((mbedtls_ssl_context const *) ssl);
+
+    // restore the counter
+    ssl->in_ctr = original_in_ctr;
+
+    return ret;
+}
+
+/*
+ * Return 0 if sequence number is acceptable, -1 otherwise
+ */
+int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl) {
+    uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
+    uint64_t bit;
+
+    if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED)
+        return (0);
+
+    if (rec_seqnum > ssl->in_window_top)
+        return (0);
+
+    bit = ssl->in_window_top - rec_seqnum;
+
+    if (bit >= 64)
+        return (-1);
+
+    if ((ssl->in_window & ((uint64_t) 1 << bit)) != 0)
+        return (-1);
+
+    return (0);
+}
+
+/*
+ * Update replay window on new validated record
+ */
+void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl) {
+    uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
+
+    if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED)
+        return;
+
+    if (rec_seqnum > ssl->in_window_top) {
+        /* Update window_top and the contents of the window */
+        uint64_t shift = rec_seqnum - ssl->in_window_top;
+
+        if (shift >= 64)
+            ssl->in_window = 1;
+        else {
+            ssl->in_window <<= shift;
+            ssl->in_window |= 1;
+        }
+
+        ssl->in_window_top = rec_seqnum;
+    } else {
+        /* Mark that number as seen in the current window */
+        uint64_t bit = ssl->in_window_top - rec_seqnum;
+
+        if (bit < 64)  /* Always true, but be extra sure */
+            ssl->in_window |= (uint64_t) 1 << bit;
+    }
+}
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Without any SSL context, check if a datagram looks like a ClientHello with
+ * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * Both input and output include full DTLS headers.
+ *
+ * - if cookie is valid, return 0
+ * - if ClientHello looks superficially valid but cookie is not,
+ *   fill obuf and set olen, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - otherwise return a specific error code
+ */
+static int ssl_check_dtls_clihlo_cookie(
+    mbedtls_ssl_cookie_write_t *f_cookie_write,
+    mbedtls_ssl_cookie_check_t *f_cookie_check,
+    void *p_cookie,
+    const unsigned char *cli_id, size_t cli_id_len,
+    const unsigned char *in, size_t in_len,
+    unsigned char *obuf, size_t buf_len, size_t *olen) {
+    size_t sid_len, cookie_len;
+    unsigned char *p;
+
+    /*
+     * Structure of ClientHello with record and handshake headers,
+     * and expected values. We don't need to check a lot, more checks will be
+     * done when actually parsing the ClientHello - skipping those checks
+     * avoids code duplication and does not make cookie forging any easier.
+     *
+     *  0-0  ContentType type;                  copied, must be handshake
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied, must be 0
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     (ignored)
+     *
+     * 13-13 HandshakeType msg_type;            (ignored)
+     * 14-16 uint24 length;                     (ignored)
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied, must be 0
+     * 22-24 uint24 fragment_length;            (ignored)
+     *
+     * 25-26 ProtocolVersion client_version;    (ignored)
+     * 27-58 Random random;                     (ignored)
+     * 59-xx SessionID session_id;              1 byte len + sid_len content
+     * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
+     *       ...
+     *
+     * Minimum length is 61 bytes.
+     */
+    if (in_len < 61 ||
+            in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
+            in[3] != 0 || in[4] != 0 ||
+            in[19] != 0 || in[20] != 0 || in[21] != 0) {
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    sid_len = in[59];
+    if (sid_len > in_len - 61)
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+
+    cookie_len = in[60 + sid_len];
+    if (cookie_len > in_len - 60)
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+
+    if (f_cookie_check(p_cookie, in + sid_len + 61, cookie_len,
+                       cli_id, cli_id_len) == 0) {
+        /* Valid cookie */
+        return (0);
+    }
+
+    /*
+     * If we get here, we've got an invalid cookie, let's prepare HVR.
+     *
+     *  0-0  ContentType type;                  copied
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     olen - 13
+     *
+     * 13-13 HandshakeType msg_type;            hello_verify_request
+     * 14-16 uint24 length;                     olen - 25
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied
+     * 22-24 uint24 fragment_length;            olen - 25
+     *
+     * 25-26 ProtocolVersion server_version;    0xfe 0xff
+     * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
+     *
+     * Minimum length is 28.
+     */
+    if (buf_len < 28)
+        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+
+    /* Copy most fields and adapt others */
+    memcpy(obuf, in, 25);
+    obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+    obuf[25] = 0xfe;
+    obuf[26] = 0xff;
+
+    /* Generate and write actual cookie */
+    p = obuf + 28;
+    if (f_cookie_write(p_cookie,
+                       &p, obuf + buf_len, cli_id, cli_id_len) != 0) {
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    *olen = p - obuf;
+
+    /* Go back and fill length fields */
+    obuf[27] = (unsigned char)(*olen - 28);
+
+    obuf[14] = obuf[22] = (unsigned char)((*olen - 25) >> 16);
+    obuf[15] = obuf[23] = (unsigned char)((*olen - 25) >>  8);
+    obuf[16] = obuf[24] = (unsigned char)((*olen - 25));
+
+    obuf[11] = (unsigned char)((*olen - 13) >>  8);
+    obuf[12] = (unsigned char)((*olen - 13));
+
+    return (MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED);
+}
+
+/*
+ * Handle possible client reconnect with the same UDP quadruplet
+ * (RFC 6347 Section 4.2.8).
+ *
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record
+ * that looks like a ClientHello.
+ *
+ * - if the input looks like a ClientHello without cookies,
+ *   send back HelloVerifyRequest, then return 0
+ * - if the input looks like a ClientHello with a valid cookie,
+ *   reset the session of the current context, and
+ *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * - if anything goes wrong, return a specific error code
+ *
+ * This function is called (through ssl_check_client_reconnect()) when an
+ * unexpected record is found in ssl_get_next_record(), which will discard the
+ * record if we return 0, and bubble up the return value otherwise (this
+ * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
+ * errors, and is the right thing to do in both cases).
+ */
+static int ssl_handle_possible_reconnect(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    if (ssl->conf->f_cookie_write == NULL ||
+            ssl->conf->f_cookie_check == NULL) {
+        /* If we can't use cookies to verify reachability of the peer,
+         * drop the record. */
+        MBEDTLS_SSL_DEBUG_MSG(1, ("no cookie callbacks, "
+                                  "can't check reconnect validity"));
+        return (0);
+    }
+
+    ret = ssl_check_dtls_clihlo_cookie(
+              ssl->conf->f_cookie_write,
+              ssl->conf->f_cookie_check,
+              ssl->conf->p_cookie,
+              ssl->cli_id, ssl->cli_id_len,
+              ssl->in_buf, ssl->in_left,
+              ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len);
+
+    MBEDTLS_SSL_DEBUG_RET(2, "ssl_check_dtls_clihlo_cookie", ret);
+
+    if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
+        int send_ret;
+        MBEDTLS_SSL_DEBUG_MSG(1, ("sending HelloVerifyRequest"));
+        MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
+                              ssl->out_buf, len);
+        /* Don't check write errors as we can't do anything here.
+         * If the error is permanent we'll catch it later,
+         * if it's not, then hopefully it'll work next time. */
+        send_ret = ssl->f_send(ssl->p_bio, ssl->out_buf, len);
+        MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", send_ret);
+        (void) send_ret;
+
+        return (0);
+    }
+
+    if (ret == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("cookie is valid, resetting context"));
+        if ((ret = mbedtls_ssl_session_reset_int(ssl, 1)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "reset", ret);
+            return (ret);
+        }
+
+        return (MBEDTLS_ERR_SSL_CLIENT_RECONNECT);
+    }
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+static int ssl_check_record_type(uint8_t record_type) {
+    if (record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
+            record_type != MBEDTLS_SSL_MSG_ALERT &&
+            record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+            record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    return (0);
+}
+
+/*
+ * ContentType type;
+ * ProtocolVersion version;
+ * uint16 epoch;            // DTLS only
+ * uint48 sequence_number;  // DTLS only
+ * uint16 length;
+ *
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
+ *
+ * With DTLS, mbedtls_ssl_read_record() will:
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
+ */
+static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
+                                   unsigned char *buf,
+                                   size_t len,
+                                   mbedtls_record *rec) {
+    int major_ver, minor_ver;
+
+    size_t const rec_hdr_type_offset    = 0;
+    size_t const rec_hdr_type_len       = 1;
+
+    size_t const rec_hdr_version_offset = rec_hdr_type_offset +
+                                          rec_hdr_type_len;
+    size_t const rec_hdr_version_len    = 2;
+
+    size_t const rec_hdr_ctr_len        = 8;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint32_t     rec_epoch;
+    size_t const rec_hdr_ctr_offset     = rec_hdr_version_offset +
+                                          rec_hdr_version_len;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    size_t const rec_hdr_cid_offset     = rec_hdr_ctr_offset +
+                                          rec_hdr_ctr_len;
+    size_t       rec_hdr_cid_len        = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    size_t       rec_hdr_len_offset; /* To be determined */
+    size_t const rec_hdr_len_len    = 2;
+
+    /*
+     * Check minimum lengths for record header.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
+    }
+
+    if (len < rec_hdr_len_offset + rec_hdr_len_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("datagram of length %u too small to hold DTLS record header of length %u",
+                                  (unsigned) len,
+                                  (unsigned)(rec_hdr_len_len + rec_hdr_len_len)));
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    /*
+     * Parse and validate record content type
+     */
+
+    rec->type = buf[ rec_hdr_type_offset ];
+
+    /* Check record content type */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    rec->cid_len = 0;
+
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->conf->cid_len != 0                                &&
+            rec->type == MBEDTLS_SSL_MSG_CID) {
+        /* Shift pointers to account for record header including CID
+         * struct {
+         *   ContentType special_type = tls12_cid;
+         *   ProtocolVersion version;
+         *   uint16 epoch;
+         *   uint48 sequence_number;
+         *   opaque cid[cid_length]; // Additional field compared to
+         *                           // default DTLS record format
+         *   uint16 length;
+         *   opaque enc_content[DTLSCiphertext.length];
+         * } DTLSCiphertext;
+         */
+
+        /* So far, we only support static CID lengths
+         * fixed in the configuration. */
+        rec_hdr_cid_len = ssl->conf->cid_len;
+        rec_hdr_len_offset += rec_hdr_cid_len;
+
+        if (len < rec_hdr_len_offset + rec_hdr_len_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("datagram of length %u too small to hold DTLS record header including CID, length %u",
+                                      (unsigned) len,
+                                      (unsigned)(rec_hdr_len_offset + rec_hdr_len_len)));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+        /* configured CID len is guaranteed at most 255, see
+         * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
+        rec->cid_len = (uint8_t) rec_hdr_cid_len;
+        memcpy(rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len);
+    } else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+    {
+        if (ssl_check_record_type(rec->type)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type %u",
+                                      (unsigned) rec->type));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+    }
+
+    /*
+     * Parse and validate record version
+     */
+
+    rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
+    rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
+    mbedtls_ssl_read_version(&major_ver, &minor_ver,
+                             ssl->conf->transport,
+                             &rec->ver[0]);
+
+    if (major_ver != ssl->major_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("major version mismatch"));
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    if (minor_ver > ssl->conf->max_minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("minor version mismatch"));
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    /*
+     * Parse/Copy record sequence number.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        /* Copy explicit record sequence number from input buffer. */
+        memcpy(&rec->ctr[0], buf + rec_hdr_ctr_offset,
+               rec_hdr_ctr_len);
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        /* Copy implicit record sequence number from SSL context structure. */
+        memcpy(&rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len);
+    }
+
+    /*
+     * Parse record length.
+     */
+
+    rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
+    rec->data_len    = ((size_t) buf[ rec_hdr_len_offset + 0 ] << 8) |
+                       ((size_t) buf[ rec_hdr_len_offset + 1 ] << 0);
+    MBEDTLS_SSL_DEBUG_BUF(4, "input record header", buf, rec->data_offset);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("input record: msgtype = %u, "
+                              "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
+                              rec->type,
+                              major_ver, minor_ver, rec->data_len));
+
+    rec->buf     = buf;
+    rec->buf_len = rec->data_offset + rec->data_len;
+
+    if (rec->data_len == 0)
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+
+    /*
+     * DTLS-related tests.
+     * Check epoch before checking length constraint because
+     * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+     * message gets duplicated before the corresponding Finished message,
+     * the second ChangeCipherSpec should be discarded because it belongs
+     * to an old epoch, but not because its length is shorter than
+     * the minimum record length for packets using the new record transform.
+     * Note that these two kinds of failures are handled differently,
+     * as an unexpected record is silently skipped but an invalid
+     * record leads to the entire datagram being dropped.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        rec_epoch = (rec->ctr[0] << 8) | rec->ctr[1];
+
+        /* Check that the datagram is large enough to contain a record
+         * of the advertised length. */
+        if (len < rec->data_offset + rec->data_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Datagram of length %u too small to contain record of advertised length %u.",
+                                      (unsigned) len,
+                                      (unsigned)(rec->data_offset + rec->data_len)));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+        /* Records from other, non-matching epochs are silently discarded.
+         * (The case of same-port Client reconnects must be considered in
+         *  the caller). */
+        if (rec_epoch != ssl->in_epoch) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("record from another epoch: "
+                                      "expected %u, received %lu",
+                                      ssl->in_epoch, (unsigned long) rec_epoch));
+
+            /* Records from the next epoch are considered for buffering
+             * (concretely: early Finished messages). */
+            if (rec_epoch == (unsigned) ssl->in_epoch + 1) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("Consider record for buffering"));
+                return (MBEDTLS_ERR_SSL_EARLY_MESSAGE);
+            }
+
+            return (MBEDTLS_ERR_SSL_UNEXPECTED_RECORD);
+        }
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        /* For records from the correct epoch, check whether their
+         * sequence number has been seen before. */
+        else if (mbedtls_ssl_dtls_record_replay_check((mbedtls_ssl_context *) ssl,
+                                                      &rec->ctr[0]) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record"));
+            return (MBEDTLS_ERR_SSL_UNEXPECTED_RECORD);
+        }
+#endif
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    return (0);
+}
+
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+static int ssl_check_client_reconnect(mbedtls_ssl_context *ssl) {
+    unsigned int rec_epoch = (ssl->in_ctr[0] << 8) | ssl->in_ctr[1];
+
+    /*
+     * Check for an epoch 0 ClientHello. We can't use in_msg here to
+     * access the first byte of record content (handshake type), as we
+     * have an active transform (possibly iv_len != 0), so use the
+     * fact that the record header len is 13 instead.
+     */
+    if (rec_epoch == 0 &&
+            ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            ssl->in_left > 13 &&
+            ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("possible client reconnect "
+                                  "from the same port"));
+        return (ssl_handle_possible_reconnect(ssl));
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+/*
+ * If applicable, decrypt record content
+ */
+static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
+                                      mbedtls_record *rec) {
+    int ret, done = 0;
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "input record from network",
+                          rec->buf, rec->buf_len);
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_read != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_read()"));
+
+        ret = mbedtls_ssl_hw_record_read(ssl);
+        if (ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_read", ret);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+
+        if (ret == 0)
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if (!done && ssl->transform_in != NULL) {
+        unsigned char const old_msg_type = rec->type;
+
+        if ((ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in,
+                                           rec)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+            if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
+                    ssl->conf->ignore_unexpected_cid
+                    == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
+                MBEDTLS_SSL_DEBUG_MSG(3, ("ignoring unexpected CID"));
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+            }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+            return (ret);
+        }
+
+        if (old_msg_type != rec->type) {
+            MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
+                                      old_msg_type, rec->type));
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF(4, "input payload after decrypt",
+                              rec->buf + rec->data_offset, rec->data_len);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        /* We have already checked the record content type
+         * in ssl_parse_record_header(), failing or silently
+         * dropping the record in the case of an unknown type.
+         *
+         * Since with the use of CIDs, the record content type
+         * might change during decryption, re-check the record
+         * content type, but treat a failure as fatal this time. */
+        if (ssl_check_record_type(rec->type)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type"));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+        if (rec->data_len == 0) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+                    && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+                /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+                MBEDTLS_SSL_DEBUG_MSG(1, ("invalid zero-length message type: %d", ssl->in_msgtype));
+                return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+            }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+            ssl->nb_zero++;
+
+            /*
+             * Three or more empty messages may be a DoS attack
+             * (excessive CPU consumption).
+             */
+            if (ssl->nb_zero > 3) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("received four consecutive empty "
+                                          "messages, possible DoS attack"));
+                /* Treat the records as if they were not properly authenticated,
+                 * thereby failing the connection if we see more than allowed
+                 * by the configured bad MAC threshold. */
+                return (MBEDTLS_ERR_SSL_INVALID_MAC);
+            }
+        } else
+            ssl->nb_zero = 0;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            ; /* in_ctr read from peer, not maintained internally */
+        } else
+#endif
+        {
+            unsigned i;
+            for (i = 8; i > mbedtls_ssl_ep_len(ssl); i--)
+                if (++ssl->in_ctr[i - 1] != 0)
+                    break;
+
+            /* The loop goes to its end iff the counter is wrapping */
+            if (i == mbedtls_ssl_ep_len(ssl)) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("incoming message counter would wrap"));
+                return (MBEDTLS_ERR_SSL_COUNTER_WRAPPING);
+            }
+        }
+
+    }
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        mbedtls_ssl_dtls_replay_update(ssl);
+    }
+#endif
+
+    /* Check actual (decrypted) record content length against
+     * configured maximum. */
+    if (ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad message length"));
+        return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+    }
+
+    return (0);
+}
+
+/*
+ * Read a record.
+ *
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
+ *
+ */
+
+/* Helper functions for mbedtls_ssl_read_record(). */
+static int ssl_consume_current_message(mbedtls_ssl_context *ssl);
+static int ssl_get_next_record(mbedtls_ssl_context *ssl);
+static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
+                            unsigned update_hs_digest) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> read record"));
+
+    if (ssl->keep_current_message == 0) {
+        do {
+
+            ret = ssl_consume_current_message(ssl);
+            if (ret != 0)
+                return (ret);
+
+            if (ssl_record_is_in_progress(ssl) == 0) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                int have_buffered = 0;
+
+                /* We only check for buffered messages if the
+                 * current datagram is fully consumed. */
+                if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                        ssl_next_record_is_in_datagram(ssl) == 0) {
+                    if (ssl_load_buffered_message(ssl) == 0)
+                        have_buffered = 1;
+                }
+
+                if (have_buffered == 0)
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+                {
+                    ret = ssl_get_next_record(ssl);
+                    if (ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING)
+                        continue;
+
+                    if (ret != 0) {
+                        MBEDTLS_SSL_DEBUG_RET(1, ("ssl_get_next_record"), ret);
+                        return (ret);
+                    }
+                }
+            }
+
+            ret = mbedtls_ssl_handle_message_type(ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+                /* Buffer future message */
+                ret = ssl_buffer_message(ssl);
+                if (ret != 0)
+                    return (ret);
+
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+            }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        } while (MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
+                 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret);
+
+        if (0 != ret) {
+            MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_handle_message_type"), ret);
+            return (ret);
+        }
+
+        if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+                update_hs_digest == 1) {
+            mbedtls_ssl_update_handshake_status(ssl);
+        }
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message"));
+        ssl->keep_current_message = 0;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= read record"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl) {
+    if (ssl->in_left > ssl->next_record_offset)
+        return (1);
+
+    return (0);
+}
+
+static int ssl_load_buffered_message(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer *hs_buf;
+    int ret = 0;
+
+    if (hs == NULL)
+        return (-1);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_messsage"));
+
+    if (ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
+            ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
+        /* Check if we have seen a ChangeCipherSpec before.
+         * If yes, synthesize a CCS record. */
+        if (!hs->buffering.seen_ccs) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("CCS not seen in the current flight"));
+            ret = -1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Injecting buffered CCS message"));
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+        ssl->in_msglen = 1;
+        ssl->in_msg[0] = 1;
+
+        /* As long as they are equal, the exact value doesn't matter. */
+        ssl->in_left            = 0;
+        ssl->next_record_offset = 0;
+
+        hs->buffering.seen_ccs = 0;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_DEBUG_C)
+    /* Debug only */
+    {
+        unsigned offset;
+        for (offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) {
+            hs_buf = &hs->buffering.hs[offset];
+            if (hs_buf->is_valid == 1) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("Future message with sequence number %u %s buffered.",
+                                          hs->in_msg_seq + offset,
+                                          hs_buf->is_complete ? "fully" : "partially"));
+            }
+        }
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+    /* Check if we have buffered and/or fully reassembled the
+     * next handshake message. */
+    hs_buf = &hs->buffering.hs[0];
+    if ((hs_buf->is_valid == 1) && (hs_buf->is_complete == 1)) {
+        /* Synthesize a record containing the buffered HS message. */
+        size_t msg_len = (hs_buf->data[1] << 16) |
+                         (hs_buf->data[2] << 8) |
+                         hs_buf->data[3];
+
+        /* Double-check that we haven't accidentally buffered
+         * a message that doesn't fit into the input buffer. */
+        if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message has been buffered - load"));
+        MBEDTLS_SSL_DEBUG_BUF(3, "Buffered handshake message (incl. header)",
+                              hs_buf->data, msg_len + 12);
+
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+        ssl->in_hslen   = msg_len + 12;
+        ssl->in_msglen  = msg_len + 12;
+        memcpy(ssl->in_msg, hs_buf->data, ssl->in_hslen);
+
+        ret = 0;
+        goto exit;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message %u not or only partially bufffered",
+                                  hs->in_msg_seq));
+    }
+
+    ret = -1;
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_message"));
+    return (ret);
+}
+
+static int ssl_buffer_make_space(mbedtls_ssl_context *ssl,
+                                 size_t desired) {
+    int offset;
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+    MBEDTLS_SSL_DEBUG_MSG(2, ("Attempt to free buffered messages to have %u bytes available",
+                              (unsigned) desired));
+
+    /* Get rid of future records epoch first, if such exist. */
+    ssl_free_buffered_record(ssl);
+
+    /* Check if we have enough space available now. */
+    if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                    hs->buffering.total_bytes_buffered)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing future epoch record"));
+        return (0);
+    }
+
+    /* We don't have enough space to buffer the next expected handshake
+     * message. Remove buffers used for future messages to gain space,
+     * starting with the most distant one. */
+    for (offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
+            offset >= 0; offset--) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Free buffering slot %d to make space for reassembly of next handshake message",
+                                  offset));
+
+        ssl_buffering_free_slot(ssl, (uint8_t) offset);
+
+        /* Check if we have enough space available now. */
+        if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                        hs->buffering.total_bytes_buffered)) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing buffered HS messages"));
+            return (0);
+        }
+    }
+
+    return (-1);
+}
+
+static int ssl_buffer_message(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+
+    if (hs == NULL)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_buffer_message"));
+
+    switch (ssl->in_msgtype) {
+        case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+            MBEDTLS_SSL_DEBUG_MSG(2, ("Remember CCS message"));
+
+            hs->buffering.seen_ccs = 1;
+            break;
+
+        case MBEDTLS_SSL_MSG_HANDSHAKE: {
+            unsigned recv_msg_seq_offset;
+            unsigned recv_msg_seq = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
+            mbedtls_ssl_hs_buffer *hs_buf;
+            size_t msg_len = ssl->in_hslen - 12;
+
+            /* We should never receive an old handshake
+             * message - double-check nonetheless. */
+            if (recv_msg_seq < ssl->handshake->in_msg_seq) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+            recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
+            if (recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS) {
+                /* Silently ignore -- message too far in the future */
+                MBEDTLS_SSL_DEBUG_MSG(2,
+                                      ("Ignore future HS message with sequence number %u, "
+                                       "buffering window %u - %u",
+                                       recv_msg_seq, ssl->handshake->in_msg_seq,
+                                       ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1));
+
+                goto exit;
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering HS message with sequence number %u, offset %u ",
+                                      recv_msg_seq, recv_msg_seq_offset));
+
+            hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
+
+            /* Check if the buffering for this seq nr has already commenced. */
+            if (!hs_buf->is_valid) {
+                size_t reassembly_buf_sz;
+
+                hs_buf->is_fragmented =
+                    (ssl_hs_is_proper_fragment(ssl) == 1);
+
+                /* We copy the message back into the input buffer
+                 * after reassembly, so check that it's not too large.
+                 * This is an implementation-specific limitation
+                 * and not one from the standard, hence it is not
+                 * checked in ssl_check_hs_header(). */
+                if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
+                    /* Ignore message */
+                    goto exit;
+                }
+
+                /* Check if we have enough space to buffer the message. */
+                if (hs->buffering.total_bytes_buffered >
+                        MBEDTLS_SSL_DTLS_MAX_BUFFERING) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                }
+
+                reassembly_buf_sz = ssl_get_reassembly_buffer_size(msg_len,
+                                                                   hs_buf->is_fragmented);
+
+                if (reassembly_buf_sz > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                                         hs->buffering.total_bytes_buffered)) {
+                    if (recv_msg_seq_offset > 0) {
+                        /* If we can't buffer a future message because
+                         * of space limitations -- ignore. */
+                        MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
+                                                  " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+                                                  " (already %" MBEDTLS_PRINTF_SIZET
+                                                  " bytes buffered) -- ignore\n",
+                                                  msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                                                  hs->buffering.total_bytes_buffered));
+                        goto exit;
+                    } else {
+                        MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
+                                                  " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+                                                  " (already %" MBEDTLS_PRINTF_SIZET
+                                                  " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+                                                  msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                                                  hs->buffering.total_bytes_buffered));
+                    }
+
+                    if (ssl_buffer_make_space(ssl, reassembly_buf_sz) != 0) {
+                        MBEDTLS_SSL_DEBUG_MSG(2, ("Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
+                                                  " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
+                                                  " the compile-time limit %" MBEDTLS_PRINTF_SIZET
+                                                  " (already %" MBEDTLS_PRINTF_SIZET
+                                                  " bytes buffered) -- fail\n",
+                                                  msg_len,
+                                                  reassembly_buf_sz,
+                                                  (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                                                  hs->buffering.total_bytes_buffered));
+                        ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+                        goto exit;
+                    }
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG(2, ("initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
+                                          msg_len));
+
+                hs_buf->data = mbedtls_calloc(1, reassembly_buf_sz);
+                if (hs_buf->data == NULL) {
+                    ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+                    goto exit;
+                }
+                hs_buf->data_len = reassembly_buf_sz;
+
+                /* Prepare final header: copy msg_type, length and message_seq,
+                 * then add standardised fragment_offset and fragment_length */
+                memcpy(hs_buf->data, ssl->in_msg, 6);
+                memset(hs_buf->data + 6, 0, 3);
+                memcpy(hs_buf->data + 9, hs_buf->data + 1, 3);
+
+                hs_buf->is_valid = 1;
+
+                hs->buffering.total_bytes_buffered += reassembly_buf_sz;
+            } else {
+                /* Make sure msg_type and length are consistent */
+                if (memcmp(hs_buf->data, ssl->in_msg, 4) != 0) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("Fragment header mismatch - ignore"));
+                    /* Ignore */
+                    goto exit;
+                }
+            }
+
+            if (!hs_buf->is_complete) {
+                size_t frag_len, frag_off;
+                unsigned char *const msg = hs_buf->data + 12;
+
+                /*
+                 * Check and copy current fragment
+                 */
+
+                /* Validation of header fields already done in
+                 * mbedtls_ssl_prepare_handshake_record(). */
+                frag_off = ssl_get_hs_frag_off(ssl);
+                frag_len = ssl_get_hs_frag_len(ssl);
+
+                MBEDTLS_SSL_DEBUG_MSG(2, ("adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
+                                          ", length = %" MBEDTLS_PRINTF_SIZET,
+                                          frag_off, frag_len));
+                memcpy(msg + frag_off, ssl->in_msg + 12, frag_len);
+
+                if (hs_buf->is_fragmented) {
+                    unsigned char *const bitmask = msg + msg_len;
+                    ssl_bitmask_set(bitmask, frag_off, frag_len);
+                    hs_buf->is_complete = (ssl_bitmask_check(bitmask,
+                                                             msg_len) == 0);
+                } else {
+                    hs_buf->is_complete = 1;
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG(2, ("message %scomplete",
+                                          hs_buf->is_complete ? "" : "not yet "));
+            }
+
+            break;
+        }
+
+        default:
+            /* We don't buffer other types of messages. */
+            break;
+    }
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_buffer_message"));
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_consume_current_message(mbedtls_ssl_context *ssl) {
+    /*
+     * Consume last content-layer message and potentially
+     * update in_msglen which keeps track of the contents'
+     * consumption state.
+     *
+     * (1) Handshake messages:
+     *     Remove last handshake message, move content
+     *     and adapt in_msglen.
+     *
+     * (2) Alert messages:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (3) Change cipher spec:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (4) Application data:
+     *     Don't do anything - the record layer provides
+     *     the application data as a stream transport
+     *     and consumes through mbedtls_ssl_read only.
+     *
+     */
+
+    /* Case (1): Handshake messages */
+    if (ssl->in_hslen != 0) {
+        /* Hard assertion to be sure that no application data
+         * is in flight, as corrupting ssl->in_msglen during
+         * ssl->in_offt != NULL is fatal. */
+        if (ssl->in_offt != NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+        /*
+         * Get next Handshake message in the current record
+         */
+
+        /* Notes:
+         * (1) in_hslen is not necessarily the size of the
+         *     current handshake content: If DTLS handshake
+         *     fragmentation is used, that's the fragment
+         *     size instead. Using the total handshake message
+         *     size here is faulty and should be changed at
+         *     some point.
+         * (2) While it doesn't seem to cause problems, one
+         *     has to be very careful not to assume that in_hslen
+         *     is always <= in_msglen in a sensible communication.
+         *     Again, it's wrong for DTLS handshake fragmentation.
+         *     The following check is therefore mandatory, and
+         *     should not be treated as a silently corrected assertion.
+         *     Additionally, ssl->in_hslen might be arbitrarily out of
+         *     bounds after handling a DTLS message with an unexpected
+         *     sequence number, see mbedtls_ssl_prepare_handshake_record.
+         */
+        if (ssl->in_hslen < ssl->in_msglen) {
+            ssl->in_msglen -= ssl->in_hslen;
+            memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+                    ssl->in_msglen);
+
+            MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
+                                  ssl->in_msg, ssl->in_msglen);
+        } else {
+            ssl->in_msglen = 0;
+        }
+
+        ssl->in_hslen   = 0;
+    }
+    /* Case (4): Application data */
+    else if (ssl->in_offt != NULL) {
+        return (0);
+    }
+    /* Everything else (CCS & Alerts) */
+    else {
+        ssl->in_msglen = 0;
+    }
+
+    return (0);
+}
+
+static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl) {
+    if (ssl->in_msglen > 0)
+        return (1);
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_free_buffered_record(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+    if (hs == NULL)
+        return;
+
+    if (hs->buffering.future_record.data != NULL) {
+        hs->buffering.total_bytes_buffered -=
+            hs->buffering.future_record.len;
+
+        mbedtls_free(hs->buffering.future_record.data);
+        hs->buffering.future_record.data = NULL;
+    }
+}
+
+static int ssl_load_buffered_record(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+    unsigned char *rec;
+    size_t rec_len;
+    unsigned rec_epoch;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t in_buf_len = ssl->in_buf_len;
+#else
+    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        return (0);
+
+    if (hs == NULL)
+        return (0);
+
+    rec       = hs->buffering.future_record.data;
+    rec_len   = hs->buffering.future_record.len;
+    rec_epoch = hs->buffering.future_record.epoch;
+
+    if (rec == NULL)
+        return (0);
+
+    /* Only consider loading future records if the
+     * input buffer is empty. */
+    if (ssl_next_record_is_in_datagram(ssl) == 1)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_record"));
+
+    if (rec_epoch != ssl->in_epoch) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Buffered record not from current epoch."));
+        goto exit;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("Found buffered record from current epoch - load"));
+
+    /* Double-check that the record is not too large */
+    if (rec_len > in_buf_len - (size_t)(ssl->in_hdr - ssl->in_buf)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    memcpy(ssl->in_hdr, rec, rec_len);
+    ssl->in_left = rec_len;
+    ssl->next_record_offset = 0;
+
+    ssl_free_buffered_record(ssl);
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_record"));
+    return (0);
+}
+
+static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
+                                    mbedtls_record const *rec) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+
+    /* Don't buffer future records outside handshakes. */
+    if (hs == NULL)
+        return (0);
+
+    /* Only buffer handshake records (we are only interested
+     * in Finished messages). */
+    if (rec->type != MBEDTLS_SSL_MSG_HANDSHAKE)
+        return (0);
+
+    /* Don't buffer more than one future epoch record. */
+    if (hs->buffering.future_record.data != NULL)
+        return (0);
+
+    /* Don't buffer record if there's not enough buffering space remaining. */
+    if (rec->buf_len > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                        hs->buffering.total_bytes_buffered)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
+                                  " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+                                  " (already %" MBEDTLS_PRINTF_SIZET
+                                  " bytes buffered) -- ignore\n",
+                                  rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                                  hs->buffering.total_bytes_buffered));
+        return (0);
+    }
+
+    /* Buffer record */
+    MBEDTLS_SSL_DEBUG_MSG(2, ("Buffer record from epoch %u",
+                              ssl->in_epoch + 1U));
+    MBEDTLS_SSL_DEBUG_BUF(3, "Buffered record", rec->buf, rec->buf_len);
+
+    /* ssl_parse_record_header() only considers records
+     * of the next epoch as candidates for buffering. */
+    hs->buffering.future_record.epoch = ssl->in_epoch + 1;
+    hs->buffering.future_record.len   = rec->buf_len;
+
+    hs->buffering.future_record.data =
+        mbedtls_calloc(1, hs->buffering.future_record.len);
+    if (hs->buffering.future_record.data == NULL) {
+        /* If we run out of RAM trying to buffer a
+         * record from the next epoch, just ignore. */
+        return (0);
+    }
+
+    memcpy(hs->buffering.future_record.data, rec->buf, rec->buf_len);
+
+    hs->buffering.total_bytes_buffered += rec->buf_len;
+    return (0);
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_get_next_record(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_record rec;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    /* We might have buffered a future record; if so,
+     * and if the epoch matches now, load it.
+     * On success, this call will set ssl->in_left to
+     * the length of the buffered record, so that
+     * the calls to ssl_fetch_input() below will
+     * essentially be no-ops. */
+    ret = ssl_load_buffered_record(ssl);
+    if (ret != 0)
+        return (ret);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /* Ensure that we have enough space available for the default form
+     * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
+     * with no space for CIDs counted in). */
+    ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_in_hdr_len(ssl));
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+        return (ret);
+    }
+
+    ret = ssl_parse_record_header(ssl, ssl->in_hdr, ssl->in_left, &rec);
+    if (ret != 0) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+                ret = ssl_buffer_future_record(ssl, &rec);
+                if (ret != 0)
+                    return (ret);
+
+                /* Fall through to handling of unexpected records */
+                ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+            }
+
+            if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+                /* Reset in pointers to default state for TLS/DTLS records,
+                 * assuming no CID and no offset between record content and
+                 * record plaintext. */
+                mbedtls_ssl_update_in_pointers(ssl);
+
+                /* Setup internal message pointers from record structure. */
+                ssl->in_msgtype = rec.type;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+                ssl->in_len = ssl->in_cid + rec.cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+                ssl->in_iv  = ssl->in_msg = ssl->in_len + 2;
+                ssl->in_msglen = rec.data_len;
+
+                ret = ssl_check_client_reconnect(ssl);
+                MBEDTLS_SSL_DEBUG_RET(2, "ssl_check_client_reconnect", ret);
+                if (ret != 0)
+                    return (ret);
+#endif
+
+                /* Skip unexpected record (but not whole datagram) */
+                ssl->next_record_offset = rec.buf_len;
+
+                MBEDTLS_SSL_DEBUG_MSG(1, ("discarding unexpected record "
+                                          "(header)"));
+            } else {
+                /* Skip invalid record and the rest of the datagram */
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record "
+                                          "(header)"));
+            }
+
+            /* Get next record */
+            return (MBEDTLS_ERR_SSL_CONTINUE_PROCESSING);
+        } else
+#endif
+        {
+            return (ret);
+        }
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        /* Remember offset of next record within datagram. */
+        ssl->next_record_offset = rec.buf_len;
+        if (ssl->next_record_offset < ssl->in_left) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("more than one record within datagram"));
+        }
+    } else
+#endif
+    {
+        /*
+         * Fetch record contents from underlying transport.
+         */
+        ret = mbedtls_ssl_fetch_input(ssl, rec.buf_len);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+            return (ret);
+        }
+
+        ssl->in_left = 0;
+    }
+
+    /*
+     * Decrypt record contents.
+     */
+
+    if ((ret = ssl_prepare_record_content(ssl, &rec)) != 0) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            /* Silently discard invalid records */
+            if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+                /* Except when waiting for Finished as a bad mac here
+                 * probably means something went wrong in the handshake
+                 * (eg wrong psk used, mitm downgrade attempt, etc.) */
+                if (ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
+                        ssl->state == MBEDTLS_SSL_SERVER_FINISHED) {
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+                    if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+                        mbedtls_ssl_send_alert_message(ssl,
+                                                       MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                       MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
+                    }
+#endif
+                    return (ret);
+                }
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+                if (ssl->conf->badmac_limit != 0 &&
+                        ++ssl->badmac_seen >= ssl->conf->badmac_limit) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
+                    return (MBEDTLS_ERR_SSL_INVALID_MAC);
+                }
+#endif
+
+                /* As above, invalid records cause
+                 * dismissal of the whole datagram. */
+
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record (mac)"));
+                return (MBEDTLS_ERR_SSL_CONTINUE_PROCESSING);
+            }
+
+            return (ret);
+        } else
+#endif
+        {
+            /* Error out (and send alert) on invalid records */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+            if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+                mbedtls_ssl_send_alert_message(ssl,
+                                               MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
+            }
+#endif
+            return (ret);
+        }
+    }
+
+
+    /* Reset in pointers to default state for TLS/DTLS records,
+     * assuming no CID and no offset between record content and
+     * record plaintext. */
+    mbedtls_ssl_update_in_pointers(ssl);
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    ssl->in_len = ssl->in_cid + rec.cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+    ssl->in_iv  = ssl->in_len + 2;
+
+    /* The record content type may change during decryption,
+     * so re-read it. */
+    ssl->in_msgtype = rec.type;
+    /* Also update the input buffer, because unfortunately
+     * the server-side ssl_parse_client_hello() reparses the
+     * record header when receiving a ClientHello initiating
+     * a renegotiation. */
+    ssl->in_hdr[0] = rec.type;
+    ssl->in_msg    = rec.buf + rec.data_offset;
+    ssl->in_msglen = rec.data_len;
+    ssl->in_len[0] = (unsigned char)(rec.data_len >> 8);
+    ssl->in_len[1] = (unsigned char)(rec.data_len);
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (ssl->transform_in != NULL &&
+            ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE) {
+        if ((ret = ssl_decompress_buf(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "ssl_decompress_buf", ret);
+            return (ret);
+        }
+
+        /* Check actual (decompress) record content length against
+         * configured maximum. */
+        if (ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad message length"));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+    return (0);
+}
+
+int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /*
+     * Handle particular types of records
+     */
+    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+        if ((ret = mbedtls_ssl_prepare_handshake_record(ssl)) != 0) {
+            return (ret);
+        }
+    }
+
+    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+        if (ssl->in_msglen != 1) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
+                                      ssl->in_msglen));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+        if (ssl->in_msg[0] != 1) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, content: %02x",
+                                      ssl->in_msg[0]));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC    &&
+                ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
+            if (ssl->handshake == NULL) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("dropping ChangeCipherSpec outside handshake"));
+                return (MBEDTLS_ERR_SSL_UNEXPECTED_RECORD);
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG(1, ("received out-of-order ChangeCipherSpec - remember"));
+            return (MBEDTLS_ERR_SSL_EARLY_MESSAGE);
+        }
+#endif
+    }
+
+    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
+        if (ssl->in_msglen != 2) {
+            /* Note: Standard allows for more than one 2 byte alert
+               to be packed in a single message, but Mbed TLS doesn't
+               currently support this. */
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
+                                      ssl->in_msglen));
+            return (MBEDTLS_ERR_SSL_INVALID_RECORD);
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("got an alert message, type: [%u:%u]",
+                                  ssl->in_msg[0], ssl->in_msg[1]));
+
+        /*
+         * Ignore non-fatal alerts, except close_notify and no_renegotiation
+         */
+        if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("is a fatal alert message (msg %d)",
+                                      ssl->in_msg[1]));
+            return (MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
+        }
+
+        if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+                ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("is a close notify message"));
+            return (MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY);
+        }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
+        if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+                ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("is a SSLv3 no renegotiation alert"));
+            /* Will be handled when trying to parse ServerHello */
+            return (0);
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+                ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("is a SSLv3 no_cert"));
+            /* Will be handled in mbedtls_ssl_parse_certificate() */
+            return (0);
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+
+        /* Silently ignore: fetch new message */
+        return MBEDTLS_ERR_SSL_NON_FATAL;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        /* Drop unexpected ApplicationData records,
+         * except at the beginning of renegotiations */
+        if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+                ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                && !(ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+                     ssl->state == MBEDTLS_SSL_SERVER_HELLO)
+#endif
+           ) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("dropping unexpected ApplicationData"));
+            return (MBEDTLS_ERR_SSL_NON_FATAL);
+        }
+
+        if (ssl->handshake != NULL &&
+                ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+            mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    return (0);
+}
+
+int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl) {
+    return (mbedtls_ssl_send_alert_message(ssl,
+                                           MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE));
+}
+
+int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl,
+                                   unsigned char level,
+                                   unsigned char message) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> send alert message"));
+    MBEDTLS_SSL_DEBUG_MSG(3, ("send alert level=%u message=%u", level, message));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+    ssl->out_msglen = 2;
+    ssl->out_msg[0] = level;
+    ssl->out_msg[1] = message;
+
+    if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+        return (ret);
+    }
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= send alert message"));
+
+    return (0);
+}
+
+int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+    ssl->out_msglen  = 1;
+    ssl->out_msg[0]  = 1;
+
+    ssl->state++;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
+
+    return (0);
+}
+
+int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    /* CCS records are only accepted if they have length 1 and content '1',
+     * so we don't need to check this here. */
+
+    /*
+     * Switch to our negotiated transform and session parameters for inbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for inbound data"));
+    ssl->transform_in = ssl->transform_negotiate;
+    ssl->session_in = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        mbedtls_ssl_dtls_replay_reset(ssl);
+#endif
+
+        /* Increment epoch */
+        if (++ssl->in_epoch == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
+            /* This is highly unlikely to happen for legitimate reasons, so
+               treat it as an attack and don't send an alert. */
+            return (MBEDTLS_ERR_SSL_COUNTER_WRAPPING);
+        }
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        memset(ssl->in_ctr, 0, 8);
+
+    mbedtls_ssl_update_in_pointers(ssl);
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_activate != NULL) {
+        if ((ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_INBOUND)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret);
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+    }
+#endif
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
+
+    return (0);
+}
+
+/* Once ssl->out_hdr as the address of the beginning of the
+ * next outgoing record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->out_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static size_t ssl_transform_get_explicit_iv_len(
+    mbedtls_ssl_transform const *transform) {
+    if (transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2)
+        return (0);
+
+    return (transform->ivlen - transform->fixed_ivlen);
+}
+
+void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        ssl->out_ctr = ssl->out_hdr +  3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        ssl->out_cid = ssl->out_ctr +  8;
+        ssl->out_len = ssl->out_cid;
+        if (transform != NULL)
+            ssl->out_len += transform->out_cid_len;
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+        ssl->out_len = ssl->out_ctr + 8;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+        ssl->out_iv  = ssl->out_len + 2;
+    } else
+#endif
+    {
+        ssl->out_ctr = ssl->out_hdr - 8;
+        ssl->out_len = ssl->out_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        ssl->out_cid = ssl->out_len;
+#endif
+        ssl->out_iv  = ssl->out_hdr + 5;
+    }
+
+    ssl->out_msg = ssl->out_iv;
+    /* Adjust out_msg to make space for explicit IV, if used. */
+    if (transform != NULL)
+        ssl->out_msg += ssl_transform_get_explicit_iv_len(transform);
+}
+
+/* Once ssl->in_hdr as the address of the beginning of the
+ * next incoming record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->in_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) {
+    /* This function sets the pointers to match the case
+     * of unprotected TLS/DTLS records, with both  ssl->in_iv
+     * and ssl->in_msg pointing to the beginning of the record
+     * content.
+     *
+     * When decrypting a protected record, ssl->in_msg
+     * will be shifted to point to the beginning of the
+     * record plaintext.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        /* This sets the header pointers to match records
+         * without CID. When we receive a record containing
+         * a CID, the fields are shifted accordingly in
+         * ssl_parse_record_header(). */
+        ssl->in_ctr = ssl->in_hdr +  3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        ssl->in_cid = ssl->in_ctr +  8;
+        ssl->in_len = ssl->in_cid; /* Default: no CID */
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+        ssl->in_len = ssl->in_ctr + 8;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+        ssl->in_iv  = ssl->in_len + 2;
+    } else
+#endif
+    {
+        ssl->in_ctr = ssl->in_hdr - 8;
+        ssl->in_len = ssl->in_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        ssl->in_cid = ssl->in_len;
+#endif
+        ssl->in_iv  = ssl->in_hdr + 5;
+    }
+
+    /* This will be adjusted at record decryption time. */
+    ssl->in_msg = ssl->in_iv;
+}
+
+/*
+ * Setup an SSL context
+ */
+
+void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) {
+    /* Set the incoming and outgoing record pointers. */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        ssl->out_hdr = ssl->out_buf;
+        ssl->in_hdr  = ssl->in_buf;
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+        ssl->in_hdr  = ssl->in_buf  + 8;
+    }
+
+    /* Derive other internal pointers. */
+    mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
+    mbedtls_ssl_update_in_pointers(ssl);
+}
+
+/*
+ * SSL get accessors
+ */
+size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl) {
+    return (ssl->in_offt == NULL ? 0 : ssl->in_msglen);
+}
+
+int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl) {
+    /*
+     * Case A: We're currently holding back
+     * a message for further processing.
+     */
+
+    if (ssl->keep_current_message == 1) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: record held back for processing"));
+        return (1);
+    }
+
+    /*
+     * Case B: Further records are pending in the current datagram.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->in_left > ssl->next_record_offset) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: more records within current datagram"));
+        return (1);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Case C: A handshake message is being processed.
+     */
+
+    if (ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: more handshake messages within current record"));
+        return (1);
+    }
+
+    /*
+     * Case D: An application data message is being processed
+     */
+    if (ssl->in_offt != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: application data record is being processed"));
+        return (1);
+    }
+
+    /*
+     * In all other cases, the rest of the message can be dropped.
+     * As in ssl_get_next_record, this needs to be adapted if
+     * we implement support for multiple alerts in single records.
+     */
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: nothing pending"));
+    return (0);
+}
+
+
+int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl) {
+    size_t transform_expansion = 0;
+    const mbedtls_ssl_transform *transform = ssl->transform_out;
+    unsigned block_size;
+
+    size_t out_hdr_len = mbedtls_ssl_out_hdr_len(ssl);
+
+    if (transform == NULL)
+        return ((int) out_hdr_len);
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL)
+        return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif
+
+    switch (mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)) {
+        case MBEDTLS_MODE_GCM:
+        case MBEDTLS_MODE_CCM:
+        case MBEDTLS_MODE_CHACHAPOLY:
+        case MBEDTLS_MODE_STREAM:
+            transform_expansion = transform->minlen;
+            break;
+
+        case MBEDTLS_MODE_CBC:
+
+            block_size = mbedtls_cipher_get_block_size(
+                             &transform->cipher_ctx_enc);
+
+            /* Expansion due to the addition of the MAC. */
+            transform_expansion += transform->maclen;
+
+            /* Expansion due to the addition of CBC padding;
+             * Theoretically up to 256 bytes, but we never use
+             * more than the block size of the underlying cipher. */
+            transform_expansion += block_size;
+
+            /* For TLS 1.1 or higher, an explicit IV is added
+             * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2)
+                transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    if (transform->out_cid_len != 0)
+        transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    return ((int)(out_hdr_len + transform_expansion));
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl) {
+    size_t ep_len = mbedtls_ssl_ep_len(ssl);
+    int in_ctr_cmp;
+    int out_ctr_cmp;
+
+    if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
+            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
+            ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
+        return (0);
+    }
+
+    in_ctr_cmp = memcmp(ssl->in_ctr + ep_len,
+                        ssl->conf->renego_period + ep_len, 8 - ep_len);
+    out_ctr_cmp = memcmp(ssl->cur_out_ctr + ep_len,
+                         ssl->conf->renego_period + ep_len, 8 - ep_len);
+
+    if (in_ctr_cmp <= 0 && out_ctr_cmp <= 0) {
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("record counter limit reached: renegotiate"));
+    return (mbedtls_ssl_renegotiate(ssl));
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Receive application data decrypted from the SSL layer
+ */
+int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> read"));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+            return (ret);
+
+        if (ssl->handshake != NULL &&
+                ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+            if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0)
+                return (ret);
+        }
+    }
+#endif
+
+    /*
+     * Check if renegotiation is necessary and/or handshake is
+     * in process. If yes, perform/continue, and fall through
+     * if an unexpected packet is received while the client
+     * is waiting for the ServerHello.
+     *
+     * (There is no equivalent to the last condition on
+     *  the server-side as it is not treated as within
+     *  a handshake while waiting for the ClientHello
+     *  after a renegotiation request.)
+     */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ret = ssl_check_ctr_renegotiate(ssl);
+    if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+            ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
+        return (ret);
+    }
+#endif
+
+    if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        ret = mbedtls_ssl_handshake(ssl);
+        if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+                ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+            return (ret);
+        }
+    }
+
+    /* Loop as long as no application data record is available */
+    while (ssl->in_offt == NULL) {
+        /* Start timer if not already running */
+        if (ssl->f_get_timer != NULL &&
+                ssl->f_get_timer(ssl->p_timer) == -1) {
+            mbedtls_ssl_set_timer(ssl, ssl->conf->read_timeout);
+        }
+
+        if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+            if (ret == MBEDTLS_ERR_SSL_CONN_EOF)
+                return (0);
+
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+            return (ret);
+        }
+
+        if (ssl->in_msglen  == 0 &&
+                ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+            /*
+             * OpenSSL sends empty messages to randomize the IV
+             */
+            if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+                if (ret == MBEDTLS_ERR_SSL_CONN_EOF)
+                    return (0);
+
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+                return (ret);
+            }
+        }
+
+        if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("received handshake message"));
+
+            /*
+             * - For client-side, expect SERVER_HELLO_REQUEST.
+             * - For server-side, expect CLIENT_HELLO.
+             * - Fail (TLS) or silently drop record (DTLS) in other cases.
+             */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+            if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+                    (ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
+                     ssl->in_hslen  != mbedtls_ssl_hs_hdr_len(ssl))) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not HelloRequest)"));
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+                    continue;
+                }
+#endif
+                return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+            }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+            if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                    ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not ClientHello)"));
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+                    continue;
+                }
+#endif
+                return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+            }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            /* Determine whether renegotiation attempt should be accepted */
+            if (!(ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+                    (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+                     ssl->conf->allow_legacy_renegotiation ==
+                     MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION))) {
+                /*
+                 * Accept renegotiation request
+                 */
+
+                /* DTLS clients need to know renego is server-initiated */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                        ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+                    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+                }
+#endif
+                ret = mbedtls_ssl_start_renegotiation(ssl);
+                if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+                        ret != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation",
+                                          ret);
+                    return (ret);
+                }
+            } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            {
+                /*
+                 * Refuse renegotiation
+                 */
+
+                MBEDTLS_SSL_DEBUG_MSG(3, ("refusing renegotiation, sending alert"));
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+                if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+                    /* SSLv3 does not have a "no_renegotiation" warning, so
+                       we send a fatal alert and abort the connection. */
+                    mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                   MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+                    return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+                } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                    if (ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1) {
+                        if ((ret = mbedtls_ssl_send_alert_message(ssl,
+                                                                  MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                                                                  MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION)) != 0) {
+                            return (ret);
+                        }
+                    } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                    }
+            }
+
+            /* At this point, we don't know whether the renegotiation has been
+             * completed or not. The cases to consider are the following:
+             * 1) The renegotiation is complete. In this case, no new record
+             *    has been read yet.
+             * 2) The renegotiation is incomplete because the client received
+             *    an application data record while awaiting the ServerHello.
+             * 3) The renegotiation is incomplete because the client received
+             *    a non-handshake, non-application data message while awaiting
+             *    the ServerHello.
+             * In each of these case, looping will be the proper action:
+             * - For 1), the next iteration will read a new record and check
+             *   if it's application data.
+             * - For 2), the loop condition isn't satisfied as application data
+             *   is present, hence continue is the same as break
+             * - For 3), the loop condition is satisfied and read_record
+             *   will re-deliver the message that was held back by the client
+             *   when expecting the ServerHello.
+             */
+            continue;
+        }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+            if (ssl->conf->renego_max_records >= 0) {
+                if (++ssl->renego_records_seen > ssl->conf->renego_max_records) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation requested, "
+                                              "but not honored by client"));
+                    return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+                }
+            }
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
+        if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("ignoring non-fatal non-closure alert"));
+            return (MBEDTLS_ERR_SSL_WANT_READ);
+        }
+
+        if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad application data message"));
+            return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+        }
+
+        ssl->in_offt = ssl->in_msg;
+
+        /* We're going to return something now, cancel timer,
+         * except if handshake (renegotiation) is in progress */
+        if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER)
+            mbedtls_ssl_set_timer(ssl, 0);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* If we requested renego but received AppData, resend HelloRequest.
+         * Do it now, after setting in_offt, to avoid taking this branch
+         * again if ssl_write_hello_request() returns WANT_WRITE */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+            if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
+                                      ret);
+                return (ret);
+            }
+        }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    }
+
+    n = (len < ssl->in_msglen)
+        ? len : ssl->in_msglen;
+
+    memcpy(buf, ssl->in_offt, n);
+    ssl->in_msglen -= n;
+
+    /* Zeroising the plaintext buffer to erase unused application data
+       from the memory. */
+    mbedtls_platform_zeroize(ssl->in_offt, n);
+
+    if (ssl->in_msglen == 0) {
+        /* all bytes consumed */
+        ssl->in_offt = NULL;
+        ssl->keep_current_message = 0;
+    } else {
+        /* more data available */
+        ssl->in_offt += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
+
+    return ((int) n);
+}
+
+/*
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ *      Zero-length fragments of Application data MAY be sent as they are
+ *      potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
+ */
+static int ssl_write_real(mbedtls_ssl_context *ssl,
+                          const unsigned char *buf, size_t len) {
+    int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+    const size_t max_len = (size_t) ret;
+
+    if (ret < 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_max_out_record_payload", ret);
+        return (ret);
+    }
+
+    if (len > max_len) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("fragment larger than the (negotiated) "
+                                      "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
+                                      " > %" MBEDTLS_PRINTF_SIZET,
+                                      len, max_len));
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+        } else
+#endif
+            len = max_len;
+    }
+
+    if (ssl->out_left != 0) {
+        /*
+         * The user has previously tried to send the data and
+         * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+         * written. In this case, we expect the high-level write function
+         * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+         */
+        if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+            return (ret);
+        }
+    } else {
+        /*
+         * The user is trying to send a message the first time, so we need to
+         * copy the data into the internal buffers and setup the data structure
+         * to keep track of partial writes
+         */
+        ssl->out_msglen  = len;
+        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+        memcpy(ssl->out_msg, buf, len);
+
+        if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+            return (ret);
+        }
+    }
+
+    return ((int) len);
+}
+
+/*
+ * Write application data, doing 1/n-1 splitting if necessary.
+ *
+ * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
+ * then the caller will call us again with the same arguments, so
+ * remember whether we already did the split or not.
+ */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+static int ssl_write_split(mbedtls_ssl_context *ssl,
+                           const unsigned char *buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (ssl->conf->cbc_record_splitting ==
+            MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
+            len <= 1 ||
+            ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
+            mbedtls_cipher_get_cipher_mode(&ssl->transform_out->cipher_ctx_enc)
+            != MBEDTLS_MODE_CBC) {
+        return (ssl_write_real(ssl, buf, len));
+    }
+
+    if (ssl->split_done == 0) {
+        if ((ret = ssl_write_real(ssl, buf, 1)) <= 0)
+            return (ret);
+        ssl->split_done = 1;
+    }
+
+    if ((ret = ssl_write_real(ssl, buf + 1, len - 1)) <= 0)
+        return (ret);
+    ssl->split_done = 0;
+
+    return (ret + 1);
+}
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+/*
+ * Write application data (public-facing wrapper)
+ */
+int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write"));
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if ((ret = ssl_check_ctr_renegotiate(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
+        return (ret);
+    }
+#endif
+
+    if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+            return (ret);
+        }
+    }
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    ret = ssl_write_split(ssl, buf, len);
+#else
+    ret = ssl_write_real(ssl, buf, len);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write"));
+
+    return (ret);
+}
+
+/*
+ * Notify the peer that the connection is being closed
+ */
+int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write close notify"));
+
+    if (ssl->out_left != 0)
+        return (mbedtls_ssl_flush_output(ssl));
+
+    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+        if ((ret = mbedtls_ssl_send_alert_message(ssl,
+                                                  MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                                                  MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_send_alert_message", ret);
+            return (ret);
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write close notify"));
+
+    return (0);
+}
+
+void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform) {
+    if (transform == NULL)
+        return;
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    deflateEnd(&transform->ctx_deflate);
+    inflateEnd(&transform->ctx_inflate);
+#endif
+
+    mbedtls_cipher_free(&transform->cipher_ctx_enc);
+    mbedtls_cipher_free(&transform->cipher_ctx_dec);
+
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    mbedtls_md_free(&transform->md_ctx_enc);
+    mbedtls_md_free(&transform->md_ctx_dec);
+#endif
+
+    mbedtls_platform_zeroize(transform, sizeof(mbedtls_ssl_transform));
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl) {
+    unsigned offset;
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+
+    if (hs == NULL)
+        return;
+
+    ssl_free_buffered_record(ssl);
+
+    for (offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++)
+        ssl_buffering_free_slot(ssl, offset);
+}
+
+static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
+                                    uint8_t slot) {
+    mbedtls_ssl_handshake_params *const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer *const hs_buf = &hs->buffering.hs[slot];
+
+    if (slot >= MBEDTLS_SSL_MAX_BUFFERED_HS)
+        return;
+
+    if (hs_buf->is_valid == 1) {
+        hs->buffering.total_bytes_buffered -= hs_buf->data_len;
+        mbedtls_platform_zeroize(hs_buf->data, hs_buf->data_len);
+        mbedtls_free(hs_buf->data);
+        memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
+    }
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
+ * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
+ */
+void mbedtls_ssl_write_version(int major, int minor, int transport,
+                               unsigned char ver[2]) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        if (minor == MBEDTLS_SSL_MINOR_VERSION_2)
+            --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+
+        ver[0] = (unsigned char)(255 - (major - 2));
+        ver[1] = (unsigned char)(255 - (minor - 1));
+    } else
+#else
+    ((void) transport);
+#endif
+    {
+        ver[0] = (unsigned char) major;
+        ver[1] = (unsigned char) minor;
+    }
+}
+
+void mbedtls_ssl_read_version(int *major, int *minor, int transport,
+                              const unsigned char ver[2]) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        *major = 255 - ver[0] + 2;
+        *minor = 255 - ver[1] + 1;
+
+        if (*minor == MBEDTLS_SSL_MINOR_VERSION_1)
+            ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+    } else
+#else
+    ((void) transport);
+#endif
+    {
+        *major = ver[0];
+        *minor = ver[1];
+    }
+}
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/common/mbedtls/ssl_srv.c b/common/mbedtls/ssl_srv.c
new file mode 100644
index 000000000..3d15931aa
--- /dev/null
+++ b/common/mbedtls/ssl_srv.c
@@ -0,0 +1,4396 @@
+/*
+ *  SSLv3/TLSv1 server-side functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
+                                        const unsigned char *info,
+                                        size_t ilen) {
+    if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    mbedtls_free(ssl->cli_id);
+
+    if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL)
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+    memcpy(ssl->cli_id, info, ilen);
+    ssl->cli_id_len = ilen;
+
+    return (0);
+}
+
+void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
+                                   mbedtls_ssl_cookie_write_t *f_cookie_write,
+                                   mbedtls_ssl_cookie_check_t *f_cookie_check,
+                                   void *p_cookie) {
+    conf->f_cookie_write = f_cookie_write;
+    conf->f_cookie_check = f_cookie_check;
+    conf->p_cookie       = p_cookie;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_parse_servername_ext(mbedtls_ssl_context *ssl,
+                                    const unsigned char *buf,
+                                    size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t servername_list_size, hostname_len;
+    const unsigned char *p;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
+
+    if (len < 2) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+    servername_list_size = ((buf[0] << 8) | (buf[1]));
+    if (servername_list_size + 2 != len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    p = buf + 2;
+    while (servername_list_size > 2) {
+        hostname_len = ((p[1] << 8) | p[2]);
+        if (hostname_len + 3 > servername_list_size) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
+            ret = ssl->conf->f_sni(ssl->conf->p_sni,
+                                   ssl, p + 3, hostname_len);
+            if (ret != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+            return (0);
+        }
+
+        servername_list_size -= hostname_len + 3;
+        p += hostname_len + 3;
+    }
+
+    if (servername_list_size != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) {
+    if (conf->f_psk != NULL)
+        return (1);
+
+    if (conf->psk_identity_len == 0 || conf->psk_identity == NULL)
+        return (0);
+
+    if (conf->psk != NULL && conf->psk_len != 0)
+        return (1);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (! mbedtls_svc_key_id_is_null(conf->psk_opaque))
+        return (1);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    return (0);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int ssl_use_opaque_psk(mbedtls_ssl_context const *ssl) {
+    if (ssl->conf->f_psk != NULL) {
+        /* If we've used a callback to select the PSK,
+         * the static configuration is irrelevant. */
+
+        if (! mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque))
+            return (1);
+
+        return (0);
+    }
+
+    if (! mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque))
+        return (1);
+
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf,
+                                        size_t len) {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if (len    != 1 + ssl->verify_data_len ||
+                buf[0] !=     ssl->verify_data_len ||
+                mbedtls_ssl_safer_memcmp(buf + 1, ssl->peer_verify_data,
+                                         ssl->verify_data_len) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+    } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if (len != 1 || buf[0] != 0x0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
+static int ssl_parse_signature_algorithms_ext(mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len) {
+    size_t sig_alg_list_size;
+
+    const unsigned char *p;
+    const unsigned char *end = buf + len;
+
+    mbedtls_md_type_t md_cur;
+    mbedtls_pk_type_t sig_cur;
+
+    if (len < 2) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+    sig_alg_list_size = ((buf[0] << 8) | (buf[1]));
+    if (sig_alg_list_size + 2 != len ||
+            sig_alg_list_size % 2 != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* Currently we only guarantee signing the ServerKeyExchange message according
+     * to the constraints specified in this extension (see above), so it suffices
+     * to remember only one suitable hash for each possible signature algorithm.
+     *
+     * This will change when we also consider certificate signatures,
+     * in which case we will need to remember the whole signature-hash
+     * pair list from the extension.
+     */
+
+    for (p = buf + 2; p < end; p += 2) {
+        /* Silently ignore unknown signature or hash algorithms. */
+
+        if ((sig_cur = mbedtls_ssl_pk_alg_from_sig(p[1])) == MBEDTLS_PK_NONE) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext"
+                                      " unknown sig alg encoding %d", p[1]));
+            continue;
+        }
+
+        /* Check if we support the hash the user proposes */
+        md_cur = mbedtls_ssl_md_alg_from_hash(p[0]);
+        if (md_cur == MBEDTLS_MD_NONE) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
+                                      " unknown hash alg encoding %d", p[0]));
+            continue;
+        }
+
+        if (mbedtls_ssl_check_sig_hash(ssl, md_cur) == 0) {
+            mbedtls_ssl_sig_hash_set_add(&ssl->handshake->hash_algs, sig_cur, md_cur);
+            MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
+                                      " match sig %u and hash %u",
+                                      (unsigned) sig_cur, (unsigned) md_cur));
+        } else {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: "
+                                      "hash alg %u not supported", (unsigned) md_cur));
+        }
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_elliptic_curves(mbedtls_ssl_context *ssl,
+                                               const unsigned char *buf,
+                                               size_t len) {
+    size_t list_size, our_size;
+    const unsigned char *p;
+    const mbedtls_ecp_curve_info *curve_info, **curves;
+
+    if (len < 2) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+    list_size = ((buf[0] << 8) | (buf[1]));
+    if (list_size + 2 != len ||
+            list_size % 2 != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* Should never happen unless client duplicates the extension */
+    if (ssl->handshake->curves != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* Don't allow our peer to make us allocate too much memory,
+     * and leave room for a final 0 */
+    our_size = list_size / 2 + 1;
+    if (our_size > MBEDTLS_ECP_DP_MAX)
+        our_size = MBEDTLS_ECP_DP_MAX;
+
+    if ((curves = mbedtls_calloc(our_size, sizeof(*curves))) == NULL) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    ssl->handshake->curves = curves;
+
+    p = buf + 2;
+    while (list_size > 0 && our_size > 1) {
+        curve_info = mbedtls_ecp_curve_info_from_tls_id((p[0] << 8) | p[1]);
+
+        if (curve_info != NULL) {
+            *curves++ = curve_info;
+            our_size--;
+        }
+
+        list_size -= 2;
+        p += 2;
+    }
+
+    return (0);
+}
+
+static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
+                                             const unsigned char *buf,
+                                             size_t len) {
+    size_t list_size;
+    const unsigned char *p;
+
+    if (len == 0 || (size_t)(buf[0] + 1) != len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while (list_size > 0) {
+        if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
+            return (0);
+        }
+
+        list_size--;
+        p++;
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
+                                  const unsigned char *buf,
+                                  size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
+        return (0);
+    }
+
+    if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
+                                              buf, len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (ret);
+    }
+
+    /* Only mark the extension as OK when we're sure it is */
+    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+                                             const unsigned char *buf,
+                                             size_t len) {
+    if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ssl->session_negotiate->mfl_code = buf[0];
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
+                             const unsigned char *buf,
+                             size_t len) {
+    size_t peer_cid_len;
+
+    /* CID extension only makes sense in DTLS */
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /*
+     * Quoting draft-ietf-tls-dtls-connection-id-05
+     * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+     *
+     *   struct {
+     *      opaque cid<0..2^8-1>;
+     *   } ConnectionId;
+    */
+
+    if (len < 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    peer_cid_len = *buf++;
+    len--;
+
+    if (len != peer_cid_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* Ignore CID if the user has disabled its use. */
+    if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+        /* Leave ssl->handshake->cid_in_use in its default
+         * value of MBEDTLS_SSL_CID_DISABLED. */
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
+        return (0);
+    }
+
+    if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
+    ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
+    memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
+    MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf,
+                                        size_t len) {
+    if (len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ((void) buf);
+
+    if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED)
+        ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+                                          const unsigned char *buf,
+                                          size_t len) {
+    if (len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ((void) buf);
+
+    if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+            ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
+                                     const unsigned char *buf,
+                                     size_t len) {
+    if (len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ((void) buf);
+
+    if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+            ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
+        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_session session;
+
+    mbedtls_ssl_session_init(&session);
+
+    if (ssl->conf->f_ticket_parse == NULL ||
+            ssl->conf->f_ticket_write == NULL) {
+        return (0);
+    }
+
+    /* Remember the client asked us to send a new ticket */
+    ssl->handshake->new_session_ticket = 1;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
+
+    if (len == 0)
+        return (0);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
+        return (0);
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    /*
+     * Failures are ok: just ignore the ticket and proceed.
+     */
+    if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
+                                         buf, len)) != 0) {
+        mbedtls_ssl_session_free(&session);
+
+        if (ret == MBEDTLS_ERR_SSL_INVALID_MAC)
+            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
+        else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED)
+            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
+        else
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
+
+        return (0);
+    }
+
+    /*
+     * Keep the session ID sent by the client, since we MUST send it back to
+     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
+     */
+    session.id_len = ssl->session_negotiate->id_len;
+    memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
+
+    mbedtls_ssl_session_free(ssl->session_negotiate);
+    memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
+
+    /* Zeroize instead of free as we copied the content */
+    mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
+
+    ssl->handshake->resume = 1;
+
+    /* Don't send a new ticket after all, this one is OK */
+    ssl->handshake->new_session_ticket = 0;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
+                              const unsigned char *buf, size_t len) {
+    size_t list_len, cur_len, ours_len;
+    const unsigned char *theirs, *start, *end;
+    const char **ours;
+
+    /* If ALPN not configured, just ignore the extension */
+    if (ssl->conf->alpn_list == NULL)
+        return (0);
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if (len < 4) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    list_len = (buf[0] << 8) | buf[1];
+    if (list_len != len - 2) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /*
+     * Validate peer's list (lengths)
+     */
+    start = buf + 2;
+    end = buf + len;
+    for (theirs = start; theirs != end; theirs += cur_len) {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if (cur_len > (size_t)(end - theirs)) {
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        /* Empty strings MUST NOT be included */
+        if (cur_len == 0) {
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+    }
+
+    /*
+     * Use our order of preference
+     */
+    for (ours = ssl->conf->alpn_list; *ours != NULL; ours++) {
+        ours_len = strlen(*ours);
+        for (theirs = start; theirs != end; theirs += cur_len) {
+            cur_len = *theirs++;
+
+            if (cur_len == ours_len &&
+                    memcmp(theirs, *ours, cur_len) == 0) {
+                ssl->alpn_chosen = *ours;
+                return (0);
+            }
+        }
+    }
+
+    /* If we get there, no match was found */
+    mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                   MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL);
+    return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
+                                  const unsigned char *buf,
+                                  size_t len) {
+    mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
+    size_t i, j;
+    size_t profile_length;
+    uint16_t mki_length;
+    /*! 2 bytes for profile length and 1 byte for mki len */
+    const size_t size_of_lengths = 3;
+
+    /* If use_srtp is not configured, just ignore the extension */
+    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+            (ssl->conf->dtls_srtp_profile_list == NULL) ||
+            (ssl->conf->dtls_srtp_profile_list_len == 0)) {
+        return (0);
+    }
+
+    /* RFC5764 section 4.1.1
+     * uint8 SRTPProtectionProfile[2];
+     *
+     * struct {
+     *   SRTPProtectionProfiles SRTPProtectionProfiles;
+     *   opaque srtp_mki<0..255>;
+     * } UseSRTPData;
+
+     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+     */
+
+    /*
+     * Min length is 5: at least one protection profile(2 bytes)
+     *                  and length(2 bytes) + srtp_mki length(1 byte)
+     * Check here that we have at least 2 bytes of protection profiles length
+     * and one of srtp_mki length
+     */
+    if (len < size_of_lengths) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+    /* first 2 bytes are protection profile length(in bytes) */
+    profile_length = (buf[0] << 8) | buf[1];
+    buf += 2;
+
+    /* The profile length cannot be bigger than input buffer size - lengths fields */
+    if (profile_length > len - size_of_lengths ||
+            profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+    /*
+     * parse the extension list values are defined in
+     * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+     */
+    for (j = 0; j < profile_length; j += 2) {
+        uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
+        client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
+
+        if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
+                                      mbedtls_ssl_get_srtp_profile_as_string(
+                                          client_protection)));
+        } else {
+            continue;
+        }
+        /* check if suggested profile is in our list */
+        for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
+            if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
+                ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+                MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
+                                          mbedtls_ssl_get_srtp_profile_as_string(
+                                              client_protection)));
+                break;
+            }
+        }
+        if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET)
+            break;
+    }
+    buf += profile_length; /* buf points to the mki length */
+    mki_length = *buf;
+    buf++;
+
+    if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
+            mki_length + profile_length + size_of_lengths != len) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* Parse the mki only if present and mki is supported locally */
+    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
+            mki_length > 0) {
+        ssl->dtls_srtp_info.mki_len = mki_length;
+
+        memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "using mki",  ssl->dtls_srtp_info.mki_value,
+                              ssl->dtls_srtp_info.mki_len);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * Auxiliary functions for ServerHello parsing and related actions
+ */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_ECDSA_C)
+static int ssl_check_key_curve(mbedtls_pk_context *pk,
+                               const mbedtls_ecp_curve_info **curves) {
+    const mbedtls_ecp_curve_info **crv = curves;
+    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
+
+    while (*crv != NULL) {
+        if ((*crv)->grp_id == grp_id)
+            return (0);
+        crv++;
+    }
+
+    return (-1);
+}
+#endif /* MBEDTLS_ECDSA_C */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+static int ssl_pick_cert(mbedtls_ssl_context *ssl,
+                         const mbedtls_ssl_ciphersuite_t *ciphersuite_info) {
+    mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
+    mbedtls_pk_type_t pk_alg =
+        mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
+    uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if (ssl->handshake->sni_key_cert != NULL)
+        list = ssl->handshake->sni_key_cert;
+    else
+#endif
+        list = ssl->conf->key_cert;
+
+    if (pk_alg == MBEDTLS_PK_NONE)
+        return (0);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
+
+    if (list == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
+        return (-1);
+    }
+
+    for (cur = list; cur != NULL; cur = cur->next) {
+        flags = 0;
+        MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
+                              cur->cert);
+
+        if (! mbedtls_pk_can_do(&cur->cert->pk, pk_alg)) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
+            continue;
+        }
+
+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
+                                         MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
+                                      "(extended) key usage extension"));
+            continue;
+        }
+
+#if defined(MBEDTLS_ECDSA_C)
+        if (pk_alg == MBEDTLS_PK_ECDSA &&
+                ssl_check_key_curve(&cur->cert->pk, ssl->handshake->curves) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
+            continue;
+        }
+#endif
+
+        /*
+         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
+         * present them a SHA-higher cert rather than failing if it's the only
+         * one we got that satisfies the other conditions.
+         */
+        if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
+                cur->cert->sig_md != MBEDTLS_MD_SHA1) {
+            if (fallback == NULL)
+                fallback = cur;
+            {
+                MBEDTLS_SSL_DEBUG_MSG(3, ("certificate not preferred: "
+                                          "sha-2 with pre-TLS 1.2 client"));
+                continue;
+            }
+        }
+
+        /* If we get there, we got a winner */
+        break;
+    }
+
+    if (cur == NULL)
+        cur = fallback;
+
+    /* Do not update ssl->handshake->key_cert unless there is a match */
+    if (cur != NULL) {
+        ssl->handshake->key_cert = cur;
+        MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
+                              ssl->handshake->key_cert->cert);
+        return (0);
+    }
+
+    return (-1);
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Check if a given ciphersuite is suitable for use with our config/keys/etc
+ * Sets ciphersuite_info only if the suite matches.
+ */
+static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
+                                 const mbedtls_ssl_ciphersuite_t **ciphersuite_info) {
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    mbedtls_pk_type_t sig_type;
+#endif
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
+    if (suite_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
+                              (unsigned int) suite_id, suite_info->name));
+
+    if (suite_info->min_minor_ver > ssl->minor_ver ||
+            suite_info->max_minor_ver < ssl->minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
+        return (0);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS))
+        return (0);
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: rc4"));
+        return (0);
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
+                                  "not configured or ext missing"));
+        return (0);
+    }
+#endif
+
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+    if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
+            (ssl->handshake->curves == NULL ||
+             ssl->handshake->curves[0] == NULL)) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
+                                  "no common elliptic curve"));
+        return (0);
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    /* If the ciphersuite requires a pre-shared key and we don't
+     * have one, skip it now rather than failing later */
+    if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
+            ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
+        return (0);
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    /* If the ciphersuite requires signing, check whether
+     * a suitable hash algorithm is present. */
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
+        if (sig_type != MBEDTLS_PK_NONE &&
+                mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs, sig_type) == MBEDTLS_MD_NONE) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
+                                      "for signature algorithm %u", (unsigned) sig_type));
+            return (0);
+        }
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * Final check: if ciphersuite requires us to have a
+     * certificate/key of a particular type:
+     * - select the appropriate certificate if we have one, or
+     * - try the next ciphersuite if we don't
+     * This must be done last since we modify the key_cert list.
+     */
+    if (ssl_pick_cert(ssl, suite_info) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
+                                  "no suitable certificate"));
+        return (0);
+    }
+#endif
+
+    *ciphersuite_info = suite_info;
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+static int ssl_parse_client_hello_v2(mbedtls_ssl_context *ssl) {
+    int ret, got_common_suite;
+    unsigned int i, j;
+    size_t n;
+    unsigned int ciph_len, sess_len, chal_len;
+    unsigned char *buf, *p;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello v2"));
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("client hello v2 illegal for renegotiation"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    buf = ssl->in_hdr;
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, 5);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message type: %d",
+                              buf[2]));
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message len.: %d",
+                              ((buf[0] & 0x7F) << 8) | buf[1]));
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, max. version: [%d:%d]",
+                              buf[3], buf[4]));
+
+    /*
+     * SSLv2 Client Hello
+     *
+     * Record layer:
+     *     0  .   1   message length
+     *
+     * SSL layer:
+     *     2  .   2   message type
+     *     3  .   4   protocol version
+     */
+    if (buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
+            buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    n = ((buf[0] << 8) | buf[1]) & 0x7FFF;
+
+    if (n < 17 || n > 512) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = (buf[4] <= ssl->conf->max_minor_ver)
+                     ? buf[4]  : ssl->conf->max_minor_ver;
+
+    if (ssl->minor_ver < ssl->conf->min_minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
+                                  " [%d:%d] < [%d:%d]",
+                                  ssl->major_ver, ssl->minor_ver,
+                                  ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
+
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+        return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
+    }
+
+    ssl->handshake->max_major_ver = buf[3];
+    ssl->handshake->max_minor_ver = buf[4];
+
+    if ((ret = mbedtls_ssl_fetch_input(ssl, 2 + n)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+        return (ret);
+    }
+
+    ssl->handshake->update_checksum(ssl, buf + 2, n);
+
+    buf = ssl->in_msg;
+    n = ssl->in_left - 5;
+
+    /*
+     *    0  .   1   ciphersuitelist length
+     *    2  .   3   session id length
+     *    4  .   5   challenge length
+     *    6  .  ..   ciphersuitelist
+     *   ..  .  ..   session id
+     *   ..  .  ..   challenge
+     */
+    MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, n);
+
+    ciph_len = (buf[0] << 8) | buf[1];
+    sess_len = (buf[2] << 8) | buf[3];
+    chal_len = (buf[4] << 8) | buf[5];
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ciph_len: %u, sess_len: %u, chal_len: %u",
+                              ciph_len, sess_len, chal_len));
+
+    /*
+     * Make sure each parameter length is valid
+     */
+    if (ciph_len < 3 || (ciph_len % 3) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    if (sess_len > 32) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    if (chal_len < 8 || chal_len > 32) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    if (n != 6 + ciph_len + sess_len + chal_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
+                          buf + 6, ciph_len);
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
+                          buf + 6 + ciph_len, sess_len);
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, challenge",
+                          buf + 6 + ciph_len + sess_len, chal_len);
+
+    p = buf + 6 + ciph_len;
+    ssl->session_negotiate->id_len = sess_len;
+    memset(ssl->session_negotiate->id, 0,
+           sizeof(ssl->session_negotiate->id));
+    memcpy(ssl->session_negotiate->id, p, ssl->session_negotiate->id_len);
+
+    p += sess_len;
+    memset(ssl->handshake->randbytes, 0, 64);
+    memcpy(ssl->handshake->randbytes + 32 - chal_len, p, chal_len);
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
+        if (p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
+                                          "during renegotiation"));
+
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
+        if (p[0] == 0 &&
+                p[1] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8) & 0xff) &&
+                p[2] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE) & 0xff)) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("received FALLBACK_SCSV"));
+
+            if (ssl->minor_ver < ssl->conf->max_minor_ver) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
+
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
+
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3)
+        for (i = 0; ciphersuites[i] != 0; i++)
+#else
+    for (i = 0; ciphersuites[i] != 0; i++)
+        for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3)
+#endif
+        {
+            if (p[0] != 0 ||
+                    p[1] != ((ciphersuites[i] >> 8) & 0xFF) ||
+                    p[2] != ((ciphersuites[i]) & 0xFF))
+                continue;
+
+            got_common_suite = 1;
+
+            if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
+                                             &ciphersuite_info)) != 0)
+                return (ret);
+
+            if (ciphersuite_info != NULL)
+                goto have_ciphersuite_v2;
+        }
+
+    if (got_common_suite) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
+                                  "but none of them usable"));
+        return (MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE);
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
+        return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
+    }
+
+have_ciphersuite_v2:
+    MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->handshake->ciphersuite_info = ciphersuite_info;
+
+    /*
+     * SSLv2 Client Hello relevant renegotiation security checks
+     */
+    if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+            ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    ssl->in_left = 0;
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello v2"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+/* This function doesn't alert on errors that happen early during
+   ClientHello parsing because they might indicate that the client is
+   not talking SSL/TLS at all and would not understand our alert. */
+static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) {
+    int ret, got_common_suite;
+    size_t i, j;
+    size_t ciph_offset, comp_offset, ext_offset;
+    size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    size_t cookie_offset, cookie_len;
+#endif
+    unsigned char *buf, *p, *ext;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    int major, minor;
+
+    /* If there is no signature-algorithm extension present,
+     * we need to fall back to the default values for allowed
+     * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
+    /*
+     * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
+     * otherwise read it ourselves manually in order to support SSLv2
+     * ClientHello, which doesn't use the same record layer format.
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+    {
+        if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
+            /* No alert on a read error. */
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+            return (ret);
+        }
+    }
+
+    buf = ssl->in_hdr;
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM)
+#endif
+        if ((buf[0] & 0x80) != 0)
+            return (ssl_parse_client_hello_v2(ssl));
+#endif
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
+
+    /*
+     * SSLv3/TLS Client Hello
+     *
+     * Record layer:
+     *     0  .   0   message type
+     *     1  .   2   protocol version
+     *     3  .   11  DTLS: epoch + record sequence number
+     *     3  .   4   message length
+     */
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message type: %d",
+                              buf[0]));
+
+    if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message len.: %d",
+                              (ssl->in_len[0] << 8) | ssl->in_len[1]));
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, protocol version: [%d:%d]",
+                              buf[1], buf[2]));
+
+    mbedtls_ssl_read_version(&major, &minor, ssl->conf->transport, buf + 1);
+
+    /* According to RFC 5246 Appendix E.1, the version here is typically
+     * "{03,00}, the lowest version number supported by the client, [or] the
+     * value of ClientHello.client_version", so the only meaningful check here
+     * is the major version shouldn't be less than 3 */
+    if (major < MBEDTLS_SSL_MAJOR_VERSION_3) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /* For DTLS if this is the initial handshake, remember the client sequence
+     * number to use it in our next message (RFC 6347 4.2.1) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+       ) {
+        /* Epoch should be 0 for initial handshakes */
+        if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        memcpy(ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6);
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
+            ssl->next_record_offset = 0;
+            ssl->in_left = 0;
+            goto read_record_header;
+        }
+
+        /* No MAC to check yet, so we can update right now */
+        mbedtls_ssl_dtls_replay_update(ssl);
+#endif
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        /* Set by mbedtls_ssl_read_record() */
+        msg_len = ssl->in_hslen;
+    } else
+#endif
+    {
+        if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        if ((ret = mbedtls_ssl_fetch_input(ssl,
+                                           mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+            return (ret);
+        }
+
+        /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+            ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
+        else
+#endif
+            ssl->in_left = 0;
+    }
+
+    buf = ssl->in_msg;
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
+
+    ssl->handshake->update_checksum(ssl, buf, msg_len);
+
+    /*
+     * Handshake layer:
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   DTLS only: message seqence number
+     *     6  .   8   DTLS only: fragment offset
+     *     9  .  11   DTLS only: fragment length
+     */
+    if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
+
+    if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %d",
+                              (buf[1] << 16) | (buf[2] << 8) | buf[3]));
+
+    /* We don't support fragmentation of ClientHello (yet?) */
+    if (buf[1] != 0 ||
+            msg_len != mbedtls_ssl_hs_hdr_len(ssl) + ((buf[2] << 8) | buf[3])) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        /*
+         * Copy the client's handshake message_seq on initial handshakes,
+         * check sequence number on renego.
+         */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+            /* This couldn't be done in ssl_prepare_handshake_record() */
+            unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
+                                       ssl->in_msg[5];
+
+            if (cli_msg_seq != ssl->handshake->in_msg_seq) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
+                                          "%u (expected %u)", cli_msg_seq,
+                                          ssl->handshake->in_msg_seq));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+
+            ssl->handshake->in_msg_seq++;
+        } else
+#endif
+        {
+            unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
+                                       ssl->in_msg[5];
+            ssl->handshake->out_msg_seq = cli_msg_seq;
+            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
+        }
+
+        /*
+         * For now we don't support fragmentation, so make sure
+         * fragment_offset == 0 and fragment_length == length
+         */
+        if (ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
+                memcmp(ssl->in_msg + 1, ssl->in_msg + 9, 3) != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
+            return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    buf += mbedtls_ssl_hs_hdr_len(ssl);
+    msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
+
+    /*
+     * ClientHello layer:
+     *     0  .   1   protocol version
+     *     2  .  33   random bytes (starting with 4 bytes of Unix time)
+     *    34  .  35   session id length (1 byte)
+     *    35  . 34+x  session id
+     *   35+x . 35+x  DTLS only: cookie length (1 byte)
+     *   36+x .  ..   DTLS only: cookie
+     *    ..  .  ..   ciphersuite list length (2 bytes)
+     *    ..  .  ..   ciphersuite list
+     *    ..  .  ..   compression alg. list length (1 byte)
+     *    ..  .  ..   compression alg. list
+     *    ..  .  ..   extensions length (2 bytes, optional)
+     *    ..  .  ..   extensions (optional)
+     */
+
+    /*
+     * Minimal length (with everything empty and extensions omitted) is
+     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+     * read at least up to session id length without worrying.
+     */
+    if (msg_len < 38) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /*
+     * Check and save the protocol version
+     */
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
+
+    mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
+                             ssl->conf->transport, buf);
+
+    ssl->handshake->max_major_ver = ssl->major_ver;
+    ssl->handshake->max_minor_ver = ssl->minor_ver;
+
+    if (ssl->major_ver < ssl->conf->min_major_ver ||
+            ssl->minor_ver < ssl->conf->min_minor_ver) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
+                                  " [%d:%d] < [%d:%d]",
+                                  ssl->major_ver, ssl->minor_ver,
+                                  ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+        return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
+    }
+
+    if (ssl->major_ver > ssl->conf->max_major_ver) {
+        ssl->major_ver = ssl->conf->max_major_ver;
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+    } else if (ssl->minor_ver > ssl->conf->max_minor_ver)
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+
+    /*
+     * Save client random (inc. Unix time)
+     */
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
+
+    memcpy(ssl->handshake->randbytes, buf + 2, 32);
+
+    /*
+     * Check the session ID length and save session ID
+     */
+    sess_len = buf[34];
+
+    if (sess_len > sizeof(ssl->session_negotiate->id) ||
+            sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
+
+    ssl->session_negotiate->id_len = sess_len;
+    memset(ssl->session_negotiate->id, 0,
+           sizeof(ssl->session_negotiate->id));
+    memcpy(ssl->session_negotiate->id, buf + 35,
+           ssl->session_negotiate->id_len);
+
+    /*
+     * Check the cookie length and content
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        cookie_offset = 35 + sess_len;
+        cookie_len = buf[cookie_offset];
+
+        if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
+                              buf + cookie_offset + 1, cookie_len);
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+        if (ssl->conf->f_cookie_check != NULL
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+           ) {
+            if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
+                                          buf + cookie_offset + 1, cookie_len,
+                                          ssl->cli_id, ssl->cli_id_len) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
+                ssl->handshake->verify_cookie_len = 1;
+            } else {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
+                ssl->handshake->verify_cookie_len = 0;
+            }
+        } else
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+        {
+            /* We know we didn't send a cookie, so it should be empty */
+            if (cookie_len != 0) {
+                /* This may be an attacker's probe, so don't send an alert */
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
+        }
+
+        /*
+         * Check the ciphersuitelist length (will be parsed later)
+         */
+        ciph_offset = cookie_offset + 1 + cookie_len;
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        ciph_offset = 35 + sess_len;
+
+    ciph_len = (buf[ciph_offset + 0] << 8)
+               | (buf[ciph_offset + 1]);
+
+    if (ciph_len < 2 ||
+            ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
+            (ciph_len % 2) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
+                          buf + ciph_offset + 2,  ciph_len);
+
+    /*
+     * Check the compression algorithms length and pick one
+     */
+    comp_offset = ciph_offset + 2 + ciph_len;
+
+    comp_len = buf[comp_offset];
+
+    if (comp_len < 1 ||
+            comp_len > 16 ||
+            comp_len + comp_offset + 1 > msg_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
+                          buf + comp_offset + 1, comp_len);
+
+    ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    for (i = 0; i < comp_len; ++i) {
+        if (buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE) {
+            ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
+            break;
+        }
+    }
+#endif
+
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#endif
+
+    /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
+#endif
+        /*
+         * Check the extension length
+         */
+        ext_offset = comp_offset + 1 + comp_len;
+        if (msg_len > ext_offset) {
+            if (msg_len < ext_offset + 2) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+
+            ext_len = (buf[ext_offset + 0] << 8)
+                      | (buf[ext_offset + 1]);
+
+            if ((ext_len > 0 && ext_len < 4) ||
+                    msg_len != ext_offset + 2 + ext_len) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+        } else
+            ext_len = 0;
+
+        ext = buf + ext_offset + 2;
+        MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
+
+        while (ext_len != 0) {
+            unsigned int ext_id;
+            unsigned int ext_size;
+            if (ext_len < 4) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+            ext_id   = ((ext[0] <<  8) | (ext[1]));
+            ext_size = ((ext[2] <<  8) | (ext[3]));
+
+            if (ext_size + 4 > ext_len) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+            switch (ext_id) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+                case MBEDTLS_TLS_EXT_SERVERNAME:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
+                    if (ssl->conf->f_sni == NULL)
+                        break;
+
+                    ret = ssl_parse_servername_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+                case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                    renegotiation_info_seen = 1;
+#endif
+
+                    ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+                case MBEDTLS_TLS_EXT_SIG_ALG:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
+
+                    ret = ssl_parse_signature_algorithms_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+
+                    sig_hash_alg_ext_present = 1;
+                    break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+                case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
+
+                    ret = ssl_parse_supported_elliptic_curves(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+
+                case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
+                    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+
+                    ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+                case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
+
+                    ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+                case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
+
+                    ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+                case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated hmac extension"));
+
+                    ret = ssl_parse_truncated_hmac_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+                case MBEDTLS_TLS_EXT_CID:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
+
+                    ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
+
+                    ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+                case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
+
+                    ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+                case MBEDTLS_TLS_EXT_SESSION_TICKET:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
+
+                    ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+                case MBEDTLS_TLS_EXT_ALPN:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+                    ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+                case MBEDTLS_TLS_EXT_USE_SRTP:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
+
+                    ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
+                    if (ret != 0)
+                        return (ret);
+                    break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+                default:
+                    MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
+                                              ext_id));
+            }
+
+            ext_len -= 4 + ext_size;
+            ext += 4 + ext_size;
+
+            if (ext_len > 0 && ext_len < 4) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+        }
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
+        if (p[0] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8) & 0xff) &&
+                p[1] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE) & 0xff)) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("received FALLBACK_SCSV"));
+
+            if (ssl->minor_ver < ssl->conf->max_minor_ver) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
+
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
+
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+    /*
+     * Try to fall back to default hash SHA1 if the client
+     * hasn't provided any preferred signature-hash combinations.
+     */
+    if (sig_hash_alg_ext_present == 0) {
+        mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+        if (mbedtls_ssl_check_sig_hash(ssl, md_default) != 0)
+            md_default = MBEDTLS_MD_NONE;
+
+        mbedtls_ssl_sig_hash_set_const_hash(&ssl->handshake->hash_algs, md_default);
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
+        if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
+                                          "during renegotiation"));
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+            }
+#endif
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+            ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
+        handshake_failure = 1;
+    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+               ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
+        handshake_failure = 1;
+    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+               renegotiation_info_seen == 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if (handshake_failure == 1) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
+    }
+
+    /*
+     * Search for a matching ciphersuite
+     * (At the end because we need information from the EC-based extensions
+     * and certificate from the SNI callback triggered by the SNI extension.)
+     */
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2)
+        for (i = 0; ciphersuites[i] != 0; i++)
+#else
+    for (i = 0; ciphersuites[i] != 0; i++)
+        for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2)
+#endif
+        {
+            if (p[0] != ((ciphersuites[i] >> 8) & 0xFF) ||
+                    p[1] != ((ciphersuites[i]) & 0xFF))
+                continue;
+
+            got_common_suite = 1;
+
+            if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
+                                             &ciphersuite_info)) != 0)
+                return (ret);
+
+            if (ciphersuite_info != NULL)
+                goto have_ciphersuite;
+        }
+
+    if (got_common_suite) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
+                                  "but none of them usable"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE);
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
+    }
+
+have_ciphersuite:
+    MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->handshake->ciphersuite_info = ciphersuite_info;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_recv_flight_completed(ssl);
+#endif
+
+    /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C)                         && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
+        if (sig_alg != MBEDTLS_PK_NONE) {
+            mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
+                                                                     sig_alg);
+            MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %d",
+                                      mbedtls_ssl_hash_from_md_alg(md_alg)));
+        } else {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
+                                      "%u - should not happen", (unsigned) sig_alg));
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen) {
+    unsigned char *p = buf;
+
+    if (ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding truncated hmac extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
+                              unsigned char *buf,
+                              size_t *olen) {
+    unsigned char *p = buf;
+    size_t ext_len;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    /* Skip writing the extension if we don't want to use it or if
+     * the client hasn't offered it. */
+    if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED)
+        return;
+
+    /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
+     * which is at most 255, so the increment cannot overflow. */
+    if (end < p || (size_t)(end - p) < (unsigned)(ssl->own_cid_len + 5)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
+
+    /*
+     * Quoting draft-ietf-tls-dtls-connection-id-05
+     * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+     *
+     *   struct {
+     *      opaque cid<0..2^8-1>;
+     *   } ConnectionId;
+    */
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID) & 0xFF);
+    ext_len = (size_t) ssl->own_cid_len + 1;
+    *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((ext_len) & 0xFF);
+
+    *p++ = (uint8_t) ssl->own_cid_len;
+    memcpy(p, ssl->own_cid, ssl->own_cid_len);
+
+    *olen = ssl->own_cid_len + 5;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+                                           unsigned char *buf,
+                                           size_t *olen) {
+    unsigned char *p = buf;
+    const mbedtls_ssl_ciphersuite_t *suite = NULL;
+    const mbedtls_cipher_info_t *cipher = NULL;
+
+    if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+        *olen = 0;
+        return;
+    }
+
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if ((suite = mbedtls_ssl_ciphersuite_from_id(
+                     ssl->session_negotiate->ciphersuite)) == NULL ||
+            (cipher = mbedtls_cipher_info_from_type(suite->cipher)) == NULL ||
+            cipher->mode != MBEDTLS_MODE_CBC) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
+                                      unsigned char *buf,
+                                      size_t *olen) {
+    unsigned char *p = buf;
+
+    if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
+                              "extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen) {
+    unsigned char *p = buf;
+
+    if (ssl->handshake->new_session_ticket == 0) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen) {
+    unsigned char *p = buf;
+
+    if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO) & 0xFF);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+        *p++ = 0x00;
+        *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
+        *p++ = ssl->verify_data_len * 2 & 0xFF;
+
+        memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
+        p += ssl->verify_data_len;
+        memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
+        p += ssl->verify_data_len;
+    } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        *p++ = 0x00;
+        *p++ = 0x01;
+        *p++ = 0x00;
+    }
+
+    *olen = p - buf;
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+                                              unsigned char *buf,
+                                              size_t *olen) {
+    unsigned char *p = buf;
+
+    if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->session_negotiate->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+                                                  unsigned char *buf,
+                                                  size_t *olen) {
+    unsigned char *p = buf;
+    ((void) ssl);
+
+    if ((ssl->handshake->cli_exts &
+            MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS) & 0xFF);
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       size_t *olen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly computation if not needed */
+    if (ssl->handshake->ciphersuite_info->key_exchange !=
+            MBEDTLS_KEY_EXCHANGE_ECJPAKE)
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
+
+    if (end - p < 4) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+        return;
+    }
+
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8) & 0xFF);
+    *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP) & 0xFF);
+
+    ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
+                                          p + 2, end - p - 2, &kkpp_len,
+                                          ssl->conf->f_rng, ssl->conf->p_rng);
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
+        return;
+    }
+
+    *p++ = (unsigned char)((kkpp_len >> 8) & 0xFF);
+    *p++ = (unsigned char)((kkpp_len) & 0xFF);
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN )
+static void ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
+                               unsigned char *buf, size_t *olen) {
+    if (ssl->alpn_chosen == NULL) {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding alpn extension"));
+
+    /*
+     * 0 . 1    ext identifier
+     * 2 . 3    ext length
+     * 4 . 5    protocol list length
+     * 6 . 6    protocol name length
+     * 7 . 7+n  protocol name
+     */
+    buf[0] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN >> 8) & 0xFF);
+    buf[1] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN) & 0xFF);
+
+    *olen = 7 + strlen(ssl->alpn_chosen);
+
+    buf[2] = (unsigned char)(((*olen - 4) >> 8) & 0xFF);
+    buf[3] = (unsigned char)(((*olen - 4)) & 0xFF);
+
+    buf[4] = (unsigned char)(((*olen - 6) >> 8) & 0xFF);
+    buf[5] = (unsigned char)(((*olen - 6)) & 0xFF);
+
+    buf[6] = (unsigned char)(((*olen - 7)) & 0xFF);
+
+    memcpy(buf + 7, ssl->alpn_chosen, *olen - 7);
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
+static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
+                                   unsigned char *buf,
+                                   size_t *olen) {
+    size_t mki_len = 0, ext_len = 0;
+    uint16_t profile_value = 0;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+            (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
+
+    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+        mki_len = ssl->dtls_srtp_info.mki_len;
+    }
+
+    /* The extension total size is 9 bytes :
+     * - 2 bytes for the extension tag
+     * - 2 bytes for the total size
+     * - 2 bytes for the protection profile length
+     * - 2 bytes for the protection profile
+     * - 1 byte for the mki length
+     * +  the actual mki length
+     * Check we have enough room in the output buffer */
+    if ((size_t)(end - buf) < mki_len + 9) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+        return;
+    }
+
+    /* extension */
+    buf[0] = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP >> 8) & 0xFF);
+    buf[1] = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP) & 0xFF);
+    /*
+     * total length 5 and mki value: only one profile(2 bytes)
+     *              and length(2 bytes) and srtp_mki  )
+     */
+    ext_len = 5 + mki_len;
+    buf[2] = (unsigned char)((ext_len >> 8) & 0xFF);
+    buf[3] = (unsigned char)(ext_len & 0xFF);
+
+    /* protection profile length: 2 */
+    buf[4] = 0x00;
+    buf[5] = 0x02;
+    profile_value = mbedtls_ssl_check_srtp_profile_value(
+                        ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
+    if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
+        buf[6] = (unsigned char)((profile_value >> 8) & 0xFF);
+        buf[7] = (unsigned char)(profile_value & 0xFF);
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
+        return;
+    }
+
+    buf[8] = mki_len & 0xFF;
+    memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
+
+    *olen = 9 + mki_len;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *p = ssl->out_msg + 4;
+    unsigned char *cookie_len_byte;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+
+    /* The RFC is not clear on this point, but sending the actual negotiated
+     * version looks like the most interoperable thing to do. */
+    mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
+                              ssl->conf->transport, p);
+    MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
+    p += 2;
+
+    /* If we get here, f_cookie_check is not null */
+    if (ssl->conf->f_cookie_write == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    /* Skip length byte until we know the length */
+    cookie_len_byte = p++;
+
+    if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
+                                         &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
+                                         ssl->cli_id, ssl->cli_id_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
+        return (ret);
+    }
+
+    *cookie_len_byte = (unsigned char)(p - (cookie_len_byte + 1));
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
+
+    ssl->out_msglen  = p - ssl->out_msg;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+
+    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+        return (ret);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+static int ssl_write_server_hello(mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t olen, ext_len = 0, n;
+    unsigned char *buf, *p;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake->verify_cookie_len != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
+
+        return (ssl_write_hello_verify_request(ssl));
+    }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+    if (ssl->conf->f_rng == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
+        return (MBEDTLS_ERR_SSL_NO_RNG);
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   protocol version
+     *     6  .   9   UNIX time()
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
+                              ssl->conf->transport, p);
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
+                              buf[4], buf[5]));
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time(NULL);
+    *p++ = (unsigned char)(t >> 24);
+    *p++ = (unsigned char)(t >> 16);
+    *p++ = (unsigned char)(t >>  8);
+    *p++ = (unsigned char)(t);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+                              (long long) t));
+#else
+    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0)
+        return (ret);
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0)
+        return (ret);
+
+    p += 28;
+
+    memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
+
+    /*
+     * Resume is 0  by default, see ssl_handshake_init().
+     * It may be already set to 1 by ssl_parse_session_ticket_ext().
+     * If not, try looking up session ID in our cache.
+     */
+    if (ssl->handshake->resume == 0 &&
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
+#endif
+            ssl->session_negotiate->id_len != 0 &&
+            ssl->conf->f_get_cache != NULL &&
+            ssl->conf->f_get_cache(ssl->conf->p_cache, ssl->session_negotiate) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
+        ssl->handshake->resume = 1;
+    }
+
+    if (ssl->handshake->resume == 0) {
+        /*
+         * New session, create a new session id,
+         * unless we're about to issue a session ticket
+         */
+        ssl->state++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        if (ssl->handshake->new_session_ticket != 0) {
+            ssl->session_negotiate->id_len = n = 0;
+            memset(ssl->session_negotiate->id, 0, 32);
+        } else
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+        {
+            ssl->session_negotiate->id_len = n = 32;
+            if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
+                                        n)) != 0)
+                return (ret);
+        }
+    } else {
+        /*
+         * Resuming a session
+         */
+        n = ssl->session_negotiate->id_len;
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+            return (ret);
+        }
+    }
+
+    /*
+     *    38  .  38     session id length
+     *    39  . 38+n    session id
+     *   39+n . 40+n    chosen ciphersuite
+     *   41+n . 41+n    chosen compression alg.
+     *   42+n . 43+n    extensions length
+     *   44+n . 43+n+m  extensions
+     */
+    *p++ = (unsigned char) ssl->session_negotiate->id_len;
+    memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
+    p += ssl->session_negotiate->id_len;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
+    MBEDTLS_SSL_DEBUG_BUF(3,   "server hello, session id", buf + 39, n);
+    MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
+                              ssl->handshake->resume ? "a" : "no"));
+
+    *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite >> 8);
+    *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite);
+    *p++ = (unsigned char)(ssl->session_negotiate->compression);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
+                              mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
+    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
+                              (unsigned int) ssl->session_negotiate->compression));
+
+    /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
+#endif
+
+        /*
+         *  First write extensions, then the total length
+         */
+        ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+        ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+        ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        if (mbedtls_ssl_ciphersuite_uses_ec(
+                    mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite))) {
+            ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
+            ext_len += olen;
+        }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+        ssl_write_alpn_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+        ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
+        ext_len += olen;
+#endif
+
+        MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+                                  ext_len));
+
+        if (ext_len > 0) {
+            *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
+            *p++ = (unsigned char)((ext_len) & 0xFF);
+            p += ext_len;
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
+
+    ret = mbedtls_ssl_write_handshake_msg(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
+
+    return (ret);
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    uint16_t dn_size, total_dn_size; /* excluding length bytes */
+    size_t ct_len, sa_len; /* including length bytes */
+    unsigned char *buf, *p;
+    const unsigned char *const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    const mbedtls_x509_crt *crt;
+    int authmode;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET)
+        authmode = ssl->handshake->sni_authmode;
+    else
+#endif
+        authmode = ssl->conf->authmode;
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
+            authmode == MBEDTLS_SSL_VERIFY_NONE) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
+        return (0);
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   4   cert type count
+     *     5  .. m-1  cert types
+     *     m  .. m+1  sig alg length (TLS 1.2 only)
+     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
+     *     n  .. n+1  length of all DNs
+     *    n+2 .. n+3  length of DN 1
+     *    n+4 .. ...  Distinguished Name #1
+     *    ... .. ...  length of DN 2, etc.
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    /*
+     * Supported certificate types
+     *
+     *     ClientCertificateType certificate_types<1..2^8-1>;
+     *     enum { (255) } ClientCertificateType;
+     */
+    ct_len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
+#endif
+
+    p[0] = (unsigned char) ct_len++;
+    p += ct_len;
+
+    sa_len = 0;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    /*
+     * Add signature_algorithms for verify (TLS 1.2)
+     *
+     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
+     *
+     *     struct {
+     *           HashAlgorithm hash;
+     *           SignatureAlgorithm signature;
+     *     } SignatureAndHashAlgorithm;
+     *
+     *     enum { (255) } HashAlgorithm;
+     *     enum { (255) } SignatureAlgorithm;
+     */
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        const int *cur;
+
+        /*
+         * Supported signature algorithms
+         */
+        for (cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++) {
+            unsigned char hash = mbedtls_ssl_hash_from_md_alg(*cur);
+
+            if (MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md(ssl, hash))
+                continue;
+
+#if defined(MBEDTLS_RSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+        }
+
+        p[0] = (unsigned char)(sa_len >> 8);
+        p[1] = (unsigned char)(sa_len);
+        sa_len += 2;
+        p += sa_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /*
+     * DistinguishedName certificate_authorities<0..2^16-1>;
+     * opaque DistinguishedName<1..2^16-1>;
+     */
+    p += 2;
+
+    total_dn_size = 0;
+
+    if (ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
+        /* NOTE: If trusted certificates are provisioned
+         *       via a CA callback (configured through
+         *       `mbedtls_ssl_conf_ca_cb()`, then the
+         *       CertificateRequest is currently left empty. */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if (ssl->handshake->sni_ca_chain != NULL)
+            crt = ssl->handshake->sni_ca_chain;
+        else
+#endif
+            crt = ssl->conf->ca_chain;
+
+        while (crt != NULL && crt->version != 0) {
+            /* It follows from RFC 5280 A.1 that this length
+             * can be represented in at most 11 bits. */
+            dn_size = (uint16_t) crt->subject_raw.len;
+
+            if (end < p || (size_t)(end - p) < 2 + (size_t) dn_size) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
+                break;
+            }
+
+            *p++ = (unsigned char)(dn_size >> 8);
+            *p++ = (unsigned char)(dn_size);
+            memcpy(p, crt->subject_raw.p, dn_size);
+            p += dn_size;
+
+            MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
+
+            total_dn_size += 2 + dn_size;
+            crt = crt->next;
+        }
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
+    ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)(total_dn_size  >> 8);
+    ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)(total_dn_size);
+
+    ret = mbedtls_ssl_write_handshake_msg(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (! mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECKEY)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
+        return (MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH);
+    }
+
+    if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
+                                       mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)),
+                                       MBEDTLS_ECDH_OURS)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
+                                          size_t *signature_len) {
+    /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+     * signature length which will be added in ssl_write_server_key_exchange
+     * after the call to ssl_prepare_server_key_exchange.
+     * ssl_write_server_key_exchange also takes care of incrementing
+     * ssl->out_msglen. */
+    unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+    size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+                          - sig_start);
+    int ret = ssl->conf->f_async_resume(ssl,
+                                        sig_start, signature_len, sig_max_len);
+    if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data(ssl, NULL);
+    }
+    MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
+    return (ret);
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
+                                           size_t *signature_len) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+    unsigned char *dig_signed = NULL;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+    (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+    (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+    ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
+
+    /*
+     *
+     * Part 1: Provide key exchange parameters for chosen ciphersuite.
+     *
+     */
+
+    /*
+     * - ECJPAKE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        size_t len = 0;
+
+        ret = mbedtls_ecjpake_write_round_two(
+                  &ssl->handshake->ecjpake_ctx,
+                  ssl->out_msg + ssl->out_msglen,
+                  MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+                  ssl->conf->f_rng, ssl->conf->p_rng);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
+            return (ret);
+        }
+
+        ssl->out_msglen += len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+    /*
+     * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+     * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+     * we use empty support identity hints here.
+     **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+    /*
+     * - DHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+    if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        size_t len = 0;
+
+        if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+        }
+
+        /*
+         * Ephemeral DH parameters:
+         *
+         * struct {
+         *     opaque dh_p<1..2^16-1>;
+         *     opaque dh_g<1..2^16-1>;
+         *     opaque dh_Ys<1..2^16-1>;
+         * } ServerDHParams;
+         */
+        if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
+                                         &ssl->conf->dhm_P,
+                                         &ssl->conf->dhm_G)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
+            return (ret);
+        }
+
+        if ((ret = mbedtls_dhm_make_params(
+                       &ssl->handshake->dhm_ctx,
+                       (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
+                       ssl->out_msg + ssl->out_msglen, &len,
+                       ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
+            return (ret);
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
+
+    /*
+     * - ECDHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+    if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
+        /*
+         * Ephemeral ECDH parameters:
+         *
+         * struct {
+         *     ECParameters curve_params;
+         *     ECPoint      public;
+         * } ServerECDHParams;
+         */
+        const mbedtls_ecp_curve_info **curve = NULL;
+        const mbedtls_ecp_group_id *gid;
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        size_t len = 0;
+
+        /* Match our preference list against the offered curves */
+        for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++)
+            for (curve = ssl->handshake->curves; *curve != NULL; curve++)
+                if ((*curve)->grp_id == *gid)
+                    goto curve_matching_done;
+
+curve_matching_done:
+        if (curve == NULL || *curve == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
+            return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", (*curve)->name));
+
+        if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
+                                      (*curve)->grp_id)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
+            return (ret);
+        }
+
+        if ((ret = mbedtls_ecdh_make_params(
+                       &ssl->handshake->ecdh_ctx, &len,
+                       ssl->out_msg + ssl->out_msglen,
+                       MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+                       ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
+            return (ret);
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                               MBEDTLS_DEBUG_ECDH_Q);
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
+
+    /*
+     *
+     * Part 2: For key exchanges involving the server signing the
+     *         exchange parameters, compute and add the signature here.
+     *
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+    if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
+        size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+        size_t hashlen = 0;
+        unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+        /*
+         * 2.1: Choose hash algorithm:
+         * A: For TLS 1.2, obey signature-hash-algorithm extension
+         *    to choose appropriate hash.
+         * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
+         *    (RFC 4492, Sec. 5.4)
+         * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
+         */
+
+        mbedtls_md_type_t md_alg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        mbedtls_pk_type_t sig_alg =
+            mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+            /* A: For TLS 1.2, obey signature-hash-algorithm extension
+             *    (RFC 5246, Sec. 7.4.1.4.1). */
+            if (sig_alg == MBEDTLS_PK_NONE ||
+                    (md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
+                                                            sig_alg)) == MBEDTLS_MD_NONE) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                /* (... because we choose a cipher suite
+                 *      only if there is a matching hash.) */
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+        } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
+                /* B: Default hash SHA1 */
+                md_alg = MBEDTLS_MD_SHA1;
+            } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+            {
+                /* C: MD5 + SHA1 */
+                md_alg = MBEDTLS_MD_NONE;
+            }
+
+        MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
+
+        /*
+         * 2.2: Compute the hash to be signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if (md_alg == MBEDTLS_MD_NONE) {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash,
+                                                          dig_signed,
+                                                          dig_signed_len);
+            if (ret != 0)
+                return (ret);
+        } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if (md_alg != MBEDTLS_MD_NONE) {
+                ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
+                                                             dig_signed,
+                                                             dig_signed_len,
+                                                             md_alg);
+                if (ret != 0)
+                    return (ret);
+            } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+            }
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
+
+        /*
+         * 2.3: Compute and add the signature
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+            /*
+             * For TLS 1.2, we need to specify signature and hash algorithm
+             * explicitly through a prefix to the signature.
+             *
+             * struct {
+             *    HashAlgorithm hash;
+             *    SignatureAlgorithm signature;
+             * } SignatureAndHashAlgorithm;
+             *
+             * struct {
+             *    SignatureAndHashAlgorithm algorithm;
+             *    opaque signature<0..2^16-1>;
+             * } DigitallySigned;
+             *
+             */
+
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_hash_from_md_alg(md_alg);
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_sig_from_pk_alg(sig_alg);
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if (ssl->conf->f_async_sign_start != NULL) {
+            ret = ssl->conf->f_async_sign_start(ssl,
+                                                mbedtls_ssl_own_cert(ssl),
+                                                md_alg, hash, hashlen);
+            switch (ret) {
+                case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+                    /* act as if f_async_sign was null */
+                    break;
+                case 0:
+                    ssl->handshake->async_in_progress = 1;
+                    return (ssl_resume_server_key_exchange(ssl, signature_len));
+                case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+                    ssl->handshake->async_in_progress = 1;
+                    return (MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS);
+                default:
+                    MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
+                    return (ret);
+            }
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+        if (mbedtls_ssl_own_key(ssl) == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
+            return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
+        }
+
+        /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+         * signature length which will be added in ssl_write_server_key_exchange
+         * after the call to ssl_prepare_server_key_exchange.
+         * ssl_write_server_key_exchange also takes care of incrementing
+         * ssl->out_msglen. */
+        if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
+                                   md_alg, hash, hashlen,
+                                   ssl->out_msg + ssl->out_msglen + 2,
+                                   signature_len,
+                                   ssl->conf->f_rng,
+                                   ssl->conf->p_rng)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
+            return (ret);
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+    return (0);
+}
+
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+    /* Extract static ECDH parameters and abort if ServerKeyExchange
+     * is not needed. */
+    if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
+        /* For suites involving ECDH, extract DH parameters
+         * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+        if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
+            ssl_get_ecdh_params_from_cert(ssl);
+        }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+        /* Key exchanges not involving ephemeral keys don't use
+         * ServerKeyExchange, so end here. */
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
+        ssl->state++;
+        return (0);
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already prepared the message and there is an ongoing
+     * signature operation, resume signing. */
+    if (ssl->handshake->async_in_progress != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
+        ret = ssl_resume_server_key_exchange(ssl, &signature_len);
+    } else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+    {
+        /* ServerKeyExchange is needed. Prepare the message. */
+        ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
+    }
+
+    if (ret != 0) {
+        /* If we're starting to write a new message, set ssl->out_msglen
+         * to 0. But if we're resuming after an asynchronous message,
+         * out_msglen is the amount of data written so far and mst be
+         * preserved. */
+        if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS)
+            MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
+        else
+            ssl->out_msglen = 0;
+        return (ret);
+    }
+
+    /* If there is a signature, write its length.
+     * ssl_prepare_server_key_exchange already wrote the signature
+     * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+    if (signature_len != 0) {
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)(signature_len >> 8);
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)(signature_len);
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
+                              ssl->out_msg + ssl->out_msglen,
+                              signature_len);
+
+        /* Skip over the already-written signature */
+        ssl->out_msglen += signature_len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+    /* Add header and send. */
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
+    return (0);
+}
+
+static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_send_flight_completed(ssl);
+#endif
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+        return (ret);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
+                                      const unsigned char *end) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t n;
+
+    /*
+     * Receive G^Y mod P, premaster = (G^Y)^X mod P
+     */
+    if (*p + 2 > end) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    n = ((*p)[0] << 8) | (*p)[1];
+    *p += 2;
+
+    if (*p + n > end) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
+    }
+
+    *p += n;
+
+    MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
+                                  unsigned char *peer_pms,
+                                  size_t *peer_pmslen,
+                                  size_t peer_pmssize) {
+    int ret = ssl->conf->f_async_resume(ssl,
+                                        peer_pms, peer_pmslen, peer_pmssize);
+    if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data(ssl, NULL);
+    }
+    MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
+                                     const unsigned char *p,
+                                     const unsigned char *end,
+                                     unsigned char *peer_pms,
+                                     size_t *peer_pmslen,
+                                     size_t peer_pmssize) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
+    mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert(ssl)->pk;
+    size_t len = mbedtls_pk_get_len(public_key);
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already started decoding the message and there is an ongoing
+     * decryption operation, resume signing. */
+    if (ssl->handshake->async_in_progress != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
+        return (ssl_resume_decrypt_pms(ssl,
+                                       peer_pms, peer_pmslen, peer_pmssize));
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    /*
+     * Prepare to decrypt the premaster using own private RSA key
+     */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
+        if (p + 2 > end) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+        }
+        if (*p++ != ((len >> 8) & 0xFF) ||
+                *p++ != ((len) & 0xFF)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+        }
+    }
+#endif
+
+    if (p + len != end) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    /*
+     * Decrypt the premaster secret
+     */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if (ssl->conf->f_async_decrypt_start != NULL) {
+        ret = ssl->conf->f_async_decrypt_start(ssl,
+                                               mbedtls_ssl_own_cert(ssl),
+                                               p, len);
+        switch (ret) {
+            case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+                /* act as if f_async_decrypt_start was null */
+                break;
+            case 0:
+                ssl->handshake->async_in_progress = 1;
+                return (ssl_resume_decrypt_pms(ssl,
+                                               peer_pms,
+                                               peer_pmslen,
+                                               peer_pmssize));
+            case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+                ssl->handshake->async_in_progress = 1;
+                return (MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS);
+            default:
+                MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
+                return (ret);
+        }
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    if (! mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
+        return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
+    }
+
+    ret = mbedtls_pk_decrypt(private_key, p, len,
+                             peer_pms, peer_pmslen, peer_pmssize,
+                             ssl->conf->f_rng, ssl->conf->p_rng);
+    return (ret);
+}
+
+static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
+                                   const unsigned char *p,
+                                   const unsigned char *end,
+                                   size_t pms_offset) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *pms = ssl->handshake->premaster + pms_offset;
+    unsigned char ver[2];
+    unsigned char fake_pms[48], peer_pms[48];
+    unsigned char mask;
+    size_t i, peer_pmslen;
+    unsigned int diff;
+
+    /* In case of a failure in decryption, the decryption may write less than
+     * 2 bytes of output, but we always read the first two bytes. It doesn't
+     * matter in the end because diff will be nonzero in that case due to
+     * ret being nonzero, and we only care whether diff is 0.
+     * But do initialize peer_pms and peer_pmslen for robustness anyway. This
+     * also makes memory analyzers happy (don't access uninitialized memory,
+     * even if it's an unsigned char). */
+    peer_pms[0] = peer_pms[1] = ~0;
+    peer_pmslen = 0;
+
+    ret = ssl_decrypt_encrypted_pms(ssl, p, end,
+                                    peer_pms,
+                                    &peer_pmslen,
+                                    sizeof(peer_pms));
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS)
+        return (ret);
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    mbedtls_ssl_write_version(ssl->handshake->max_major_ver,
+                              ssl->handshake->max_minor_ver,
+                              ssl->conf->transport, ver);
+
+    /* Avoid data-dependent branches while checking for invalid
+     * padding, to protect against timing-based Bleichenbacher-type
+     * attacks. */
+    diff  = (unsigned int) ret;
+    diff |= peer_pmslen ^ 48;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
+
+    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ((diff | - diff) >> (sizeof(unsigned int) * 8 - 1));
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /*
+     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
+     * must not cause the connection to end immediately; instead, send a
+     * bad_record_mac later in the handshake.
+     * To protect against timing-based variants of the attack, we must
+     * not have any branch that depends on whether the decryption was
+     * successful. In particular, always generate the fake premaster secret,
+     * regardless of whether it will ultimately influence the output or not.
+     */
+    ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
+    if (ret != 0) {
+        /* It's ok to abort on an RNG failure, since this does not reveal
+         * anything about the RSA decryption. */
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    if (diff != 0)
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+#endif
+
+    if (sizeof(ssl->handshake->premaster) < pms_offset ||
+            sizeof(ssl->handshake->premaster) - pms_offset < 48) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+    ssl->handshake->pmslen = 48;
+
+    /* Set pms to either the true or the fake PMS, without
+     * data-dependent branches. */
+    for (i = 0; i < ssl->handshake->pmslen; i++)
+        pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
+                                         const unsigned char *end) {
+    int ret = 0;
+    uint16_t n;
+
+    if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
+        return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
+    }
+
+    /*
+     * Receive client pre-shared key identity name
+     */
+    if (end - *p < 2) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    n = ((*p)[0] << 8) | (*p)[1];
+    *p += 2;
+
+    if (n == 0 || n > end - *p) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    if (ssl->conf->f_psk != NULL) {
+        if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0)
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+    } else {
+        /* Identity is not a big secret since clients send it in the clear,
+         * but treat it carefully anyway, just in case */
+        if (n != ssl->conf->psk_identity_len ||
+                mbedtls_ssl_safer_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+        }
+    }
+
+    if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
+        MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
+        return (MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY);
+    }
+
+    *p += n;
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    unsigned char *p, *end;
+
+    ciphersuite_info = ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+    ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+    if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
+            (ssl->handshake->async_in_progress != 0)) {
+        /* We've already read a record and there is an asynchronous
+         * operation in progress to decrypt it. So skip reading the
+         * record. */
+        MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
+    } else
+#endif
+        if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+            return (ret);
+        }
+
+    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+    end = ssl->in_msg + ssl->in_hslen;
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
+        if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
+            return (ret);
+        }
+
+        if (p != end) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+        }
+
+        if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+                                           ssl->handshake->premaster,
+                                           MBEDTLS_PREMASTER_SIZE,
+                                           &ssl->handshake->pmslen,
+                                           ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS);
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+                ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+            if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
+                                                p, end - p)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
+            }
+
+            MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                   MBEDTLS_DEBUG_ECDH_QP);
+
+            if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
+                                                &ssl->handshake->pmslen,
+                                                ssl->handshake->premaster,
+                                                MBEDTLS_MPI_MAX_SIZE,
+                                                ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS);
+            }
+
+            MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                   MBEDTLS_DEBUG_ECDH_Z);
+        } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
+                if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+                    return (ret);
+                }
+
+                if (p != end) {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+                    return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+                }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically
+                 * and skip the intermediate PMS. */
+                if (ssl_use_opaque_psk(ssl) == 1)
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("skip PMS generation for opaque PSK"));
+                else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+                    if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+                                                                ciphersuite_info->key_exchange)) != 0) {
+                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+                        return (ret);
+                    }
+            } else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+                if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+                    if (ssl->handshake->async_in_progress != 0) {
+                        /* There is an asynchronous operation in progress to
+                         * decrypt the encrypted premaster secret, so skip
+                         * directly to resuming this operation. */
+                        MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
+                        /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+                         * won't actually use it, but maintain p anyway for robustness. */
+                        p += ssl->conf->psk_identity_len + 2;
+                    } else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+                        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+                            return (ret);
+                        }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                    /* Opaque PSKs are currently only supported for PSK-only. */
+                    if (ssl_use_opaque_psk(ssl) == 1)
+                        return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif
+
+                    if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
+                        MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
+                        return (ret);
+                    }
+
+                    if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+                                                                ciphersuite_info->key_exchange)) != 0) {
+                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+                        return (ret);
+                    }
+                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+                    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+                        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+                            return (ret);
+                        }
+                        if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
+                            return (ret);
+                        }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                        /* Opaque PSKs are currently only supported for PSK-only. */
+                        if (ssl_use_opaque_psk(ssl) == 1)
+                            return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif
+
+                        if (p != end) {
+                            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+                            return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
+                        }
+
+                        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+                                                                    ciphersuite_info->key_exchange)) != 0) {
+                            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+                            return (ret);
+                        }
+                    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+                        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+                            if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+                                MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+                                return (ret);
+                            }
+
+                            if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
+                                                                p, end - p)) != 0) {
+                                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
+                                return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
+                            }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+                            /* Opaque PSKs are currently only supported for PSK-only. */
+                            if (ssl_use_opaque_psk(ssl) == 1)
+                                return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+#endif
+
+                            MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                                   MBEDTLS_DEBUG_ECDH_QP);
+
+                            if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+                                                                        ciphersuite_info->key_exchange)) != 0) {
+                                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+                                return (ret);
+                            }
+                        } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+                            if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+                                if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
+                                    MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
+                                    return (ret);
+                                }
+                            } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+                                if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+                                    ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
+                                                                         p, end - p);
+                                    if (ret != 0) {
+                                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
+                                        return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
+                                    }
+
+                                    ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
+                                                                        ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                                                                        ssl->conf->f_rng, ssl->conf->p_rng);
+                                    if (ret != 0) {
+                                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
+                                        return (ret);
+                                    }
+                                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+                                {
+                                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                                }
+
+    if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+        return (ret);
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
+
+    return (0);
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, sig_len;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    size_t hashlen;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    mbedtls_pk_type_t pk_alg;
+#endif
+    mbedtls_md_type_t md_alg;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    mbedtls_pk_context *peer_pk;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
+
+    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if (ssl->session_negotiate->peer_cert == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (ssl->session_negotiate->peer_cert_digest == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+        ssl->state++;
+        return (0);
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    /* Read the message without adding it to the checksum */
+    ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
+    if (0 != ret) {
+        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
+        return (ret);
+    }
+
+    ssl->state++;
+
+    /* Process the message contents */
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+            ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+    }
+
+    i = mbedtls_ssl_hs_hdr_len(ssl);
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (ssl->session_negotiate->peer_cert == NULL) {
+        /* Should never happen */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+    peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    /*
+     *  struct {
+     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
+     *     opaque signature<0..2^16-1>;
+     *  } DigitallySigned;
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
+        md_alg = MBEDTLS_MD_NONE;
+        hashlen = 36;
+
+        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
+        if (mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECDSA)) {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+            if (i + 2 > ssl->in_hslen) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+            }
+
+            /*
+             * Hash
+             */
+            md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
+
+            if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
+                                          " for verify message"));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+            }
+
+#if !defined(MBEDTLS_MD_SHA1)
+            if (MBEDTLS_MD_SHA1 == md_alg)
+                hash_start += 16;
+#endif
+
+            /* Info from md_alg will be used instead */
+            hashlen = 0;
+
+            i++;
+
+            /*
+             * Signature
+             */
+            if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
+                    == MBEDTLS_PK_NONE) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
+                                          " for verify message"));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+            }
+
+            /*
+             * Check the certificate's key type matches the signature alg
+             */
+            if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
+                return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+            }
+
+            i++;
+        } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+    if (i + 2 > ssl->in_hslen) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+    }
+
+    sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i + 1];
+    i += 2;
+
+    if (i + sig_len != ssl->in_hslen) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
+    }
+
+    /* Calculate hash and verify signature */
+    {
+        size_t dummy_hlen;
+        ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
+    }
+
+    if ((ret = mbedtls_pk_verify(peer_pk,
+                                 md_alg, hash_start, hashlen,
+                                 ssl->in_msg + i, sig_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
+        return (ret);
+    }
+
+    mbedtls_ssl_update_handshake_status(ssl);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t tlen;
+    uint32_t lifetime;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
+     * 8  .  9   ticket_len (n)
+     * 10 .  9+n ticket content
+     */
+
+    if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
+                                         ssl->session_negotiate,
+                                         ssl->out_msg + 10,
+                                         ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+                                         &tlen, &lifetime)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
+        tlen = 0;
+    }
+
+    ssl->out_msg[4] = (lifetime >> 24) & 0xFF;
+    ssl->out_msg[5] = (lifetime >> 16) & 0xFF;
+    ssl->out_msg[6] = (lifetime >>  8) & 0xFF;
+    ssl->out_msg[7] = (lifetime) & 0xFF;
+
+    ssl->out_msg[8] = (unsigned char)((tlen >> 8) & 0xFF);
+    ssl->out_msg[9] = (unsigned char)((tlen) & 0xFF);
+
+    ssl->out_msglen = 10 + tlen;
+
+    /*
+     * Morally equivalent to updating ssl->state, but NewSessionTicket and
+     * ChangeCipherSpec share the same state.
+     */
+    ssl->handshake->new_session_ticket = 0;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- server side -- single step
+ */
+int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+
+    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
+
+    if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
+        return (ret);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+        if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0)
+            return (ret);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    switch (ssl->state) {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+        /*
+         *  <==   ClientHello
+         */
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            ret = ssl_parse_client_hello(ssl);
+            break;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+            return (MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED);
+#endif
+
+        /*
+         *  ==>   ServerHello
+         *        Certificate
+         *      ( ServerKeyExchange  )
+         *      ( CertificateRequest )
+         *        ServerHelloDone
+         */
+        case MBEDTLS_SSL_SERVER_HELLO:
+            ret = ssl_write_server_hello(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            ret = mbedtls_ssl_write_certificate(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            ret = ssl_write_server_key_exchange(ssl);
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+            ret = ssl_write_certificate_request(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            ret = ssl_write_server_hello_done(ssl);
+            break;
+
+        /*
+         *  <== ( Certificate/Alert  )
+         *        ClientKeyExchange
+         *      ( CertificateVerify  )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            ret = mbedtls_ssl_parse_certificate(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            ret = ssl_parse_client_key_exchange(ssl);
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+            ret = ssl_parse_certificate_verify(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
+            break;
+
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            ret = mbedtls_ssl_parse_finished(ssl);
+            break;
+
+        /*
+         *  ==> ( NewSessionTicket )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            if (ssl->handshake->new_session_ticket != 0)
+                ret = ssl_write_new_session_ticket(ssl);
+            else
+#endif
+                ret = mbedtls_ssl_write_change_cipher_spec(ssl);
+            break;
+
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            ret = mbedtls_ssl_write_finished(ssl);
+            break;
+
+        case MBEDTLS_SSL_FLUSH_BUFFERS:
+            MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+            break;
+
+        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+            mbedtls_ssl_handshake_wrapup(ssl);
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_SRV_C */
diff --git a/common/mbedtls/ssl_ticket.c b/common/mbedtls/ssl_ticket.c
new file mode 100644
index 000000000..aefc7ab09
--- /dev/null
+++ b/common/mbedtls/ssl_ticket.c
@@ -0,0 +1,384 @@
+/*
+ *  TLS server tickets callbacks implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * Initialze context
+ */
+void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_ssl_ticket_context));
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init(&ctx->mutex);
+#endif
+}
+
+#define MAX_KEY_BYTES 32    /* 256 bits */
+
+#define TICKET_KEY_NAME_BYTES    4
+#define TICKET_IV_BYTES         12
+#define TICKET_CRYPT_LEN_BYTES   2
+#define TICKET_AUTH_TAG_BYTES   16
+
+#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES  +        \
+                         TICKET_IV_BYTES        +        \
+                         TICKET_CRYPT_LEN_BYTES +        \
+                         TICKET_AUTH_TAG_BYTES )
+#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES  +        \
+                              TICKET_IV_BYTES        +        \
+                              TICKET_CRYPT_LEN_BYTES )
+
+/*
+ * Generate/update a key
+ */
+static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
+                              unsigned char index) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char buf[MAX_KEY_BYTES];
+    mbedtls_ssl_ticket_key *key = ctx->keys + index;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    key->generation_time = (uint32_t) mbedtls_time(NULL);
+#endif
+
+    if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0)
+        return (ret);
+
+    if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0)
+        return (ret);
+
+    /* With GCM and CCM, same context can encrypt & decrypt */
+    ret = mbedtls_cipher_setkey(&key->ctx, buf,
+                                mbedtls_cipher_get_key_bitlen(&key->ctx),
+                                MBEDTLS_ENCRYPT);
+
+    mbedtls_platform_zeroize(buf, sizeof(buf));
+
+    return (ret);
+}
+
+/*
+ * Rotate/generate keys if necessary
+ */
+static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx) {
+#if !defined(MBEDTLS_HAVE_TIME)
+    ((void) ctx);
+#else
+    if (ctx->ticket_lifetime != 0) {
+        uint32_t current_time = (uint32_t) mbedtls_time(NULL);
+        uint32_t key_time = ctx->keys[ctx->active].generation_time;
+
+        if (current_time >= key_time &&
+                current_time - key_time < ctx->ticket_lifetime) {
+            return (0);
+        }
+
+        ctx->active = 1 - ctx->active;
+
+        return (ssl_ticket_gen_key(ctx, ctx->active));
+    } else
+#endif /* MBEDTLS_HAVE_TIME */
+    return (0);
+}
+
+/*
+ * Setup context for actual use
+ */
+int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
+                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                             mbedtls_cipher_type_t cipher,
+                             uint32_t lifetime) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    ctx->f_rng = f_rng;
+    ctx->p_rng = p_rng;
+
+    ctx->ticket_lifetime = lifetime;
+
+    cipher_info = mbedtls_cipher_info_from_type(cipher);
+    if (cipher_info == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (cipher_info->mode != MBEDTLS_MODE_GCM &&
+            cipher_info->mode != MBEDTLS_MODE_CCM) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    if (cipher_info->key_bitlen > 8 * MAX_KEY_BYTES)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    ret = mbedtls_cipher_setup_psa(&ctx->keys[0].ctx,
+                                   cipher_info, TICKET_AUTH_TAG_BYTES);
+    if (ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE)
+        return (ret);
+    /* We don't yet expect to support all ciphers through PSA,
+     * so allow fallback to ordinary mbedtls_cipher_setup(). */
+    if (ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0)
+            return (ret);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    ret = mbedtls_cipher_setup_psa(&ctx->keys[1].ctx,
+                                   cipher_info, TICKET_AUTH_TAG_BYTES);
+    if (ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE)
+        return (ret);
+    if (ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0)
+            return (ret);
+
+    if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
+            (ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+
+/*
+ * Create session ticket, with the following structure:
+ *
+ *    struct {
+ *        opaque key_name[4];
+ *        opaque iv[12];
+ *        opaque encrypted_state<0..2^16-1>;
+ *        opaque tag[16];
+ *    } ticket;
+ *
+ * The key_name, iv, and length of encrypted_state are the additional
+ * authenticated data.
+ */
+
+int mbedtls_ssl_ticket_write(void *p_ticket,
+                             const mbedtls_ssl_session *session,
+                             unsigned char *start,
+                             const unsigned char *end,
+                             size_t *tlen,
+                             uint32_t *ticket_lifetime) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = start;
+    unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
+    unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
+    unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
+    size_t clear_len, ciph_len;
+
+    *tlen = 0;
+
+    if (ctx == NULL || ctx->f_rng == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
+     * in addition to session itself, that will be checked when writing it. */
+    MBEDTLS_SSL_CHK_BUF_PTR(start, end, TICKET_MIN_LEN);
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
+        return (ret);
+#endif
+
+    if ((ret = ssl_ticket_update_keys(ctx)) != 0)
+        goto cleanup;
+
+    key = &ctx->keys[ctx->active];
+
+    *ticket_lifetime = ctx->ticket_lifetime;
+
+    memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
+
+    if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0)
+        goto cleanup;
+
+    /* Dump session state */
+    if ((ret = mbedtls_ssl_session_save(session,
+                                        state, end - state,
+                                        &clear_len)) != 0 ||
+            (unsigned long) clear_len > 65535) {
+        goto cleanup;
+    }
+    state_len_bytes[0] = (clear_len >> 8) & 0xff;
+    state_len_bytes[1] = (clear_len) & 0xff;
+
+    /* Encrypt and authenticate */
+    if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
+                                               iv, TICKET_IV_BYTES,
+                                               /* Additional data: key name, IV and length */
+                                               key_name, TICKET_ADD_DATA_LEN,
+                                               state, clear_len,
+                                               state, end - state, &ciph_len,
+                                               TICKET_AUTH_TAG_BYTES)) != 0) {
+        goto cleanup;
+    }
+    if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&ctx->mutex) != 0)
+        return (MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+#endif
+
+    return (ret);
+}
+
+/*
+ * Select key based on name
+ */
+static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
+    mbedtls_ssl_ticket_context *ctx,
+    const unsigned char name[4]) {
+    unsigned char i;
+
+    for (i = 0; i < sizeof(ctx->keys) / sizeof(*ctx->keys); i++)
+        if (memcmp(name, ctx->keys[i].name, 4) == 0)
+            return (&ctx->keys[i]);
+
+    return (NULL);
+}
+
+/*
+ * Load session ticket (see mbedtls_ssl_ticket_write for structure)
+ */
+int mbedtls_ssl_ticket_parse(void *p_ticket,
+                             mbedtls_ssl_session *session,
+                             unsigned char *buf,
+                             size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = buf;
+    unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
+    unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
+    unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
+    size_t enc_len, clear_len;
+
+    if (ctx == NULL || ctx->f_rng == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (len < TICKET_MIN_LEN)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)
+        return (ret);
+#endif
+
+    if ((ret = ssl_ticket_update_keys(ctx)) != 0)
+        goto cleanup;
+
+    enc_len = (enc_len_p[0] << 8) | enc_len_p[1];
+
+    if (len != TICKET_MIN_LEN + enc_len) {
+        ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* Select key */
+    if ((key = ssl_ticket_select_key(ctx, key_name)) == NULL) {
+        /* We can't know for sure but this is a likely option unless we're
+         * under attack - this is only informative anyway */
+        ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+        goto cleanup;
+    }
+
+    /* Decrypt and authenticate */
+    if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
+                                               iv, TICKET_IV_BYTES,
+                                               /* Additional data: key name, IV and length */
+                                               key_name, TICKET_ADD_DATA_LEN,
+                                               ticket, enc_len + TICKET_AUTH_TAG_BYTES,
+                                               ticket, enc_len, &clear_len,
+                                               TICKET_AUTH_TAG_BYTES)) != 0) {
+        if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED)
+            ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+
+        goto cleanup;
+    }
+    if (clear_len != enc_len) {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    /* Actually load session */
+    if ((ret = mbedtls_ssl_session_load(session, ticket, clear_len)) != 0)
+        goto cleanup;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    {
+        /* Check for expiration */
+        mbedtls_time_t current_time = mbedtls_time(NULL);
+
+        if (current_time < session->start ||
+                (uint32_t)(current_time - session->start) > ctx->ticket_lifetime) {
+            ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+            goto cleanup;
+        }
+    }
+#endif
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&ctx->mutex) != 0)
+        return (MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+#endif
+
+    return (ret);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx) {
+    mbedtls_cipher_free(&ctx->keys[0].ctx);
+    mbedtls_cipher_free(&ctx->keys[1].ctx);
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free(&ctx->mutex);
+#endif
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_ticket_context));
+}
+
+#endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/common/mbedtls/ssl_ticket.h b/common/mbedtls/ssl_ticket.h
new file mode 100644
index 000000000..5db443b45
--- /dev/null
+++ b/common/mbedtls/ssl_ticket.h
@@ -0,0 +1,138 @@
+/**
+ * \file ssl_ticket.h
+ *
+ * \brief TLS server ticket callbacks implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_TICKET_H
+#define MBEDTLS_SSL_TICKET_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/*
+ * This implementation of the session ticket callbacks includes key
+ * management, rotating the keys periodically in order to preserve forward
+ * secrecy, when MBEDTLS_HAVE_TIME is defined.
+ */
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Information for session ticket protection
+ */
+typedef struct mbedtls_ssl_ticket_key {
+    unsigned char name[4];          /*!< random key identifier              */
+    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
+    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
+}
+mbedtls_ssl_ticket_key;
+
+/**
+ * \brief   Context for session ticket handling functions
+ */
+typedef struct mbedtls_ssl_ticket_context {
+    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
+    unsigned char active;           /*!< index of the currently active key  */
+
+    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ssl_ticket_context;
+
+/**
+ * \brief           Initialize a ticket context.
+ *                  (Just make it ready for mbedtls_ssl_ticket_setup()
+ *                  or mbedtls_ssl_ticket_free().)
+ *
+ * \param ctx       Context to be initialized
+ */
+void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
+
+/**
+ * \brief           Prepare context to be actually used
+ *
+ * \param ctx       Context to be set up
+ * \param f_rng     RNG callback function
+ * \param p_rng     RNG callback context
+ * \param cipher    AEAD cipher to use for ticket protection.
+ *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
+ * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
+ *
+ * \note            It is highly recommended to select a cipher that is at
+ *                  least as strong as the the strongest ciphersuite
+ *                  supported. Usually that means a 256-bit key.
+ *
+ * \note            The lifetime of the keys is twice the lifetime of tickets.
+ *                  It is recommended to pick a reasonnable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
+ * \return          0 if successful,
+ *                  or a specific MBEDTLS_ERR_XXX error code
+ */
+int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
+                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                             mbedtls_cipher_type_t cipher,
+                             uint32_t lifetime);
+
+/**
+ * \brief           Implementation of the ticket write callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_write_t for description
+ */
+mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
+
+/**
+ * \brief           Implementation of the ticket parse callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_parse_t for description
+ */
+mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
+
+/**
+ * \brief           Free a context's content and zeroize it.
+ *
+ * \param ctx       Context to be cleaned up
+ */
+void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ticket.h */
diff --git a/common/mbedtls/ssl_tls.c b/common/mbedtls/ssl_tls.c
new file mode 100644
index 000000000..34534f3c5
--- /dev/null
+++ b/common/mbedtls/ssl_tls.c
@@ -0,0 +1,7070 @@
+/*
+ *  SSLv3/TLSv1 shared functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The SSL 3.0 specification was drafted by Netscape in 1996,
+ *  and became an IETF standard in 1999.
+ *
+ *  http://wp.netscape.com/eng/ssl3/
+ *  http://www.ietf.org/rfc/rfc2246.txt
+ *  http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+/* Top-level Connection ID API */
+
+int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
+                         size_t len,
+                         int ignore_other_cid) {
+    if (len > MBEDTLS_SSL_CID_IN_LEN_MAX)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
+            ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    conf->ignore_unexpected_cid = ignore_other_cid;
+    conf->cid_len = len;
+    return (0);
+}
+
+int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
+                        int enable,
+                        unsigned char const *own_cid,
+                        size_t own_cid_len) {
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->negotiate_cid = enable;
+    if (enable == MBEDTLS_SSL_CID_DISABLED) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
+        return (0);
+    }
+    MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
+    MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
+
+    if (own_cid_len != ssl->conf->cid_len) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
+                                  (unsigned) own_cid_len,
+                                  (unsigned) ssl->conf->cid_len));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    memcpy(ssl->own_cid, own_cid, own_cid_len);
+    /* Truncation is not an issue here because
+     * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
+    ssl->own_cid_len = (uint8_t) own_cid_len;
+
+    return (0);
+}
+
+int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
+                             int *enabled,
+                             unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
+                             size_t *peer_cid_len) {
+    *enabled = MBEDTLS_SSL_CID_DISABLED;
+
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
+     * were used, but client and server requested the empty CID.
+     * This is indistinguishable from not using the CID extension
+     * in the first place. */
+    if (ssl->transform_in->in_cid_len  == 0 &&
+            ssl->transform_in->out_cid_len == 0) {
+        return (0);
+    }
+
+    if (peer_cid_len != NULL) {
+        *peer_cid_len = ssl->transform_in->out_cid_len;
+        if (peer_cid != NULL) {
+            memcpy(peer_cid, ssl->transform_in->out_cid,
+                   ssl->transform_in->out_cid_len);
+        }
+    }
+
+    *enabled = MBEDTLS_SSL_CID_ENABLED;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/*
+ * Convert max_fragment_length codes to length.
+ * RFC 6066 says:
+ *    enum{
+ *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ *    } MaxFragmentLength;
+ * and we add 0 -> extension unused
+ */
+static unsigned int ssl_mfl_code_to_length(int mfl) {
+    switch (mfl) {
+        case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+            return (MBEDTLS_TLS_EXT_ADV_CONTENT_LEN);
+        case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+            return 512;
+        case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+            return 1024;
+        case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+            return 2048;
+        case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+            return 4096;
+        default:
+            return (MBEDTLS_TLS_EXT_ADV_CONTENT_LEN);
+    }
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
+                             const mbedtls_ssl_session *src) {
+    mbedtls_ssl_session_free(dst);
+    memcpy(dst, src, sizeof(mbedtls_ssl_session));
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if (src->peer_cert != NULL) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+        dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+        if (dst->peer_cert == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        mbedtls_x509_crt_init(dst->peer_cert);
+
+        if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
+                                              src->peer_cert->raw.len)) != 0) {
+            mbedtls_free(dst->peer_cert);
+            dst->peer_cert = NULL;
+            return (ret);
+        }
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (src->peer_cert_digest != NULL) {
+        dst->peer_cert_digest =
+            mbedtls_calloc(1, src->peer_cert_digest_len);
+        if (dst->peer_cert_digest == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        memcpy(dst->peer_cert_digest, src->peer_cert_digest,
+               src->peer_cert_digest_len);
+        dst->peer_cert_digest_type = src->peer_cert_digest_type;
+        dst->peer_cert_digest_len = src->peer_cert_digest_len;
+    }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    if (src->ticket != NULL) {
+        dst->ticket = mbedtls_calloc(1, src->ticket_len);
+        if (dst->ticket == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        memcpy(dst->ticket, src->ticket, src->ticket_len);
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old) {
+    unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
+    if (resized_buffer == NULL)
+        return -1;
+
+    /* We want to copy len_new bytes when downsizing the buffer, and
+     * len_old bytes when upsizing, so we choose the smaller of two sizes,
+     * to fit one buffer into another. Size checks, ensuring that no data is
+     * lost, are done outside of this function. */
+    memcpy(resized_buffer, *buffer,
+           (len_new < *len_old) ? len_new : *len_old);
+    mbedtls_platform_zeroize(*buffer, *len_old);
+    mbedtls_free(*buffer);
+
+    *buffer = resized_buffer;
+    *len_old = len_new;
+
+    return 0;
+}
+
+static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
+                                   size_t in_buf_new_len,
+                                   size_t out_buf_new_len) {
+    int modified = 0;
+    size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+    size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
+    if (ssl->in_buf != NULL) {
+        written_in = ssl->in_msg - ssl->in_buf;
+        iv_offset_in = ssl->in_iv - ssl->in_buf;
+        len_offset_in = ssl->in_len - ssl->in_buf;
+        if (downsizing ?
+                ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
+                ssl->in_buf_len < in_buf_new_len) {
+            if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
+            } else {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
+                                          in_buf_new_len));
+                modified = 1;
+            }
+        }
+    }
+
+    if (ssl->out_buf != NULL) {
+        written_out = ssl->out_msg - ssl->out_buf;
+        iv_offset_out = ssl->out_iv - ssl->out_buf;
+        len_offset_out = ssl->out_len - ssl->out_buf;
+        if (downsizing ?
+                ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
+                ssl->out_buf_len < out_buf_new_len) {
+            if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
+            } else {
+                MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
+                                          out_buf_new_len));
+                modified = 1;
+            }
+        }
+    }
+    if (modified) {
+        /* Update pointers here to avoid doing it twice. */
+        mbedtls_ssl_reset_in_out_pointers(ssl);
+        /* Fields below might not be properly updated with record
+         * splitting or with CID, so they are manually updated here. */
+        ssl->out_msg = ssl->out_buf + written_out;
+        ssl->out_len = ssl->out_buf + len_offset_out;
+        ssl->out_iv = ssl->out_buf + iv_offset_out;
+
+        ssl->in_msg = ssl->in_buf + written_in;
+        ssl->in_len = ssl->in_buf + len_offset_in;
+        ssl->in_iv = ssl->in_buf + iv_offset_in;
+    }
+}
+#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+
+/*
+ * Key material generation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static int ssl3_prf(const unsigned char *secret, size_t slen,
+                    const char *label,
+                    const unsigned char *random, size_t rlen,
+                    unsigned char *dstbuf, size_t dlen) {
+    int ret = 0;
+    size_t i;
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padding[16];
+    unsigned char sha1sum[20];
+    ((void)label);
+
+    mbedtls_md5_init(&md5);
+    mbedtls_sha1_init(&sha1);
+
+    /*
+     *  SSLv3:
+     *    block =
+     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
+     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
+     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
+     *      ...
+     */
+    for (i = 0; i < dlen / 16; i++) {
+        memset(padding, (unsigned char)('A' + i), 1 + i);
+
+        if ((ret = mbedtls_sha1_starts_ret(&sha1)) != 0)
+            goto exit;
+        if ((ret = mbedtls_sha1_update_ret(&sha1, padding, 1 + i)) != 0)
+            goto exit;
+        if ((ret = mbedtls_sha1_update_ret(&sha1, secret, slen)) != 0)
+            goto exit;
+        if ((ret = mbedtls_sha1_update_ret(&sha1, random, rlen)) != 0)
+            goto exit;
+        if ((ret = mbedtls_sha1_finish_ret(&sha1, sha1sum)) != 0)
+            goto exit;
+
+        if ((ret = mbedtls_md5_starts_ret(&md5)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md5_update_ret(&md5, secret, slen)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md5_update_ret(&md5, sha1sum, 20)) != 0)
+            goto exit;
+        if ((ret = mbedtls_md5_finish_ret(&md5, dstbuf + i * 16)) != 0)
+            goto exit;
+    }
+
+exit:
+    mbedtls_md5_free(&md5);
+    mbedtls_sha1_free(&sha1);
+
+    mbedtls_platform_zeroize(padding, sizeof(padding));
+    mbedtls_platform_zeroize(sha1sum, sizeof(sha1sum));
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static int tls1_prf(const unsigned char *secret, size_t slen,
+                    const char *label,
+                    const unsigned char *random, size_t rlen,
+                    unsigned char *dstbuf, size_t dlen) {
+    size_t nb, hs;
+    size_t i, j, k;
+    const unsigned char *S1, *S2;
+    unsigned char *tmp;
+    size_t tmp_len = 0;
+    unsigned char h_i[20];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    mbedtls_md_init(&md_ctx);
+
+    tmp_len = 20 + strlen(label) + rlen;
+    tmp = mbedtls_calloc(1, tmp_len);
+    if (tmp == NULL) {
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto exit;
+    }
+
+    hs = (slen + 1) / 2;
+    S1 = secret;
+    S2 = secret + slen - hs;
+
+    nb = strlen(label);
+    memcpy(tmp + 20, label, nb);
+    memcpy(tmp + 20 + nb, random, rlen);
+    nb += rlen;
+
+    /*
+     * First compute P_md5(secret,label+random)[0..dlen]
+     */
+    if ((md_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5)) == NULL) {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto exit;
+    }
+
+    if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
+        goto exit;
+    }
+
+    mbedtls_md_hmac_starts(&md_ctx, S1, hs);
+    mbedtls_md_hmac_update(&md_ctx, tmp + 20, nb);
+    mbedtls_md_hmac_finish(&md_ctx, 4 + tmp);
+
+    for (i = 0; i < dlen; i += 16) {
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, 4 + tmp, 16 + nb);
+        mbedtls_md_hmac_finish(&md_ctx, h_i);
+
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, 4 + tmp, 16);
+        mbedtls_md_hmac_finish(&md_ctx, 4 + tmp);
+
+        k = (i + 16 > dlen) ? dlen % 16 : 16;
+
+        for (j = 0; j < k; j++)
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free(&md_ctx);
+
+    /*
+     * XOR out with P_sha1(secret,label+random)[0..dlen]
+     */
+    if ((md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1)) == NULL) {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto exit;
+    }
+
+    if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
+        goto exit;
+    }
+
+    mbedtls_md_hmac_starts(&md_ctx, S2, hs);
+    mbedtls_md_hmac_update(&md_ctx, tmp + 20, nb);
+    mbedtls_md_hmac_finish(&md_ctx, tmp);
+
+    for (i = 0; i < dlen; i += 20) {
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, tmp, 20 + nb);
+        mbedtls_md_hmac_finish(&md_ctx, h_i);
+
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, tmp, 20);
+        mbedtls_md_hmac_finish(&md_ctx, tmp);
+
+        k = (i + 20 > dlen) ? dlen % 20 : 20;
+
+        for (j = 0; j < k; j++)
+            dstbuf[i + j] = (unsigned char)(dstbuf[i + j] ^ h_i[j]);
+    }
+
+exit:
+    mbedtls_md_free(&md_ctx);
+
+    mbedtls_platform_zeroize(tmp, tmp_len);
+    mbedtls_platform_zeroize(h_i, sizeof(h_i));
+
+    mbedtls_free(tmp);
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
+                                             psa_key_id_t key,
+                                             psa_algorithm_t alg,
+                                             const unsigned char *seed, size_t seed_length,
+                                             const unsigned char *label, size_t label_length,
+                                             size_t capacity) {
+    psa_status_t status;
+
+    status = psa_key_derivation_setup(derivation, alg);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
+        status = psa_key_derivation_input_bytes(derivation,
+                                                PSA_KEY_DERIVATION_INPUT_SEED,
+                                                seed, seed_length);
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        if (mbedtls_svc_key_id_is_null(key)) {
+            status = psa_key_derivation_input_bytes(
+                         derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
+                         NULL, 0);
+        } else {
+            status = psa_key_derivation_input_key(
+                         derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
+        }
+        if (status != PSA_SUCCESS)
+            return (status);
+
+        status = psa_key_derivation_input_bytes(derivation,
+                                                PSA_KEY_DERIVATION_INPUT_LABEL,
+                                                label, label_length);
+        if (status != PSA_SUCCESS)
+            return (status);
+    } else {
+        return (PSA_ERROR_NOT_SUPPORTED);
+    }
+
+    status = psa_key_derivation_set_capacity(derivation, capacity);
+    if (status != PSA_SUCCESS)
+        return (status);
+
+    return (PSA_SUCCESS);
+}
+
+static int tls_prf_generic(mbedtls_md_type_t md_type,
+                           const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen) {
+    psa_status_t status;
+    psa_algorithm_t alg;
+    psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
+    psa_key_derivation_operation_t derivation =
+        PSA_KEY_DERIVATION_OPERATION_INIT;
+
+    if (md_type == MBEDTLS_MD_SHA384)
+        alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
+    else
+        alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
+
+    /* Normally a "secret" should be long enough to be impossible to
+     * find by brute force, and in particular should not be empty. But
+     * this PRF is also used to derive an IV, in particular in EAP-TLS,
+     * and for this use case it makes sense to have a 0-length "secret".
+     * Since the key API doesn't allow importing a key of length 0,
+     * keep master_key=0, which setup_psa_key_derivation() understands
+     * to mean a 0-length "secret" input. */
+    if (slen != 0) {
+        psa_key_attributes_t key_attributes = psa_key_attributes_init();
+        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+        psa_set_key_algorithm(&key_attributes, alg);
+        psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
+
+        status = psa_import_key(&key_attributes, secret, slen, &master_key);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    }
+
+    status = setup_psa_key_derivation(&derivation,
+                                      master_key, alg,
+                                      random, rlen,
+                                      (unsigned char const *) label,
+                                      (size_t) strlen(label),
+                                      dlen);
+    if (status != PSA_SUCCESS) {
+        psa_key_derivation_abort(&derivation);
+        psa_destroy_key(master_key);
+        return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    }
+
+    status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
+    if (status != PSA_SUCCESS) {
+        psa_key_derivation_abort(&derivation);
+        psa_destroy_key(master_key);
+        return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    }
+
+    status = psa_key_derivation_abort(&derivation);
+    if (status != PSA_SUCCESS) {
+        psa_destroy_key(master_key);
+        return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    }
+
+    if (! mbedtls_svc_key_id_is_null(master_key))
+        status = psa_destroy_key(master_key);
+    if (status != PSA_SUCCESS)
+        return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+
+    return (0);
+}
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+static int tls_prf_generic(mbedtls_md_type_t md_type,
+                           const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen) {
+    size_t nb;
+    size_t i, j, k, md_len;
+    unsigned char *tmp;
+    size_t tmp_len = 0;
+    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    mbedtls_md_init(&md_ctx);
+
+    if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL)
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+
+    md_len = mbedtls_md_get_size(md_info);
+
+    tmp_len = md_len + strlen(label) + rlen;
+    tmp = mbedtls_calloc(1, tmp_len);
+    if (tmp == NULL) {
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto exit;
+    }
+
+    nb = strlen(label);
+    memcpy(tmp + md_len, label, nb);
+    memcpy(tmp + md_len + nb, random, rlen);
+    nb += rlen;
+
+    /*
+     * Compute P_<hash>(secret, label + random)[0..dlen]
+     */
+    if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0)
+        goto exit;
+
+    mbedtls_md_hmac_starts(&md_ctx, secret, slen);
+    mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
+    mbedtls_md_hmac_finish(&md_ctx, tmp);
+
+    for (i = 0; i < dlen; i += md_len) {
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
+        mbedtls_md_hmac_finish(&md_ctx, h_i);
+
+        mbedtls_md_hmac_reset(&md_ctx);
+        mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
+        mbedtls_md_hmac_finish(&md_ctx, tmp);
+
+        k = (i + md_len > dlen) ? dlen % md_len : md_len;
+
+        for (j = 0; j < k; j++)
+            dstbuf[i + j]  = h_i[j];
+    }
+
+exit:
+    mbedtls_md_free(&md_ctx);
+
+    mbedtls_platform_zeroize(tmp, tmp_len);
+    mbedtls_platform_zeroize(h_i, sizeof(h_i));
+
+    mbedtls_free(tmp);
+
+    return (ret);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SHA256_C)
+static int tls_prf_sha256(const unsigned char *secret, size_t slen,
+                          const char *label,
+                          const unsigned char *random, size_t rlen,
+                          unsigned char *dstbuf, size_t dlen) {
+    return (tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
+                            label, random, rlen, dstbuf, dlen));
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static int tls_prf_sha384(const unsigned char *secret, size_t slen,
+                          const char *label,
+                          const unsigned char *random, size_t rlen,
+                          unsigned char *dstbuf, size_t dlen) {
+    return (tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
+                            label, random, rlen, dstbuf, dlen));
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1(mbedtls_ssl_context *, const unsigned char *, size_t);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_verify_ssl(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static void ssl_calc_finished_ssl(mbedtls_ssl_context *, unsigned char *, int);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_verify_tls(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static void ssl_calc_finished_tls(mbedtls_ssl_context *, unsigned char *, int);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
+static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static void ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
+static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static void ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
+    defined(MBEDTLS_USE_PSA_CRYPTO)
+static int ssl_use_opaque_psk(mbedtls_ssl_context const *ssl) {
+    if (ssl->conf->f_psk != NULL) {
+        /* If we've used a callback to select the PSK,
+         * the static configuration is irrelevant. */
+        if (! mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque))
+            return (1);
+
+        return (0);
+    }
+
+    if (! mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque))
+        return (1);
+
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+          MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if (tls_prf == ssl3_prf) {
+        return (MBEDTLS_SSL_TLS_PRF_SSL3);
+    } else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if (tls_prf == tls1_prf) {
+            return (MBEDTLS_SSL_TLS_PRF_TLS1);
+        } else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+            if (tls_prf == tls_prf_sha384) {
+                return (MBEDTLS_SSL_TLS_PRF_SHA384);
+            } else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+                if (tls_prf == tls_prf_sha256) {
+                    return (MBEDTLS_SSL_TLS_PRF_SHA256);
+                } else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+                    return (MBEDTLS_SSL_TLS_PRF_NONE);
+}
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+int  mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
+                         const unsigned char *secret, size_t slen,
+                         const char *label,
+                         const unsigned char *random, size_t rlen,
+                         unsigned char *dstbuf, size_t dlen) {
+    mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
+
+    switch (prf) {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        case MBEDTLS_SSL_TLS_PRF_SSL3:
+            tls_prf = ssl3_prf;
+            break;
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        case MBEDTLS_SSL_TLS_PRF_TLS1:
+            tls_prf = tls1_prf;
+            break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_TLS_PRF_SHA384:
+            tls_prf = tls_prf_sha384;
+            break;
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_TLS_PRF_SHA256:
+            tls_prf = tls_prf_sha256;
+            break;
+#endif /* MBEDTLS_SHA256_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+        default:
+            return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+    }
+
+    return (tls_prf(secret, slen, label, random, rlen, dstbuf, dlen));
+}
+
+/* Type for the TLS PRF */
+typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
+                          const unsigned char *, size_t,
+                          unsigned char *, size_t);
+
+/*
+ * Populate a transform structure with session keys and all the other
+ * necessary information.
+ *
+ * Parameters:
+ * - [in/out]: transform: structure to populate
+ *      [in] must be just initialised with mbedtls_ssl_transform_init()
+ *      [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
+ * - [in] ciphersuite
+ * - [in] master
+ * - [in] encrypt_then_mac
+ * - [in] trunc_hmac
+ * - [in] compression
+ * - [in] tls_prf: pointer to PRF to use for key derivation
+ * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
+ * - [in] minor_ver: SSL/TLS minor version
+ * - [in] endpoint: client or server
+ * - [in] ssl: optionally used for:
+ *        - MBEDTLS_SSL_HW_RECORD_ACCEL: whole context (non-const)
+ *        - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
+ *        - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
+ */
+static int ssl_populate_transform(mbedtls_ssl_transform *transform,
+                                  int ciphersuite,
+                                  const unsigned char master[48],
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                                  int encrypt_then_mac,
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+                                  int trunc_hmac,
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+                                  int compression,
+#endif
+                                  ssl_tls_prf_t tls_prf,
+                                  const unsigned char randbytes[64],
+                                  int minor_ver,
+                                  unsigned endpoint,
+#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+                                  const
+#endif
+                                  mbedtls_ssl_context *ssl) {
+    int ret = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    int psa_fallthrough;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    unsigned char keyblk[256];
+    unsigned char *key1;
+    unsigned char *key2;
+    unsigned char *mac_enc;
+    unsigned char *mac_dec;
+    size_t mac_key_len = 0;
+    size_t iv_copy_len;
+    unsigned keylen;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    const mbedtls_cipher_info_t *cipher_info;
+    const mbedtls_md_info_t *md_info;
+
+#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \
+    !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
+    !defined(MBEDTLS_DEBUG_C)
+    ssl = NULL; /* make sure we don't use it except for those cases */
+    (void) ssl;
+#endif
+
+    /*
+     * Some data just needs copying into the structure
+     */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
+    defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    transform->encrypt_then_mac = encrypt_then_mac;
+#endif
+    transform->minor_ver = minor_ver;
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+    memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
+#endif
+
+    /*
+     * Get various info structures
+     */
+    ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
+    if (ciphersuite_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
+                                  ciphersuite));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
+    if (cipher_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
+                                  ciphersuite_info->cipher));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    md_info = mbedtls_md_info_from_type(ciphersuite_info->mac);
+    if (md_info == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
+                                  (unsigned) ciphersuite_info->mac));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /* Copy own and peer's CID if the use of the CID
+     * extension has been negotiated. */
+    if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
+
+        transform->in_cid_len = ssl->own_cid_len;
+        memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
+        MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
+                              transform->in_cid_len);
+
+        transform->out_cid_len = ssl->handshake->peer_cid_len;
+        memcpy(transform->out_cid, ssl->handshake->peer_cid,
+               ssl->handshake->peer_cid_len);
+        MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
+                              transform->out_cid_len);
+    }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    /*
+     * Compute key block using the PRF
+     */
+    ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
+                              mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
+    MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
+    MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
+    MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
+
+    /*
+     * Determine the appropriate key, IV and MAC length.
+     */
+
+    keylen = cipher_info->key_bitlen / 8;
+
+#if defined(MBEDTLS_GCM_C) ||                           \
+    defined(MBEDTLS_CCM_C) ||                           \
+    defined(MBEDTLS_CHACHAPOLY_C)
+    if (cipher_info->mode == MBEDTLS_MODE_GCM ||
+            cipher_info->mode == MBEDTLS_MODE_CCM ||
+            cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY) {
+        size_t explicit_ivlen;
+
+        transform->maclen = 0;
+        mac_key_len = 0;
+        transform->taglen =
+            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+        /* All modes haves 96-bit IVs, but the length of the static parts vary
+         * with mode and version:
+         * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
+         *   (to be concatenated with a dynamically chosen IV of 8 Bytes)
+         * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
+         *   a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
+         *   sequence number).
+         */
+        transform->ivlen = 12;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+        if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_4) {
+            transform->fixed_ivlen = 12;
+        } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+        {
+            if (cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY)
+                transform->fixed_ivlen = 12;
+            else
+                transform->fixed_ivlen = 4;
+        }
+
+        /* Minimum length of encrypted record */
+        explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+        transform->minlen = explicit_ivlen + transform->taglen;
+    } else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+        if (cipher_info->mode == MBEDTLS_MODE_STREAM ||
+                cipher_info->mode == MBEDTLS_MODE_CBC) {
+            /* Initialize HMAC contexts */
+            if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
+                    (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
+                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
+                goto end;
+            }
+
+            /* Get MAC length */
+            mac_key_len = mbedtls_md_get_size(md_info);
+            transform->maclen = mac_key_len;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+            /*
+             * If HMAC is to be truncated, we shall keep the leftmost bytes,
+             * (rfc 6066 page 13 or rfc 2104 section 4),
+             * so we only need to adjust the length here.
+             */
+            if (trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED) {
+                transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+                /* Fall back to old, non-compliant version of the truncated
+                 * HMAC implementation which also truncates the key
+                 * (Mbed TLS versions from 1.3 to 2.6.0) */
+                mac_key_len = transform->maclen;
+#endif
+            }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+            /* IV length */
+            transform->ivlen = cipher_info->iv_size;
+
+            /* Minimum length */
+            if (cipher_info->mode == MBEDTLS_MODE_STREAM)
+                transform->minlen = transform->maclen;
+            else {
+                /*
+                 * GenericBlockCipher:
+                 * 1. if EtM is in use: one block plus MAC
+                 *    otherwise: * first multiple of blocklen greater than maclen
+                 * 2. IV except for SSL3 and TLS 1.0
+                 */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
+                    transform->minlen = transform->maclen
+                                        + cipher_info->block_size;
+                } else
+#endif
+                {
+                    transform->minlen = transform->maclen
+                                        + cipher_info->block_size
+                                        - transform->maclen % cipher_info->block_size;
+                }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+                if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+                        minor_ver == MBEDTLS_SSL_MINOR_VERSION_1)
+                    ; /* No need to adjust minlen */
+                else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                    if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
+                            minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+                        transform->minlen += transform->ivlen;
+                    } else
+#endif
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+                        goto end;
+                    }
+            }
+        } else
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
+                              (unsigned) keylen,
+                              (unsigned) transform->minlen,
+                              (unsigned) transform->ivlen,
+                              (unsigned) transform->maclen));
+
+    /*
+     * Finally setup the cipher contexts, IVs and MAC secrets.
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
+        key1 = keyblk + mac_key_len * 2;
+        key2 = keyblk + mac_key_len * 2 + keylen;
+
+        mac_enc = keyblk;
+        mac_dec = keyblk + mac_key_len;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = (transform->fixed_ivlen) ?
+                      transform->fixed_ivlen : transform->ivlen;
+        memcpy(transform->iv_enc, key2 + keylen,  iv_copy_len);
+        memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
+               iv_copy_len);
+    } else
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+        if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+            key1 = keyblk + mac_key_len * 2 + keylen;
+            key2 = keyblk + mac_key_len * 2;
+
+            mac_enc = keyblk + mac_key_len;
+            mac_dec = keyblk;
+
+            /*
+             * This is not used in TLS v1.1.
+             */
+            iv_copy_len = (transform->fixed_ivlen) ?
+                          transform->fixed_ivlen : transform->ivlen;
+            memcpy(transform->iv_dec, key1 + keylen,  iv_copy_len);
+            memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
+                   iv_copy_len);
+        } else
+#endif /* MBEDTLS_SSL_SRV_C */
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+            goto end;
+        }
+
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+        if (mac_key_len > sizeof(transform->mac_enc)) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+            goto end;
+        }
+
+        memcpy(transform->mac_enc, mac_enc, mac_key_len);
+        memcpy(transform->mac_dec, mac_dec, mac_key_len);
+    } else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if (minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1) {
+            /* For HMAC-based ciphersuites, initialize the HMAC transforms.
+               For AEAD-based ciphersuites, there is nothing to do here. */
+            if (mac_key_len != 0) {
+                mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
+                mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
+            }
+        } else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+            ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+            goto end;
+        }
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_init != NULL) {
+        ret = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_init()"));
+
+        if ((ret = mbedtls_ssl_hw_record_init(ssl, key1, key2, keylen,
+                                              transform->iv_enc, transform->iv_dec,
+                                              iv_copy_len,
+                                              mac_enc, mac_dec,
+                                              mac_key_len)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_init", ret);
+            ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+            goto end;
+        }
+    }
+#else
+    ((void) mac_dec);
+    ((void) mac_enc);
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    if (ssl->conf->f_export_keys != NULL) {
+        ssl->conf->f_export_keys(ssl->conf->p_export_keys,
+                                 master, keyblk,
+                                 mac_key_len, keylen,
+                                 iv_copy_len);
+    }
+
+    if (ssl->conf->f_export_keys_ext != NULL) {
+        ssl->conf->f_export_keys_ext(ssl->conf->p_export_keys,
+                                     master, keyblk,
+                                     mac_key_len, keylen,
+                                     iv_copy_len,
+                                     randbytes + 32,
+                                     randbytes,
+                                     tls_prf_get_type(tls_prf));
+    }
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+    /* Only use PSA-based ciphers for TLS-1.2.
+     * That's relevant at least for TLS-1.0, where
+     * we assume that mbedtls_cipher_crypt() updates
+     * the structure field for the IV, which the PSA-based
+     * implementation currently doesn't. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        ret = mbedtls_cipher_setup_psa(&transform->cipher_ctx_enc,
+                                       cipher_info, transform->taglen);
+        if (ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup_psa", ret);
+            goto end;
+        }
+
+        if (ret == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("Successfully setup PSA-based encryption cipher context"));
+            psa_fallthrough = 0;
+        } else {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Failed to setup PSA-based cipher context for record encryption - fall through to default setup."));
+            psa_fallthrough = 1;
+        }
+    } else
+        psa_fallthrough = 1;
+#else
+    psa_fallthrough = 1;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    if (psa_fallthrough == 1)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
+                                        cipher_info)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+            goto end;
+        }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    /* Only use PSA-based ciphers for TLS-1.2.
+     * That's relevant at least for TLS-1.0, where
+     * we assume that mbedtls_cipher_crypt() updates
+     * the structure field for the IV, which the PSA-based
+     * implementation currently doesn't. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+        ret = mbedtls_cipher_setup_psa(&transform->cipher_ctx_dec,
+                                       cipher_info, transform->taglen);
+        if (ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup_psa", ret);
+            goto end;
+        }
+
+        if (ret == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(3, ("Successfully setup PSA-based decryption cipher context"));
+            psa_fallthrough = 0;
+        } else {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Failed to setup PSA-based cipher context for record decryption - fall through to default setup."));
+            psa_fallthrough = 1;
+        }
+    } else
+        psa_fallthrough = 1;
+#else
+    psa_fallthrough = 1;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    if (psa_fallthrough == 1)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
+                                        cipher_info)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+            goto end;
+        }
+
+    if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
+                                     cipher_info->key_bitlen,
+                                     MBEDTLS_ENCRYPT)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+        goto end;
+    }
+
+    if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
+                                     cipher_info->key_bitlen,
+                                     MBEDTLS_DECRYPT)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+        goto end;
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if (cipher_info->mode == MBEDTLS_MODE_CBC) {
+        if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
+                                                   MBEDTLS_PADDING_NONE)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
+            goto end;
+        }
+
+        if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
+                                                   MBEDTLS_PADDING_NONE)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
+            goto end;
+        }
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+
+    /* Initialize Zlib contexts */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (compression == MBEDTLS_SSL_COMPRESS_DEFLATE) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Initializing zlib states"));
+
+        memset(&transform->ctx_deflate, 0, sizeof(transform->ctx_deflate));
+        memset(&transform->ctx_inflate, 0, sizeof(transform->ctx_inflate));
+
+        if (deflateInit(&transform->ctx_deflate,
+                        Z_DEFAULT_COMPRESSION)   != Z_OK ||
+                inflateInit(&transform->ctx_inflate) != Z_OK) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("Failed to initialize compression"));
+            ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED;
+            goto end;
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+end:
+    mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
+    return (ret);
+}
+
+/*
+ * Set appropriate PRF function and other SSL / TLS 1.0/1.1 / TLS1.2 functions
+ *
+ * Inputs:
+ * - SSL/TLS minor version
+ * - hash associated with the ciphersuite (only used by TLS 1.2)
+ *
+ * Outputs:
+ * - the tls_prf, calc_verify and calc_finished members of handshake structure
+ */
+static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
+                                  int minor_ver,
+                                  mbedtls_md_type_t hash) {
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA512_C)
+    (void) hash;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+        handshake->tls_prf = ssl3_prf;
+        handshake->calc_verify = ssl_calc_verify_ssl;
+        handshake->calc_finished = ssl_calc_finished_ssl;
+    } else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if (minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
+            handshake->tls_prf = tls1_prf;
+            handshake->calc_verify = ssl_calc_verify_tls;
+            handshake->calc_finished = ssl_calc_finished_tls;
+        } else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+            if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+                    hash == MBEDTLS_MD_SHA384) {
+                handshake->tls_prf = tls_prf_sha384;
+                handshake->calc_verify = ssl_calc_verify_tls_sha384;
+                handshake->calc_finished = ssl_calc_finished_tls_sha384;
+            } else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+                if (minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
+                    handshake->tls_prf = tls_prf_sha256;
+                    handshake->calc_verify = ssl_calc_verify_tls_sha256;
+                    handshake->calc_finished = ssl_calc_finished_tls_sha256;
+                } else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+                {
+                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                }
+
+    return (0);
+}
+
+/*
+ * Compute master secret if needed
+ *
+ * Parameters:
+ * [in/out] handshake
+ *          [in] resume, premaster, extended_ms, calc_verify, tls_prf
+ *               (PSA-PSK) ciphersuite_info, psk_opaque
+ *          [out] premaster (cleared)
+ * [out] master
+ * [in] ssl: optionally used for debugging, EMS and PSA-PSK
+ *      debug: conf->f_dbg, conf->p_dbg
+ *      EMS: passed to calc_verify (debug + (SSL3) session_negotiate)
+ *      PSA-PSA: minor_ver, conf
+ */
+static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
+                              unsigned char *master,
+                              const mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* cf. RFC 5246, Section 8.1:
+     * "The master secret is always exactly 48 bytes in length." */
+    size_t const master_secret_len = 48;
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    unsigned char session_hash[48];
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+    /* The label for the KDF used for key expansion.
+     * This is either "master secret" or "extended master secret"
+     * depending on whether the Extended Master Secret extension
+     * is used. */
+    char const *lbl = "master secret";
+
+    /* The salt for the KDF used for key expansion.
+     * - If the Extended Master Secret extension is not used,
+     *   this is ClientHello.Random + ServerHello.Random
+     *   (see Sect. 8.1 in RFC 5246).
+     * - If the Extended Master Secret extension is used,
+     *   this is the transcript of the handshake so far.
+     *   (see Sect. 4 in RFC 7627). */
+    unsigned char const *salt = handshake->randbytes;
+    size_t salt_len = 64;
+
+#if !defined(MBEDTLS_DEBUG_C) &&                    \
+    !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+    !(defined(MBEDTLS_USE_PSA_CRYPTO) &&            \
+      defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
+    ssl = NULL; /* make sure we don't use it except for those cases */
+    (void) ssl;
+#endif
+
+    if (handshake->resume != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
+        return (0);
+    }
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
+        lbl  = "extended master secret";
+        salt = session_hash;
+        handshake->calc_verify(ssl, session_hash, &salt_len);
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
+                              session_hash, salt_len);
+    }
+#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) &&          \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+            ssl_use_opaque_psk(ssl) == 1) {
+        /* Perform PSK-to-MS expansion in a single step. */
+        psa_status_t status;
+        psa_algorithm_t alg;
+        psa_key_id_t psk;
+        psa_key_derivation_operation_t derivation =
+            PSA_KEY_DERIVATION_OPERATION_INIT;
+        mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
+
+        MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
+
+        psk = mbedtls_ssl_get_opaque_psk(ssl);
+
+        if (hash_alg == MBEDTLS_MD_SHA384)
+            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
+        else
+            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
+
+        status = setup_psa_key_derivation(&derivation, psk, alg,
+                                          salt, salt_len,
+                                          (unsigned char const *) lbl,
+                                          (size_t) strlen(lbl),
+                                          master_secret_len);
+        if (status != PSA_SUCCESS) {
+            psa_key_derivation_abort(&derivation);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+
+        status = psa_key_derivation_output_bytes(&derivation,
+                                                 master,
+                                                 master_secret_len);
+        if (status != PSA_SUCCESS) {
+            psa_key_derivation_abort(&derivation);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+
+        status = psa_key_derivation_abort(&derivation);
+        if (status != PSA_SUCCESS)
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+    } else
+#endif
+    {
+        ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
+                                 lbl, salt, salt_len,
+                                 master,
+                                 master_secret_len);
+        if (ret != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
+            return (ret);
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
+                              handshake->premaster,
+                              handshake->pmslen);
+
+        mbedtls_platform_zeroize(handshake->premaster,
+                                 sizeof(handshake->premaster));
+    }
+
+    return (0);
+}
+
+int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_ssl_ciphersuite_t *const ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
+
+    /* Set PRF, calc_verify and calc_finished function pointers */
+    ret = ssl_set_handshake_prfs(ssl->handshake,
+                                 ssl->minor_ver,
+                                 ciphersuite_info->mac);
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
+        return (ret);
+    }
+
+    /* Compute master secret if needed */
+    ret = ssl_compute_master(ssl->handshake,
+                             ssl->session_negotiate->master,
+                             ssl);
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
+        return (ret);
+    }
+
+    /* Swap the client and server random values:
+     * - MS derivation wanted client+server (RFC 5246 8.1)
+     * - key derivation wants server+client (RFC 5246 6.3) */
+    {
+        unsigned char tmp[64];
+        memcpy(tmp, ssl->handshake->randbytes, 64);
+        memcpy(ssl->handshake->randbytes, tmp + 32, 32);
+        memcpy(ssl->handshake->randbytes + 32, tmp, 32);
+        mbedtls_platform_zeroize(tmp, sizeof(tmp));
+    }
+
+    /* Populate transform structure */
+    ret = ssl_populate_transform(ssl->transform_negotiate,
+                                 ssl->session_negotiate->ciphersuite,
+                                 ssl->session_negotiate->master,
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                                 ssl->session_negotiate->encrypt_then_mac,
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+                                 ssl->session_negotiate->trunc_hmac,
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+                                 ssl->session_negotiate->compression,
+#endif
+                                 ssl->handshake->tls_prf,
+                                 ssl->handshake->randbytes,
+                                 ssl->minor_ver,
+                                 ssl->conf->endpoint,
+                                 ssl);
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_populate_transform", ret);
+        return (ret);
+    }
+
+    /* We no longer need Server/ClientHello.random values */
+    mbedtls_platform_zeroize(ssl->handshake->randbytes,
+                             sizeof(ssl->handshake->randbytes));
+
+    /* Allocate compression buffer */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (ssl->session_negotiate->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
+            ssl->compress_buf == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Allocating compression buffer"));
+        ssl->compress_buf = mbedtls_calloc(1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN);
+        if (ssl->compress_buf == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
+                                      MBEDTLS_SSL_COMPRESS_BUFFER_LEN));
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+void ssl_calc_verify_ssl(const mbedtls_ssl_context *ssl,
+                         unsigned char *hash,
+                         size_t *hlen) {
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char pad_1[48];
+    unsigned char pad_2[48];
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify ssl"));
+
+    mbedtls_md5_init(&md5);
+    mbedtls_sha1_init(&sha1);
+
+    mbedtls_md5_clone(&md5, &ssl->handshake->fin_md5);
+    mbedtls_sha1_clone(&sha1, &ssl->handshake->fin_sha1);
+
+    memset(pad_1, 0x36, 48);
+    memset(pad_2, 0x5C, 48);
+
+    mbedtls_md5_update_ret(&md5, ssl->session_negotiate->master, 48);
+    mbedtls_md5_update_ret(&md5, pad_1, 48);
+    mbedtls_md5_finish_ret(&md5, hash);
+
+    mbedtls_md5_starts_ret(&md5);
+    mbedtls_md5_update_ret(&md5, ssl->session_negotiate->master, 48);
+    mbedtls_md5_update_ret(&md5, pad_2, 48);
+    mbedtls_md5_update_ret(&md5, hash,  16);
+    mbedtls_md5_finish_ret(&md5, hash);
+
+    mbedtls_sha1_update_ret(&sha1, ssl->session_negotiate->master, 48);
+    mbedtls_sha1_update_ret(&sha1, pad_1, 40);
+    mbedtls_sha1_finish_ret(&sha1, hash + 16);
+
+    mbedtls_sha1_starts_ret(&sha1);
+    mbedtls_sha1_update_ret(&sha1, ssl->session_negotiate->master, 48);
+    mbedtls_sha1_update_ret(&sha1, pad_2, 40);
+    mbedtls_sha1_update_ret(&sha1, hash + 16, 20);
+    mbedtls_sha1_finish_ret(&sha1, hash + 16);
+
+    *hlen = 36;
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+    mbedtls_md5_free(&md5);
+    mbedtls_sha1_free(&sha1);
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+void ssl_calc_verify_tls(const mbedtls_ssl_context *ssl,
+                         unsigned char *hash,
+                         size_t *hlen) {
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify tls"));
+
+    mbedtls_md5_init(&md5);
+    mbedtls_sha1_init(&sha1);
+
+    mbedtls_md5_clone(&md5, &ssl->handshake->fin_md5);
+    mbedtls_sha1_clone(&sha1, &ssl->handshake->fin_sha1);
+
+    mbedtls_md5_finish_ret(&md5,  hash);
+    mbedtls_sha1_finish_ret(&sha1, hash + 16);
+
+    *hlen = 36;
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+    mbedtls_md5_free(&md5);
+    mbedtls_sha1_free(&sha1);
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
+                                unsigned char *hash,
+                                size_t *hlen) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    size_t hash_size;
+    psa_status_t status;
+    psa_hash_operation_t sha256_psa = psa_hash_operation_init();
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
+    status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
+        return;
+    }
+
+    status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
+        return;
+    }
+
+    *hlen = 32;
+    MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+#else
+    mbedtls_sha256_context sha256;
+
+    mbedtls_sha256_init(&sha256);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
+
+    mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
+    mbedtls_sha256_finish_ret(&sha256, hash);
+
+    *hlen = 32;
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+    mbedtls_sha256_free(&sha256);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    return;
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
+                                unsigned char *hash,
+                                size_t *hlen) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    size_t hash_size;
+    psa_status_t status;
+    psa_hash_operation_t sha384_psa = psa_hash_operation_init();
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
+    status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
+        return;
+    }
+
+    status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
+        return;
+    }
+
+    *hlen = 48;
+    MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+#else
+    mbedtls_sha512_context sha512;
+
+    mbedtls_sha512_init(&sha512);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
+
+    mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512);
+    mbedtls_sha512_finish_ret(&sha512, hash);
+
+    *hlen = 48;
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+    mbedtls_sha512_free(&sha512);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    return;
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) {
+    unsigned char *p = ssl->handshake->premaster;
+    unsigned char *end = p + sizeof(ssl->handshake->premaster);
+    const unsigned char *psk = NULL;
+    size_t psk_len = 0;
+
+    if (mbedtls_ssl_get_psk(ssl, &psk, &psk_len)
+            == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
+        /*
+         * This should never happen because the existence of a PSK is always
+         * checked before calling this function
+         */
+        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    /*
+     * PMS = struct {
+     *     opaque other_secret<0..2^16-1>;
+     *     opaque psk<0..2^16-1>;
+     * };
+     * with "other_secret" depending on the particular key exchange
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
+        if (end - p < 2)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        *(p++) = (unsigned char)(psk_len >> 8);
+        *(p++) = (unsigned char)(psk_len);
+
+        if (end < p || (size_t)(end - p) < psk_len)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        memset(p, 0, psk_len);
+        p += psk_len;
+    } else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+        if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+            /*
+             * other_secret already set by the ClientKeyExchange message,
+             * and is 48 bytes long
+             */
+            if (end - p < 2)
+                return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+            *p++ = 0;
+            *p++ = 48;
+            p += 48;
+        } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+            if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+                int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+                size_t len;
+
+                /* Write length only when we know the actual value */
+                if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+                                                   p + 2, end - (p + 2), &len,
+                                                   ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+                    return (ret);
+                }
+                *(p++) = (unsigned char)(len >> 8);
+                *(p++) = (unsigned char)(len);
+                p += len;
+
+                MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+            } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+                if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+                    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+                    size_t zlen;
+
+                    if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
+                                                        p + 2, end - (p + 2),
+                                                        ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+                        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+                        return (ret);
+                    }
+
+                    *(p++) = (unsigned char)(zlen >> 8);
+                    *(p++) = (unsigned char)(zlen);
+                    p += zlen;
+
+                    MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+                                           MBEDTLS_DEBUG_ECDH_Z);
+                } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+                {
+                    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+                }
+
+    /* opaque psk<0..2^16-1>; */
+    if (end - p < 2)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    *(p++) = (unsigned char)(psk_len >> 8);
+    *(p++) = (unsigned char)(psk_len);
+
+    if (end < p || (size_t)(end - p) < psk_len)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    memcpy(p, psk, psk_len);
+    p += psk_len;
+
+    ssl->handshake->pmslen = p - ssl->handshake->premaster;
+
+    return (0);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) {
+    /* If renegotiation is not enforced, retransmit until we would reach max
+     * timeout if we were using the usual handshake doubling scheme */
+    if (ssl->conf->renego_max_records < 0) {
+        uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+        unsigned char doublings = 1;
+
+        while (ratio != 0) {
+            ++doublings;
+            ratio >>= 1;
+        }
+
+        if (++ssl->renego_records_seen > doublings) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
+            return (0);
+        }
+    }
+
+    return (ssl_write_hello_request(ssl));
+}
+#endif
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_clear_peer_cert(mbedtls_ssl_session *session) {
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if (session->peer_cert != NULL) {
+        mbedtls_x509_crt_free(session->peer_cert);
+        mbedtls_free(session->peer_cert);
+        session->peer_cert = NULL;
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (session->peer_cert_digest != NULL) {
+        /* Zeroization is not necessary. */
+        mbedtls_free(session->peer_cert_digest);
+        session->peer_cert_digest      = NULL;
+        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
+        session->peer_cert_digest_len  = 0;
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Handshake functions
+ */
+#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/* No certificate support -> dummy functions */
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
+
+    if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
+
+    if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
+        ssl->state++;
+        return (0);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+    return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+}
+
+#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+/* Some certificate support -> implement write and parse */
+
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, n;
+    const mbedtls_x509_crt *crt;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
+
+    if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+        ssl->state++;
+        return (0);
+    }
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+        if (ssl->client_auth == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+            ssl->state++;
+            return (0);
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        /*
+         * If using SSLv3 and got no cert, send an Alert message
+         * (otherwise an empty Certificate message will be sent).
+         */
+        if (mbedtls_ssl_own_cert(ssl)  == NULL &&
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+            ssl->out_msglen  = 2;
+            ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+            ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+            ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
+
+            MBEDTLS_SSL_DEBUG_MSG(2, ("got no certificate to send"));
+            goto write_msg;
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+        if (mbedtls_ssl_own_cert(ssl) == NULL) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("got no certificate to send"));
+            return (MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED);
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
+
+    /*
+     *     0  .  0    handshake type
+     *     1  .  3    handshake length
+     *     4  .  6    length of all certs
+     *     7  .  9    length of cert. 1
+     *    10  . n-1   peer certificate
+     *     n  . n+2   length of cert. 2
+     *    n+3 . ...   upper level cert, etc.
+     */
+    i = 7;
+    crt = mbedtls_ssl_own_cert(ssl);
+
+    while (crt != NULL) {
+        n = crt->raw.len;
+        if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
+                                      " > %" MBEDTLS_PRINTF_SIZET,
+                                      i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+            return (MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE);
+        }
+
+        ssl->out_msg[i    ] = (unsigned char)(n >> 16);
+        ssl->out_msg[i + 1] = (unsigned char)(n >>  8);
+        ssl->out_msg[i + 2] = (unsigned char)(n);
+
+        i += 3;
+        memcpy(ssl->out_msg + i, crt->raw.p, n);
+        i += n;
+        crt = crt->next;
+    }
+
+    ssl->out_msg[4]  = (unsigned char)((i - 7) >> 16);
+    ssl->out_msg[5]  = (unsigned char)((i - 7) >>  8);
+    ssl->out_msg[6]  = (unsigned char)((i - 7));
+
+    ssl->out_msglen  = i;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+write_msg:
+#endif
+
+    ssl->state++;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
+
+    return (ret);
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
+                                        unsigned char *crt_buf,
+                                        size_t crt_buf_len) {
+    mbedtls_x509_crt const *const peer_crt = ssl->session->peer_cert;
+
+    if (peer_crt == NULL)
+        return (-1);
+
+    if (peer_crt->raw.len != crt_buf_len)
+        return (-1);
+
+    return (memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len));
+}
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
+                                        unsigned char *crt_buf,
+                                        size_t crt_buf_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char const *const peer_cert_digest =
+        ssl->session->peer_cert_digest;
+    mbedtls_md_type_t const peer_cert_digest_type =
+        ssl->session->peer_cert_digest_type;
+    mbedtls_md_info_t const *const digest_info =
+        mbedtls_md_info_from_type(peer_cert_digest_type);
+    unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
+    size_t digest_len;
+
+    if (peer_cert_digest == NULL || digest_info == NULL)
+        return (-1);
+
+    digest_len = mbedtls_md_get_size(digest_info);
+    if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN)
+        return (-1);
+
+    ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
+    if (ret != 0)
+        return (-1);
+
+    return (memcmp(tmp_digest, peer_cert_digest, digest_len));
+}
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+/*
+ * Once the certificate message is read, parse it into a cert chain and
+ * perform basic checks, but leave actual verification to the caller
+ */
+static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
+                                       mbedtls_x509_crt *chain) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+    int crt_cnt = 0;
+#endif
+    size_t i, n;
+    uint8_t alert;
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
+            ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+    }
+
+    i = mbedtls_ssl_hs_hdr_len(ssl);
+
+    /*
+     * Same message structure as in mbedtls_ssl_write_certificate()
+     */
+    n = (ssl->in_msg[i + 1] << 8) | ssl->in_msg[i + 2];
+
+    if (ssl->in_msg[i] != 0 ||
+            ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+    }
+
+    /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
+    i += 3;
+
+    /* Iterate through and parse the CRTs in the provided chain. */
+    while (i < ssl->in_hslen) {
+        /* Check that there's room for the next CRT's length fields. */
+        if (i + 3 > ssl->in_hslen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+            mbedtls_ssl_send_alert_message(ssl,
+                                           MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+        }
+        /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
+         * anything beyond 2**16 ~ 64K. */
+        if (ssl->in_msg[i] != 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+            mbedtls_ssl_send_alert_message(ssl,
+                                           MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+        }
+
+        /* Read length of the next CRT in the chain. */
+        n = ((unsigned int) ssl->in_msg[i + 1] << 8)
+            | (unsigned int) ssl->in_msg[i + 2];
+        i += 3;
+
+        if (n < 128 || i + n > ssl->in_hslen) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+            mbedtls_ssl_send_alert_message(ssl,
+                                           MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+            return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+        }
+
+        /* Check if we're handling the first CRT in the chain. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+        if (crt_cnt++ == 0 &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+                ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+            /* During client-side renegotiation, check that the server's
+             * end-CRTs hasn't changed compared to the initial handshake,
+             * mitigating the triple handshake attack. On success, reuse
+             * the original end-CRT instead of parsing it again. */
+            MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
+            if (ssl_check_peer_crt_unchanged(ssl,
+                                             &ssl->in_msg[i],
+                                             n) != 0) {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
+                mbedtls_ssl_send_alert_message(ssl,
+                                               MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
+                return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE);
+            }
+
+            /* Now we can safely free the original chain. */
+            ssl_clear_peer_cert(ssl->session);
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+        /* Parse the next certificate in the chain. */
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
+#else
+        /* If we don't need to store the CRT chain permanently, parse
+         * it in-place from the input buffer instead of making a copy. */
+        ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+        switch (ret) {
+            case 0: /*ok*/
+            case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+                /* Ignore certificate with an unknown algorithm: maybe a
+                   prior certificate was already trusted. */
+                break;
+
+            case MBEDTLS_ERR_X509_ALLOC_FAILED:
+                alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+                goto crt_parse_der_failed;
+
+            case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+                goto crt_parse_der_failed;
+
+            default:
+                alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+crt_parse_der_failed:
+                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
+                MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
+                return (ret);
+        }
+
+        i += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) {
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
+        return (-1);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /*
+     * Check if the client sent an empty certificate
+     */
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
+        if (ssl->in_msglen  == 2                        &&
+                ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
+                ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
+                ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("SSLv3 client has no certificate"));
+            return (0);
+        }
+
+        return (-1);
+    }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
+            memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("TLSv1 client has no certificate"));
+        return (0);
+    }
+
+    return (-1);
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/* Check if a certificate message is expected.
+ * Return either
+ * - SSL_CERTIFICATE_EXPECTED, or
+ * - SSL_CERTIFICATE_SKIP
+ * indicating whether a Certificate message is expected or not.
+ */
+#define SSL_CERTIFICATE_EXPECTED 0
+#define SSL_CERTIFICATE_SKIP     1
+static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
+                                            int authmode) {
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+
+    if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info))
+        return (SSL_CERTIFICATE_SKIP);
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+        if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK)
+            return (SSL_CERTIFICATE_SKIP);
+
+        if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+            ssl->session_negotiate->verify_result =
+                MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+            return (SSL_CERTIFICATE_SKIP);
+        }
+    }
+#else
+    ((void) authmode);
+#endif /* MBEDTLS_SSL_SRV_C */
+
+    return (SSL_CERTIFICATE_EXPECTED);
+}
+
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
+                                        int authmode,
+                                        mbedtls_x509_crt *chain,
+                                        void *rs_ctx) {
+    int ret = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->handshake->ciphersuite_info;
+    int have_ca_chain = 0;
+
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;
+
+    if (authmode == MBEDTLS_SSL_VERIFY_NONE)
+        return (0);
+
+    if (ssl->f_vrfy != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+        f_vrfy = ssl->f_vrfy;
+        p_vrfy = ssl->p_vrfy;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+        f_vrfy = ssl->conf->f_vrfy;
+        p_vrfy = ssl->conf->p_vrfy;
+    }
+
+    /*
+     * Main check: verify certificate
+     */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    if (ssl->conf->f_ca_cb != NULL) {
+        ((void) rs_ctx);
+        have_ca_chain = 1;
+
+        MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
+        ret = mbedtls_x509_crt_verify_with_ca_cb(
+                  chain,
+                  ssl->conf->f_ca_cb,
+                  ssl->conf->p_ca_cb,
+                  ssl->conf->cert_profile,
+                  ssl->hostname,
+                  &ssl->session_negotiate->verify_result,
+                  f_vrfy, p_vrfy);
+    } else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+    {
+        mbedtls_x509_crt *ca_chain;
+        mbedtls_x509_crl *ca_crl;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if (ssl->handshake->sni_ca_chain != NULL) {
+            ca_chain = ssl->handshake->sni_ca_chain;
+            ca_crl   = ssl->handshake->sni_ca_crl;
+        } else
+#endif
+        {
+            ca_chain = ssl->conf->ca_chain;
+            ca_crl   = ssl->conf->ca_crl;
+        }
+
+        if (ca_chain != NULL)
+            have_ca_chain = 1;
+
+        ret = mbedtls_x509_crt_verify_restartable(
+                  chain,
+                  ca_chain, ca_crl,
+                  ssl->conf->cert_profile,
+                  ssl->hostname,
+                  &ssl->session_negotiate->verify_result,
+                  f_vrfy, p_vrfy, rs_ctx);
+    }
+
+    if (ret != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
+    }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS)
+        return (MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS);
+#endif
+
+    /*
+     * Secondary checks: always done, but change 'ret' only if it was 0
+     */
+
+#if defined(MBEDTLS_ECP_C)
+    {
+        const mbedtls_pk_context *pk = &chain->pk;
+
+        /* If certificate uses an EC key, make sure the curve is OK */
+        if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY) &&
+                mbedtls_ssl_check_curve(ssl, mbedtls_pk_ec(*pk)->grp.id) != 0) {
+            ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+            MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
+            if (ret == 0)
+                ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+        }
+    }
+#endif /* MBEDTLS_ECP_C */
+
+    if (mbedtls_ssl_check_cert_usage(chain,
+                                     ciphersuite_info,
+                                     ! ssl->conf->endpoint,
+                                     &ssl->session_negotiate->verify_result) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
+        if (ret == 0)
+            ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+    }
+
+    /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+     * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+     * with details encoded in the verification flags. All other kinds
+     * of error codes, including those from the user provided f_vrfy
+     * functions, are treated as fatal and lead to a failure of
+     * ssl_parse_certificate even if verification was optional. */
+    if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+            (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+             ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE)) {
+        ret = 0;
+    }
+
+    if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
+        ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+    }
+
+    if (ret != 0) {
+        uint8_t alert;
+
+        /* The certificate may have been rejected for several reasons.
+           Pick one and send the corresponding alert. Which alert to send
+           may be a subject of debate in some cases. */
+        if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER)
+            alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+            alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED)
+            alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED)
+            alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+        else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
+            alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+        else
+            alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       alert);
+    }
+
+#if defined(MBEDTLS_DEBUG_C)
+    if (ssl->session_negotiate->verify_result != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
+                                  (unsigned int) ssl->session_negotiate->verify_result));
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+    return (ret);
+}
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
+                                        unsigned char *start, size_t len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    /* Remember digest of the peer's end-CRT. */
+    ssl->session_negotiate->peer_cert_digest =
+        mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
+    if (ssl->session_negotiate->peer_cert_digest == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
+                                  MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
+        mbedtls_ssl_send_alert_message(ssl,
+                                       MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    ret = mbedtls_md(mbedtls_md_info_from_type(
+                         MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
+                     start, len,
+                     ssl->session_negotiate->peer_cert_digest);
+
+    ssl->session_negotiate->peer_cert_digest_type =
+        MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
+    ssl->session_negotiate->peer_cert_digest_len =
+        MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
+
+    return (ret);
+}
+
+static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
+                                    unsigned char *start, size_t len) {
+    unsigned char *end = start + len;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /* Make a copy of the peer's raw public key. */
+    mbedtls_pk_init(&ssl->handshake->peer_pubkey);
+    ret = mbedtls_pk_parse_subpubkey(&start, end,
+                                     &ssl->handshake->peer_pubkey);
+    if (ret != 0) {
+        /* We should have parsed the public key before. */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    return (0);
+}
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+    int crt_expected;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+                         ? ssl->handshake->sni_authmode
+                         : ssl->conf->authmode;
+#else
+    const int authmode = ssl->conf->authmode;
+#endif
+    void *rs_ctx = NULL;
+    mbedtls_x509_crt *chain = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
+
+    crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
+    if (crt_expected == SSL_CERTIFICATE_SKIP) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
+        goto exit;
+    }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled &&
+            ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
+        chain = ssl->handshake->ecrs_peer_cert;
+        ssl->handshake->ecrs_peer_cert = NULL;
+        goto crt_verify;
+    }
+#endif
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        /* mbedtls_ssl_read_record may have sent an alert already. We
+           let it decide whether to alert. */
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        goto exit;
+    }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+
+        if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL)
+            ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
+
+        goto exit;
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+    /* Clear existing peer CRT structure in case we tried to
+     * reuse a session but it failed, and allocate a new one. */
+    ssl_clear_peer_cert(ssl->session_negotiate);
+
+    chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+    if (chain == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
+                                  sizeof(mbedtls_x509_crt)));
+        mbedtls_ssl_send_alert_message(ssl,
+                                       MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto exit;
+    }
+    mbedtls_x509_crt_init(chain);
+
+    ret = ssl_parse_certificate_chain(ssl, chain);
+    if (ret != 0)
+        goto exit;
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
+
+crt_verify:
+    if (ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
+    ret = ssl_parse_certificate_verify(ssl, authmode,
+                                       chain, rs_ctx);
+    if (ret != 0)
+        goto exit;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    {
+        unsigned char *crt_start, *pk_start;
+        size_t crt_len, pk_len;
+
+        /* We parse the CRT chain without copying, so
+         * these pointers point into the input buffer,
+         * and are hence still valid after freeing the
+         * CRT chain. */
+
+        crt_start = chain->raw.p;
+        crt_len   = chain->raw.len;
+
+        pk_start = chain->pk_raw.p;
+        pk_len   = chain->pk_raw.len;
+
+        /* Free the CRT structures before computing
+         * digest and copying the peer's public key. */
+        mbedtls_x509_crt_free(chain);
+        mbedtls_free(chain);
+        chain = NULL;
+
+        ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
+        if (ret != 0)
+            goto exit;
+
+        ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
+        if (ret != 0)
+            goto exit;
+    }
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    /* Pass ownership to session structure. */
+    ssl->session_negotiate->peer_cert = chain;
+    chain = NULL;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
+
+exit:
+
+    if (ret == 0)
+        ssl->state++;
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
+        ssl->handshake->ecrs_peer_cert = chain;
+        chain = NULL;
+    }
+#endif
+
+    if (chain != NULL) {
+        mbedtls_x509_crt_free(chain);
+        mbedtls_free(chain);
+    }
+
+    return (ret);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
+                                   const mbedtls_ssl_ciphersuite_t *ciphersuite_info) {
+    ((void) ciphersuite_info);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3)
+        ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+        if (ciphersuite_info->mac == MBEDTLS_MD_SHA384)
+            ssl->handshake->update_checksum = ssl_update_checksum_sha384;
+        else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+            if (ciphersuite_info->mac != MBEDTLS_MD_SHA384)
+                ssl->handshake->update_checksum = ssl_update_checksum_sha256;
+            else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+            {
+                MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+                return;
+            }
+}
+
+void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_starts_ret(&ssl->handshake->fin_md5);
+    mbedtls_sha1_starts_ret(&ssl->handshake->fin_sha1);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_abort(&ssl->handshake->fin_sha256_psa);
+    psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
+#else
+    mbedtls_sha256_starts_ret(&ssl->handshake->fin_sha256, 0);
+#endif
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_abort(&ssl->handshake->fin_sha384_psa);
+    psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
+#else
+    mbedtls_sha512_starts_ret(&ssl->handshake->fin_sha512, 1);
+#endif
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+static void ssl_update_checksum_start(mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf, size_t len) {
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_update_ret(&ssl->handshake->fin_md5, buf, len);
+    mbedtls_sha1_update_ret(&ssl->handshake->fin_sha1, buf, len);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+#else
+    mbedtls_sha256_update_ret(&ssl->handshake->fin_sha256, buf, len);
+#endif
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
+#else
+    mbedtls_sha512_update_ret(&ssl->handshake->fin_sha512, buf, len);
+#endif
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1(mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len) {
+    mbedtls_md5_update_ret(&ssl->handshake->fin_md5, buf, len);
+    mbedtls_sha1_update_ret(&ssl->handshake->fin_sha1, buf, len);
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+#else
+    mbedtls_sha256_update_ret(&ssl->handshake->fin_sha256, buf, len);
+#endif
+}
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
+#else
+    mbedtls_sha512_update_ret(&ssl->handshake->fin_sha512, buf, len);
+#endif
+}
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_finished_ssl(
+    mbedtls_ssl_context *ssl, unsigned char *buf, int from) {
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+
+    unsigned char padbuf[48];
+    unsigned char md5sum[16];
+    unsigned char sha1sum[20];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if (!session)
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished ssl"));
+
+    mbedtls_md5_init(&md5);
+    mbedtls_sha1_init(&sha1);
+
+    mbedtls_md5_clone(&md5, &ssl->handshake->fin_md5);
+    mbedtls_sha1_clone(&sha1, &ssl->handshake->fin_sha1);
+
+    /*
+     * SSLv3:
+     *   hash =
+     *      MD5( master + pad2 +
+     *          MD5( handshake + sender + master + pad1 ) )
+     *   + SHA1( master + pad2 +
+     *         SHA1( handshake + sender + master + pad1 ) )
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished  md5 state", (unsigned char *)
+                          md5.state, sizeof(md5.state));
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished sha1 state", (unsigned char *)
+                          sha1.state, sizeof(sha1.state));
+#endif
+
+    sender = (from == MBEDTLS_SSL_IS_CLIENT) ? "CLNT"
+             : "SRVR";
+
+    memset(padbuf, 0x36, 48);
+
+    mbedtls_md5_update_ret(&md5, (const unsigned char *) sender, 4);
+    mbedtls_md5_update_ret(&md5, session->master, 48);
+    mbedtls_md5_update_ret(&md5, padbuf, 48);
+    mbedtls_md5_finish_ret(&md5, md5sum);
+
+    mbedtls_sha1_update_ret(&sha1, (const unsigned char *) sender, 4);
+    mbedtls_sha1_update_ret(&sha1, session->master, 48);
+    mbedtls_sha1_update_ret(&sha1, padbuf, 40);
+    mbedtls_sha1_finish_ret(&sha1, sha1sum);
+
+    memset(padbuf, 0x5C, 48);
+
+    mbedtls_md5_starts_ret(&md5);
+    mbedtls_md5_update_ret(&md5, session->master, 48);
+    mbedtls_md5_update_ret(&md5, padbuf, 48);
+    mbedtls_md5_update_ret(&md5, md5sum, 16);
+    mbedtls_md5_finish_ret(&md5, buf);
+
+    mbedtls_sha1_starts_ret(&sha1);
+    mbedtls_sha1_update_ret(&sha1, session->master, 48);
+    mbedtls_sha1_update_ret(&sha1, padbuf, 40);
+    mbedtls_sha1_update_ret(&sha1, sha1sum, 20);
+    mbedtls_sha1_finish_ret(&sha1, buf + 16);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, 36);
+
+    mbedtls_md5_free(&md5);
+    mbedtls_sha1_free(&sha1);
+
+    mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
+    mbedtls_platform_zeroize(md5sum, sizeof(md5sum));
+    mbedtls_platform_zeroize(sha1sum, sizeof(sha1sum));
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc  finished"));
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_finished_tls(
+    mbedtls_ssl_context *ssl, unsigned char *buf, int from) {
+    int len = 12;
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padbuf[36];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if (!session)
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished tls"));
+
+    mbedtls_md5_init(&md5);
+    mbedtls_sha1_init(&sha1);
+
+    mbedtls_md5_clone(&md5, &ssl->handshake->fin_md5);
+    mbedtls_sha1_clone(&sha1, &ssl->handshake->fin_sha1);
+
+    /*
+     * TLSv1:
+     *   hash = PRF( master, finished_label,
+     *               MD5( handshake ) + SHA1( handshake ) )[0..11]
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished  md5 state", (unsigned char *)
+                          md5.state, sizeof(md5.state));
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished sha1 state", (unsigned char *)
+                          sha1.state, sizeof(sha1.state));
+#endif
+
+    sender = (from == MBEDTLS_SSL_IS_CLIENT)
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_md5_finish_ret(&md5, padbuf);
+    mbedtls_sha1_finish_ret(&sha1, padbuf + 16);
+
+    ssl->handshake->tls_prf(session->master, 48, sender,
+                            padbuf, 36, buf, len);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
+
+    mbedtls_md5_free(&md5);
+    mbedtls_sha1_free(&sha1);
+
+    mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc  finished"));
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_calc_finished_tls_sha256(
+    mbedtls_ssl_context *ssl, unsigned char *buf, int from) {
+    int len = 12;
+    const char *sender;
+    unsigned char padbuf[32];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    size_t hash_size;
+    psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
+    psa_status_t status;
+#else
+    mbedtls_sha256_context sha256;
+#endif
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if (!session)
+        session = ssl->session;
+
+    sender = (from == MBEDTLS_SSL_IS_CLIENT)
+             ? "client finished"
+             : "server finished";
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    sha256_psa = psa_hash_operation_init();
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256"));
+
+    status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
+        return;
+    }
+
+    status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
+        return;
+    }
+    MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
+#else
+
+    mbedtls_sha256_init(&sha256);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished tls sha256"));
+
+    mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished sha2 state", (unsigned char *)
+                          sha256.state, sizeof(sha256.state));
+#endif
+
+    mbedtls_sha256_finish_ret(&sha256, padbuf);
+    mbedtls_sha256_free(&sha256);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    ssl->handshake->tls_prf(session->master, 48, sender,
+                            padbuf, 32, buf, len);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
+
+    mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc  finished"));
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+
+typedef int (*finish_sha384_t)(mbedtls_sha512_context *, unsigned char *);
+
+static void ssl_calc_finished_tls_sha384(
+    mbedtls_ssl_context *ssl, unsigned char *buf, int from) {
+    int len = 12;
+    const char *sender;
+    unsigned char padbuf[48];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    size_t hash_size;
+    psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
+    psa_status_t status;
+#else
+    mbedtls_sha512_context sha512;
+#endif
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if (!session)
+        session = ssl->session;
+
+    sender = (from == MBEDTLS_SSL_IS_CLIENT)
+             ? "client finished"
+             : "server finished";
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    sha384_psa = psa_hash_operation_init();
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384"));
+
+    status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
+        return;
+    }
+
+    status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
+    if (status != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
+        return;
+    }
+    MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
+#else
+    mbedtls_sha512_init(&sha512);
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished tls sha384"));
+
+    mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512);
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+    MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *)
+                          sha512.state, sizeof(sha512.state));
+#endif
+    /*
+     * For SHA-384, we can save 16 bytes by keeping padbuf 48 bytes long.
+     * However, to avoid stringop-overflow warning in gcc, we have to cast
+     * mbedtls_sha512_finish_ret().
+     */
+    finish_sha384_t finish = (finish_sha384_t)mbedtls_sha512_finish_ret;
+    finish(&sha512, padbuf);
+
+    mbedtls_sha512_free(&sha512);
+#endif
+
+    ssl->handshake->tls_prf(session->master, 48, sender,
+                            padbuf, 48, buf, len);
+
+    MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
+
+    mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc  finished"));
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) {
+    MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
+
+    /*
+     * Free our handshake params
+     */
+    mbedtls_ssl_handshake_free(ssl);
+    mbedtls_free(ssl->handshake);
+    ssl->handshake = NULL;
+
+    /*
+     * Free the previous transform and swith in the current one
+     */
+    if (ssl->transform) {
+        mbedtls_ssl_transform_free(ssl->transform);
+        mbedtls_free(ssl->transform);
+    }
+    ssl->transform = ssl->transform_negotiate;
+    ssl->transform_negotiate = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
+}
+
+void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) {
+    int resume = ssl->handshake->resume;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+        ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
+        ssl->renego_records_seen = 0;
+    }
+#endif
+
+    /*
+     * Free the previous session and switch in the current one
+     */
+    if (ssl->session) {
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        /* RFC 7366 3.1: keep the EtM state */
+        ssl->session_negotiate->encrypt_then_mac =
+            ssl->session->encrypt_then_mac;
+#endif
+
+        mbedtls_ssl_session_free(ssl->session);
+        mbedtls_free(ssl->session);
+    }
+    ssl->session = ssl->session_negotiate;
+    ssl->session_negotiate = NULL;
+
+    /*
+     * Add cache entry
+     */
+    if (ssl->conf->f_set_cache != NULL &&
+            ssl->session->id_len != 0 &&
+            resume == 0) {
+        if (ssl->conf->f_set_cache(ssl->conf->p_cache, ssl->session) != 0)
+            MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->handshake->flight != NULL) {
+        /* Cancel handshake timer */
+        mbedtls_ssl_set_timer(ssl, 0);
+
+        /* Keep last flight around in case we need to resend it:
+         * we need the handshake and transform structures for that */
+        MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
+    } else
+#endif
+        mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
+}
+
+int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) {
+    int ret, hash_len;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
+
+    mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
+
+    ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
+
+    /*
+     * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+     * may define some other value. Currently (early 2016), no defined
+     * ciphersuite does this (and this is unlikely to change as activity has
+     * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+     */
+    hash_len = (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) ? 36 : 12;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
+#endif
+
+    ssl->out_msglen  = 4 + hash_len;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
+
+    /*
+     * In case of session resuming, invert the client and server
+     * ChangeCipherSpec messages order.
+     */
+    if (ssl->handshake->resume != 0) {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+    } else
+        ssl->state++;
+
+    /*
+     * Switch to our negotiated transform and session parameters for outbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        unsigned char i;
+
+        /* Remember current epoch settings for resending */
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+        memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8);
+
+        /* Set sequence_number to zero */
+        memset(ssl->cur_out_ctr + 2, 0, 6);
+
+        /* Increment epoch */
+        for (i = 2; i > 0; i--)
+            if (++ssl->cur_out_ctr[i - 1] != 0)
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if (i == 0) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
+            return (MBEDTLS_ERR_SSL_COUNTER_WRAPPING);
+        }
+    } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        memset(ssl->cur_out_ctr, 0, 8);
+
+    ssl->transform_out = ssl->transform_negotiate;
+    ssl->session_out = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_activate != NULL) {
+        if ((ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_send_flight_completed(ssl);
+#endif
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+        return (ret);
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define SSL_MAX_HASH_LEN 36
+#else
+#define SSL_MAX_HASH_LEN 12
+#endif
+
+int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned int hash_len;
+    unsigned char buf[SSL_MAX_HASH_LEN];
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
+
+    ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
+
+    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+        return (ret);
+    }
+
+    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+        return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+    }
+
+    /* There is currently no ciphersuite using another length with TLS 1.2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0)
+        hash_len = 36;
+    else
+#endif
+        hash_len = 12;
+
+    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
+            ssl->in_hslen  != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_FINISHED);
+    }
+
+    if (mbedtls_ssl_safer_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
+                                 buf, hash_len) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+        return (MBEDTLS_ERR_SSL_BAD_HS_FINISHED);
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy(ssl->peer_verify_data, buf, hash_len);
+#endif
+
+    if (ssl->handshake->resume != 0) {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+    } else
+        ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+        mbedtls_ssl_recv_flight_completed(ssl);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
+
+    return (0);
+}
+
+static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) {
+    memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_init(&handshake->fin_md5);
+    mbedtls_sha1_init(&handshake->fin_sha1);
+    mbedtls_md5_starts_ret(&handshake->fin_md5);
+    mbedtls_sha1_starts_ret(&handshake->fin_sha1);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    handshake->fin_sha256_psa = psa_hash_operation_init();
+    psa_hash_setup(&handshake->fin_sha256_psa, PSA_ALG_SHA_256);
+#else
+    mbedtls_sha256_init(&handshake->fin_sha256);
+    mbedtls_sha256_starts_ret(&handshake->fin_sha256, 0);
+#endif
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    handshake->fin_sha384_psa = psa_hash_operation_init();
+    psa_hash_setup(&handshake->fin_sha384_psa, PSA_ALG_SHA_384);
+#else
+    mbedtls_sha512_init(&handshake->fin_sha512);
+    mbedtls_sha512_starts_ret(&handshake->fin_sha512, 1);
+#endif
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    mbedtls_ssl_sig_hash_set_init(&handshake->hash_algs);
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_init(&handshake->dhm_ctx);
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_init(&handshake->ecdh_ctx);
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
+#if defined(MBEDTLS_SSL_CLI_C)
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    mbedtls_pk_init(&handshake->peer_pubkey);
+#endif
+}
+
+void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) {
+    memset(transform, 0, sizeof(mbedtls_ssl_transform));
+
+    mbedtls_cipher_init(&transform->cipher_ctx_enc);
+    mbedtls_cipher_init(&transform->cipher_ctx_dec);
+
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+    mbedtls_md_init(&transform->md_ctx_enc);
+    mbedtls_md_init(&transform->md_ctx_dec);
+#endif
+}
+
+void mbedtls_ssl_session_init(mbedtls_ssl_session *session) {
+    memset(session, 0, sizeof(mbedtls_ssl_session));
+}
+
+static int ssl_handshake_init(mbedtls_ssl_context *ssl) {
+    /* Clear old handshake information if present */
+    if (ssl->transform_negotiate)
+        mbedtls_ssl_transform_free(ssl->transform_negotiate);
+    if (ssl->session_negotiate)
+        mbedtls_ssl_session_free(ssl->session_negotiate);
+    if (ssl->handshake)
+        mbedtls_ssl_handshake_free(ssl);
+
+    /*
+     * Either the pointers are now NULL or cleared properly and can be freed.
+     * Now allocate missing structures.
+     */
+    if (ssl->transform_negotiate == NULL) {
+        ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
+    }
+
+    if (ssl->session_negotiate == NULL) {
+        ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
+    }
+
+    if (ssl->handshake == NULL) {
+        ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
+    }
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    /* If the buffers are too small - reallocate */
+
+    handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
+                           MBEDTLS_SSL_OUT_BUFFER_LEN);
+#endif
+
+    /* All pointers should exist and can be directly freed without issue */
+    if (ssl->handshake == NULL ||
+            ssl->transform_negotiate == NULL ||
+            ssl->session_negotiate == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
+
+        mbedtls_free(ssl->handshake);
+        mbedtls_free(ssl->transform_negotiate);
+        mbedtls_free(ssl->session_negotiate);
+
+        ssl->handshake = NULL;
+        ssl->transform_negotiate = NULL;
+        ssl->session_negotiate = NULL;
+
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    }
+
+    /* Initialize structures */
+    mbedtls_ssl_session_init(ssl->session_negotiate);
+    mbedtls_ssl_transform_init(ssl->transform_negotiate);
+    ssl_handshake_params_init(ssl->handshake);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+        else
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        mbedtls_ssl_set_timer(ssl, 0);
+    }
+#endif
+
+    return (0);
+}
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/* Dummy cookie callbacks for defaults */
+static int ssl_cookie_write_dummy(void *ctx,
+                                  unsigned char **p, unsigned char *end,
+                                  const unsigned char *cli_id, size_t cli_id_len) {
+    ((void) ctx);
+    ((void) p);
+    ((void) end);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+}
+
+static int ssl_cookie_check_dummy(void *ctx,
+                                  const unsigned char *cookie, size_t cookie_len,
+                                  const unsigned char *cli_id, size_t cli_id_len) {
+    ((void) ctx);
+    ((void) cookie);
+    ((void) cookie_len);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+/*
+ * Initialize an SSL context
+ */
+void mbedtls_ssl_init(mbedtls_ssl_context *ssl) {
+    memset(ssl, 0, sizeof(mbedtls_ssl_context));
+}
+
+/*
+ * Setup an SSL context
+ */
+
+int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
+                      const mbedtls_ssl_config *conf) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+
+    ssl->conf = conf;
+
+    /*
+     * Prepare base structures
+     */
+
+    /* Set to NULL in case of an error condition */
+    ssl->out_buf = NULL;
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    ssl->in_buf_len = in_buf_len;
+#endif
+    ssl->in_buf = mbedtls_calloc(1, in_buf_len);
+    if (ssl->in_buf == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    ssl->out_buf_len = out_buf_len;
+#endif
+    ssl->out_buf = mbedtls_calloc(1, out_buf_len);
+    if (ssl->out_buf == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+    mbedtls_ssl_reset_in_out_pointers(ssl);
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
+#endif
+
+    if ((ret = ssl_handshake_init(ssl)) != 0)
+        goto error;
+
+    return (0);
+
+error:
+    mbedtls_free(ssl->in_buf);
+    mbedtls_free(ssl->out_buf);
+
+    ssl->conf = NULL;
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    ssl->in_buf_len = 0;
+    ssl->out_buf_len = 0;
+#endif
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+
+    ssl->in_hdr = NULL;
+    ssl->in_ctr = NULL;
+    ssl->in_len = NULL;
+    ssl->in_iv = NULL;
+    ssl->in_msg = NULL;
+
+    ssl->out_hdr = NULL;
+    ssl->out_ctr = NULL;
+    ssl->out_len = NULL;
+    ssl->out_iv = NULL;
+    ssl->out_msg = NULL;
+
+    return (ret);
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ *
+ * If partial is non-zero, keep data in the input buffer and client ID.
+ * (Use when a DTLS client reconnects from the same port.)
+ */
+int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    size_t in_buf_len = ssl->in_buf_len;
+    size_t out_buf_len = ssl->out_buf_len;
+#else
+    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) ||     \
+    !defined(MBEDTLS_SSL_SRV_C)
+    ((void) partial);
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+
+    /* Cancel any possibly running timer */
+    mbedtls_ssl_set_timer(ssl, 0);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+    ssl->renego_records_seen = 0;
+
+    ssl->verify_data_len = 0;
+    memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
+    memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
+#endif
+    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+    ssl->in_offt = NULL;
+    mbedtls_ssl_reset_in_out_pointers(ssl);
+
+    ssl->in_msgtype = 0;
+    ssl->in_msglen = 0;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    ssl->next_record_offset = 0;
+    ssl->in_epoch = 0;
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    mbedtls_ssl_dtls_replay_reset(ssl);
+#endif
+
+    ssl->in_hslen = 0;
+    ssl->nb_zero = 0;
+
+    ssl->keep_current_message = 0;
+
+    ssl->out_msgtype = 0;
+    ssl->out_msglen = 0;
+    ssl->out_left = 0;
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    if (ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED)
+        ssl->split_done = 0;
+#endif
+
+    memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
+
+    ssl->transform_in = NULL;
+    ssl->transform_out = NULL;
+
+    ssl->session_in = NULL;
+    ssl->session_out = NULL;
+
+    memset(ssl->out_buf, 0, out_buf_len);
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+    if (partial == 0)
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+    {
+        ssl->in_left = 0;
+        memset(ssl->in_buf, 0, in_buf_len);
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_reset != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_reset()"));
+        if ((ret = mbedtls_ssl_hw_record_reset(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_reset", ret);
+            return (MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
+        }
+    }
+#endif
+
+    if (ssl->transform) {
+        mbedtls_ssl_transform_free(ssl->transform);
+        mbedtls_free(ssl->transform);
+        ssl->transform = NULL;
+    }
+
+    if (ssl->session) {
+        mbedtls_ssl_session_free(ssl->session);
+        mbedtls_free(ssl->session);
+        ssl->session = NULL;
+    }
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl->alpn_chosen = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    if (partial == 0)
+#endif
+    {
+        mbedtls_free(ssl->cli_id);
+        ssl->cli_id = NULL;
+        ssl->cli_id_len = 0;
+    }
+#endif
+
+    if ((ret = ssl_handshake_init(ssl)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ */
+int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl) {
+    return (mbedtls_ssl_session_reset_int(ssl, 0));
+}
+
+/*
+ * SSL set accessors
+ */
+void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint) {
+    conf->endpoint   = endpoint;
+}
+
+void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport) {
+    conf->transport = transport;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode) {
+    conf->anti_replay = mode;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit) {
+    conf->badmac_limit = limit;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
+                                      unsigned allow_packing) {
+    ssl->disable_datagram_packing = !allow_packing;
+}
+
+void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
+                                        uint32_t min, uint32_t max) {
+    conf->hs_timeout_min = min;
+    conf->hs_timeout_max = max;
+}
+#endif
+
+void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode) {
+    conf->authmode   = authmode;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
+                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                             void *p_vrfy) {
+    conf->f_vrfy      = f_vrfy;
+    conf->p_vrfy      = p_vrfy;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng) {
+    conf->f_rng      = f_rng;
+    conf->p_rng      = p_rng;
+}
+
+void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
+                          void (*f_dbg)(void *, int, const char *, int, const char *),
+                          void  *p_dbg) {
+    conf->f_dbg      = f_dbg;
+    conf->p_dbg      = p_dbg;
+}
+
+void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
+                         void *p_bio,
+                         mbedtls_ssl_send_t *f_send,
+                         mbedtls_ssl_recv_t *f_recv,
+                         mbedtls_ssl_recv_timeout_t *f_recv_timeout) {
+    ssl->p_bio          = p_bio;
+    ssl->f_send         = f_send;
+    ssl->f_recv         = f_recv;
+    ssl->f_recv_timeout = f_recv_timeout;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu) {
+    ssl->mtu = mtu;
+}
+#endif
+
+void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout) {
+    conf->read_timeout   = timeout;
+}
+
+void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
+                              void *p_timer,
+                              mbedtls_ssl_set_timer_t *f_set_timer,
+                              mbedtls_ssl_get_timer_t *f_get_timer) {
+    ssl->p_timer        = p_timer;
+    ssl->f_set_timer    = f_set_timer;
+    ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    mbedtls_ssl_set_timer(ssl, 0);
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
+                                    void *p_cache,
+                                    int (*f_get_cache)(void *, mbedtls_ssl_session *),
+                                    int (*f_set_cache)(void *, const mbedtls_ssl_session *)) {
+    conf->p_cache = p_cache;
+    conf->f_get_cache = f_get_cache;
+    conf->f_set_cache = f_set_cache;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (ssl == NULL ||
+            session == NULL ||
+            ssl->session_negotiate == NULL ||
+            ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
+                                        session)) != 0)
+        return (ret);
+
+    ssl->handshake->resume = 1;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
+                                   const int *ciphersuites) {
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
+}
+
+void mbedtls_ssl_conf_ciphersuites_for_version(mbedtls_ssl_config *conf,
+                                               const int *ciphersuites,
+                                               int major, int minor) {
+    if (major != MBEDTLS_SSL_MAJOR_VERSION_3)
+        return;
+
+    if (minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3)
+        return;
+
+    conf->ciphersuite_list[minor] = ciphersuites;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
+                                   const mbedtls_x509_crt_profile *profile) {
+    conf->cert_profile = profile;
+}
+
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
+                               mbedtls_x509_crt *cert,
+                               mbedtls_pk_context *key) {
+    mbedtls_ssl_key_cert *new_cert;
+
+    new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
+    if (new_cert == NULL)
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+    new_cert->cert = cert;
+    new_cert->key  = key;
+    new_cert->next = NULL;
+
+    /* Update head is the list was null, else add to the end */
+    if (*head == NULL) {
+        *head = new_cert;
+    } else {
+        mbedtls_ssl_key_cert *cur = *head;
+        while (cur->next != NULL)
+            cur = cur->next;
+        cur->next = new_cert;
+    }
+
+    return (0);
+}
+
+int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key) {
+    return (ssl_append_key_cert(&conf->key_cert, own_cert, pk_key));
+}
+
+void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl) {
+    conf->ca_chain   = ca_chain;
+    conf->ca_crl     = ca_crl;
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
+     * cannot be used together. */
+    conf->f_ca_cb = NULL;
+    conf->p_ca_cb = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+}
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
+                            mbedtls_x509_crt_ca_cb_t f_ca_cb,
+                            void *p_ca_cb) {
+    conf->f_ca_cb = f_ca_cb;
+    conf->p_ca_cb = p_ca_cb;
+
+    /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
+     * cannot be used together. */
+    conf->ca_chain   = NULL;
+    conf->ca_crl     = NULL;
+}
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
+                                mbedtls_x509_crt *own_cert,
+                                mbedtls_pk_context *pk_key) {
+    return (ssl_append_key_cert(&ssl->handshake->sni_key_cert,
+                                own_cert, pk_key));
+}
+
+void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *ca_chain,
+                                 mbedtls_x509_crl *ca_crl) {
+    ssl->handshake->sni_ca_chain   = ca_chain;
+    ssl->handshake->sni_ca_crl     = ca_crl;
+}
+
+void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
+                                 int authmode) {
+    ssl->handshake->sni_authmode = authmode;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
+                            int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                            void *p_vrfy) {
+    ssl->f_vrfy = f_vrfy;
+    ssl->p_vrfy = p_vrfy;
+}
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/*
+ * Set EC J-PAKE password for current handshake
+ */
+int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
+                                        const unsigned char *pw,
+                                        size_t pw_len) {
+    mbedtls_ecjpake_role role;
+
+    if (ssl->handshake == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
+        role = MBEDTLS_ECJPAKE_SERVER;
+    else
+        role = MBEDTLS_ECJPAKE_CLIENT;
+
+    return (mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
+                                  role,
+                                  MBEDTLS_MD_SHA256,
+                                  MBEDTLS_ECP_DP_SECP256R1,
+                                  pw, pw_len));
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+
+static void ssl_conf_remove_psk(mbedtls_ssl_config *conf) {
+    /* Remove reference to existing PSK, if any. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (! mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
+        /* The maintenance of the PSK key slot is the
+         * user's responsibility. */
+        conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+    }
+    /* This and the following branch should never
+     * be taken simultaenously as we maintain the
+     * invariant that raw and opaque PSKs are never
+     * configured simultaneously. As a safeguard,
+     * though, `else` is omitted here. */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    if (conf->psk != NULL) {
+        mbedtls_platform_zeroize(conf->psk, conf->psk_len);
+
+        mbedtls_free(conf->psk);
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+
+    /* Remove reference to PSK identity, if any. */
+    if (conf->psk_identity != NULL) {
+        mbedtls_free(conf->psk_identity);
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+}
+
+/* This function assumes that PSK identity in the SSL config is unset.
+ * It checks that the provided identity is well-formed and attempts
+ * to make a copy of it in the SSL config.
+ * On failure, the PSK identity in the config remains unset. */
+static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
+                                     unsigned char const *psk_identity,
+                                     size_t psk_identity_len) {
+    /* Identity len will be encoded on two bytes */
+    if (psk_identity               == NULL ||
+            (psk_identity_len >> 16) != 0    ||
+            psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
+    if (conf->psk_identity == NULL)
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+    conf->psk_identity_len = psk_identity_len;
+    memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
+
+    return (0);
+}
+
+int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
+                         const unsigned char *psk, size_t psk_len,
+                         const unsigned char *psk_identity, size_t psk_identity_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    /* Remove opaque/raw PSK + PSK Identity */
+    ssl_conf_remove_psk(conf);
+
+    /* Check and set raw PSK */
+    if (psk == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    if (psk_len == 0)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    if (psk_len > MBEDTLS_PSK_MAX_LEN)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL)
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+    conf->psk_len = psk_len;
+    memcpy(conf->psk, psk, conf->psk_len);
+
+    /* Check and set PSK Identity */
+    ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
+    if (ret != 0)
+        ssl_conf_remove_psk(conf);
+
+    return (ret);
+}
+
+static void ssl_remove_psk(mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (! mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
+        ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+    } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        if (ssl->handshake->psk != NULL) {
+            mbedtls_platform_zeroize(ssl->handshake->psk,
+                                     ssl->handshake->psk_len);
+            mbedtls_free(ssl->handshake->psk);
+            ssl->handshake->psk_len = 0;
+        }
+}
+
+int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
+                           const unsigned char *psk, size_t psk_len) {
+    if (psk == NULL || ssl->handshake == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (psk_len > MBEDTLS_PSK_MAX_LEN)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl_remove_psk(ssl);
+
+    if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL)
+        return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+    ssl->handshake->psk_len = psk_len;
+    memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
+
+    return (0);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
+                                psa_key_id_t psk,
+                                const unsigned char *psk_identity,
+                                size_t psk_identity_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    /* Clear opaque/raw PSK + PSK Identity, if present. */
+    ssl_conf_remove_psk(conf);
+
+    /* Check and set opaque PSK */
+    if (mbedtls_svc_key_id_is_null(psk))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    conf->psk_opaque = psk;
+
+    /* Check and set PSK Identity */
+    ret = ssl_conf_set_psk_identity(conf, psk_identity,
+                                    psk_identity_len);
+    if (ret != 0)
+        ssl_conf_remove_psk(conf);
+
+    return (ret);
+}
+
+int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
+                                  psa_key_id_t psk) {
+    if ((mbedtls_svc_key_id_is_null(psk)) ||
+            (ssl->handshake == NULL))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl_remove_psk(ssl);
+    ssl->handshake->psk_opaque = psk;
+    return (0);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
+                             int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                          size_t),
+                             void *p_psk) {
+    conf->f_psk = f_psk;
+    conf->p_psk = p_psk;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_ssl_conf_dh_param(mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_mpi_read_string(&conf->dhm_P, 16, dhm_P)) != 0 ||
+            (ret = mbedtls_mpi_read_string(&conf->dhm_G, 16, dhm_G)) != 0) {
+        mbedtls_mpi_free(&conf->dhm_P);
+        mbedtls_mpi_free(&conf->dhm_G);
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
+                                  const unsigned char *dhm_P, size_t P_len,
+                                  const unsigned char *dhm_G, size_t G_len) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
+            (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
+        mbedtls_mpi_free(&conf->dhm_P);
+        mbedtls_mpi_free(&conf->dhm_G);
+        return (ret);
+    }
+
+    return (0);
+}
+
+int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_mpi_copy(&conf->dhm_P, &dhm_ctx->P)) != 0 ||
+            (ret = mbedtls_mpi_copy(&conf->dhm_G, &dhm_ctx->G)) != 0) {
+        mbedtls_mpi_free(&conf->dhm_P);
+        mbedtls_mpi_free(&conf->dhm_G);
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
+                                     unsigned int bitlen) {
+    conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
+                                 const int *hashes) {
+    conf->sig_hashes = hashes;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Set the allowed elliptic curves
+ */
+void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
+                             const mbedtls_ecp_group_id *curve_list) {
+    conf->curve_list = curve_list;
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) {
+    /* Initialize to suppress unnecessary compiler warning */
+    size_t hostname_len = 0;
+
+    /* Check if new hostname is valid before
+     * making any change to current one */
+    if (hostname != NULL) {
+        hostname_len = strlen(hostname);
+
+        if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    /* Now it's clear that we will overwrite the old hostname,
+     * so we can free it safely */
+
+    if (ssl->hostname != NULL) {
+        mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
+        mbedtls_free(ssl->hostname);
+    }
+
+    /* Passing NULL as hostname shall clear the old one */
+
+    if (hostname == NULL) {
+        ssl->hostname = NULL;
+    } else {
+        ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
+        if (ssl->hostname == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        memcpy(ssl->hostname, hostname, hostname_len);
+
+        ssl->hostname[hostname_len] = '\0';
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
+                          int (*f_sni)(void *, mbedtls_ssl_context *,
+                                       const unsigned char *, size_t),
+                          void *p_sni) {
+    conf->f_sni = f_sni;
+    conf->p_sni = p_sni;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos) {
+    size_t cur_len, tot_len;
+    const char **p;
+
+    /*
+     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+     * MUST NOT be truncated."
+     * We check lengths now rather than later.
+     */
+    tot_len = 0;
+    for (p = protos; *p != NULL; p++) {
+        cur_len = strlen(*p);
+        tot_len += cur_len;
+
+        if ((cur_len == 0) ||
+                (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
+                (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    conf->alpn_list = protos;
+
+    return (0);
+}
+
+const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl) {
+    return (ssl->alpn_chosen);
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
+                                               int support_mki_value) {
+    conf->dtls_srtp_mki_support = support_mki_value;
+}
+
+int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
+                                        unsigned char *mki_value,
+                                        uint16_t mki_len) {
+    if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
+        return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+    }
+
+    memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
+    ssl->dtls_srtp_info.mki_len = mki_len;
+    return (0);
+}
+
+int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
+                                                   const mbedtls_ssl_srtp_profile *profiles) {
+    const mbedtls_ssl_srtp_profile *p;
+    size_t list_size = 0;
+
+    /* check the profiles list: all entry must be valid,
+     * its size cannot be more than the total number of supported profiles, currently 4 */
+    for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
+            list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
+            p++) {
+        if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
+            list_size++;
+        } else {
+            /* unsupported value, stop parsing and set the size to an error value */
+            list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
+        }
+    }
+
+    if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
+        conf->dtls_srtp_profile_list = NULL;
+        conf->dtls_srtp_profile_list_len = 0;
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    conf->dtls_srtp_profile_list = profiles;
+    conf->dtls_srtp_profile_list_len = list_size;
+
+    return (0);
+}
+
+void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
+                                                  mbedtls_dtls_srtp_info *dtls_srtp_info) {
+    dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
+    /* do not copy the mki value if there is no chosen profile */
+    if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
+        dtls_srtp_info->mki_len = 0;
+    } else {
+        dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
+        memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
+               ssl->dtls_srtp_info.mki_len);
+    }
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) {
+    conf->max_major_ver = major;
+    conf->max_minor_ver = minor;
+}
+
+void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) {
+    conf->min_major_ver = major;
+    conf->min_minor_ver = minor;
+}
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_fallback(mbedtls_ssl_config *conf, char fallback) {
+    conf->fallback = fallback;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
+                                       char cert_req_ca_list) {
+    conf->cert_req_ca_list = cert_req_ca_list;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm) {
+    conf->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems) {
+    conf->extended_ms = ems;
+}
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+void mbedtls_ssl_conf_arc4_support(mbedtls_ssl_config *conf, char arc4) {
+    conf->arc4_disabled = arc4;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code) {
+    if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
+            ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    conf->mfl_code = mfl_code;
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+void mbedtls_ssl_conf_truncated_hmac(mbedtls_ssl_config *conf, int truncate) {
+    conf->trunc_hmac = truncate;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+void mbedtls_ssl_conf_cbc_record_splitting(mbedtls_ssl_config *conf, char split) {
+    conf->cbc_record_splitting = split;
+}
+#endif
+
+void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy) {
+    conf->allow_legacy_renegotiation = allow_legacy;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation) {
+    conf->disable_renegotiation = renegotiation;
+}
+
+void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records) {
+    conf->renego_max_records = max_records;
+}
+
+void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
+                                           const unsigned char period[8]) {
+    memcpy(conf->renego_period, period, 8);
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) {
+    conf->session_tickets = use_tickets;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
+                                         mbedtls_ssl_ticket_write_t *f_ticket_write,
+                                         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+                                         void *p_ticket) {
+    conf->f_ticket_write = f_ticket_write;
+    conf->f_ticket_parse = f_ticket_parse;
+    conf->p_ticket       = p_ticket;
+}
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+void mbedtls_ssl_conf_export_keys_cb(mbedtls_ssl_config *conf,
+                                     mbedtls_ssl_export_keys_t *f_export_keys,
+                                     void *p_export_keys) {
+    conf->f_export_keys = f_export_keys;
+    conf->p_export_keys = p_export_keys;
+}
+
+void mbedtls_ssl_conf_export_keys_ext_cb(mbedtls_ssl_config *conf,
+                                         mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
+                                         void *p_export_keys) {
+    conf->f_export_keys_ext = f_export_keys_ext;
+    conf->p_export_keys = p_export_keys;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+    mbedtls_ssl_config *conf,
+    mbedtls_ssl_async_sign_t *f_async_sign,
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+    mbedtls_ssl_async_resume_t *f_async_resume,
+    mbedtls_ssl_async_cancel_t *f_async_cancel,
+    void *async_config_data) {
+    conf->f_async_sign_start = f_async_sign;
+    conf->f_async_decrypt_start = f_async_decrypt;
+    conf->f_async_resume = f_async_resume;
+    conf->f_async_cancel = f_async_cancel;
+    conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf) {
+    return (conf->p_async_config_data);
+}
+
+void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl) {
+    if (ssl->handshake == NULL)
+        return (NULL);
+    else
+        return (ssl->handshake->user_async_ctx);
+}
+
+void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
+                                          void *ctx) {
+    if (ssl->handshake != NULL)
+        ssl->handshake->user_async_ctx = ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * SSL get accessors
+ */
+uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl) {
+    if (ssl->session != NULL)
+        return (ssl->session->verify_result);
+
+    if (ssl->session_negotiate != NULL)
+        return (ssl->session_negotiate->verify_result);
+
+    return (0xFFFFFFFF);
+}
+
+const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl) {
+    if (ssl == NULL || ssl->session == NULL)
+        return (NULL);
+
+    return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
+}
+
+const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        switch (ssl->minor_ver) {
+            case MBEDTLS_SSL_MINOR_VERSION_2:
+                return ("DTLSv1.0");
+
+            case MBEDTLS_SSL_MINOR_VERSION_3:
+                return ("DTLSv1.2");
+
+            default:
+                return ("unknown (DTLS)");
+        }
+    }
+#endif
+
+    switch (ssl->minor_ver) {
+        case MBEDTLS_SSL_MINOR_VERSION_0:
+            return ("SSLv3.0");
+
+        case MBEDTLS_SSL_MINOR_VERSION_1:
+            return ("TLSv1.0");
+
+        case MBEDTLS_SSL_MINOR_VERSION_2:
+            return ("TLSv1.1");
+
+        case MBEDTLS_SSL_MINOR_VERSION_3:
+            return ("TLSv1.2");
+
+        default:
+            return ("unknown");
+    }
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl) {
+    size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
+    size_t read_mfl;
+
+    /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+            ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
+        return ssl_mfl_code_to_length(ssl->conf->mfl_code);
+    }
+
+    /* Check if a smaller max length was negotiated */
+    if (ssl->session_out != NULL) {
+        read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
+        if (read_mfl < max_len) {
+            max_len = read_mfl;
+        }
+    }
+
+    // During a handshake, use the value being negotiated
+    if (ssl->session_negotiate != NULL) {
+        read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
+        if (read_mfl < max_len) {
+            max_len = read_mfl;
+        }
+    }
+
+    return (max_len);
+}
+
+size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl) {
+    size_t max_len;
+
+    /*
+     * Assume mfl_code is correct since it was checked when set
+     */
+    max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
+
+    /* Check if a smaller max length was negotiated */
+    if (ssl->session_out != NULL &&
+            ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
+        max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
+    }
+
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+            ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
+        max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
+    }
+
+    return (max_len);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+size_t mbedtls_ssl_get_max_frag_len(const mbedtls_ssl_context *ssl) {
+    return mbedtls_ssl_get_output_max_frag_len(ssl);
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl) {
+    /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+            (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+             ssl->state == MBEDTLS_SSL_SERVER_HELLO))
+        return (0);
+
+    if (ssl->handshake == NULL || ssl->handshake->mtu == 0)
+        return (ssl->mtu);
+
+    if (ssl->mtu == 0)
+        return (ssl->handshake->mtu);
+
+    return (ssl->mtu < ssl->handshake->mtu ?
+            ssl->mtu : ssl->handshake->mtu);
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl) {
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+
+    if (max_len > mfl)
+        max_len = mfl;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
+        const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
+        const int ret = mbedtls_ssl_get_record_expansion(ssl);
+        const size_t overhead = (size_t) ret;
+
+        if (ret < 0)
+            return (ret);
+
+        if (mtu <= overhead) {
+            MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
+            return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
+        }
+
+        if (max_len > mtu - overhead)
+            max_len = mtu - overhead;
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) &&        \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    ((void) ssl);
+#endif
+
+    return ((int) max_len);
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl) {
+    if (ssl == NULL || ssl->session == NULL)
+        return (NULL);
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    return (ssl->session->peer_cert);
+#else
+    return (NULL);
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
+                            mbedtls_ssl_session *dst) {
+    if (ssl == NULL ||
+            dst == NULL ||
+            ssl->session == NULL ||
+            ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    return (mbedtls_ssl_session_copy(dst, ssl->session));
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer(const mbedtls_ssl_context *ssl) {
+    if (ssl == NULL)
+        return (NULL);
+
+    return (ssl->session);
+}
+
+/*
+ * Define ticket header determining Mbed TLS version
+ * and structure of the ticket.
+ */
+
+/*
+ * Define bitflag determining compile-time settings influencing
+ * structure of serialized SSL sessions.
+ */
+
+#if defined(MBEDTLS_HAVE_TIME)
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
+#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT          0
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT           1
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT           3
+#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT    4
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT           5
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT        6
+
+#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG                           \
+    ( (uint16_t) (                                                      \
+        ( SSL_SERIALIZED_SESSION_CONFIG_TIME          << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT          ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_CRT           << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT           ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_MFL           << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT           ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC    << SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT    ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_ETM           << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT           ) | \
+        ( SSL_SERIALIZED_SESSION_CONFIG_TICKET        << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT        ) ) )
+
+static unsigned char ssl_serialized_session_header[] = {
+    MBEDTLS_VERSION_MAJOR,
+    MBEDTLS_VERSION_MINOR,
+    MBEDTLS_VERSION_PATCH,
+    (SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8) & 0xFF,
+    (SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0) & 0xFF,
+};
+
+/*
+ * Serialize a session in the following format:
+ * (in the presentation language of TLS, RFC 8446 section 3)
+ *
+ *  opaque mbedtls_version[3];   // major, minor, patch
+ *  opaque session_format[2];    // version-specific 16-bit field determining
+ *                               // the format of the remaining
+ *                               // serialized data.
+ *
+ *  Note: When updating the format, remember to keep
+ *        these version+format bytes.
+ *
+ *                               // In this version, `session_format` determines
+ *                               // the setting of those compile-time
+ *                               // configuration options which influence
+ *                               // the structure of mbedtls_ssl_session.
+ *  uint64 start_time;
+ *  uint8 ciphersuite[2];        // defined by the standard
+ *  uint8 compression;           // 0 or 1
+ *  uint8 session_id_len;        // at most 32
+ *  opaque session_id[32];
+ *  opaque master[48];           // fixed length in the standard
+ *  uint32 verify_result;
+ *  opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
+ *  opaque ticket<0..2^24-1>;    // length 0 means no ticket
+ *  uint32 ticket_lifetime;
+ *  uint8 mfl_code;              // up to 255 according to standard
+ *  uint8 trunc_hmac;            // 0 or 1
+ *  uint8 encrypt_then_mac;      // 0 or 1
+ *
+ * The order is the same as in the definition of the structure, except
+ * verify_result is put before peer_cert so that all mandatory fields come
+ * together in one block.
+ */
+static int ssl_session_save(const mbedtls_ssl_session *session,
+                            unsigned char omit_header,
+                            unsigned char *buf,
+                            size_t buf_len,
+                            size_t *olen) {
+    unsigned char *p = buf;
+    size_t used = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+    uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+
+    if (!omit_header) {
+        /*
+         * Add version identifier
+         */
+
+        used += sizeof(ssl_serialized_session_header);
+
+        if (used <= buf_len) {
+            memcpy(p, ssl_serialized_session_header,
+                   sizeof(ssl_serialized_session_header));
+            p += sizeof(ssl_serialized_session_header);
+        }
+    }
+
+    /*
+     * Time
+     */
+#if defined(MBEDTLS_HAVE_TIME)
+    used += 8;
+
+    if (used <= buf_len) {
+        start = (uint64_t) session->start;
+
+        *p++ = (unsigned char)((start >> 56) & 0xFF);
+        *p++ = (unsigned char)((start >> 48) & 0xFF);
+        *p++ = (unsigned char)((start >> 40) & 0xFF);
+        *p++ = (unsigned char)((start >> 32) & 0xFF);
+        *p++ = (unsigned char)((start >> 24) & 0xFF);
+        *p++ = (unsigned char)((start >> 16) & 0xFF);
+        *p++ = (unsigned char)((start >>  8) & 0xFF);
+        *p++ = (unsigned char)((start) & 0xFF);
+    }
+#endif /* MBEDTLS_HAVE_TIME */
+
+    /*
+     * Basic mandatory fields
+     */
+    used += 2   /* ciphersuite */
+            + 1   /* compression */
+            + 1   /* id_len */
+            + sizeof(session->id)
+            + sizeof(session->master)
+            + 4;  /* verify_result */
+
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((session->ciphersuite >> 8) & 0xFF);
+        *p++ = (unsigned char)((session->ciphersuite) & 0xFF);
+
+        *p++ = (unsigned char)(session->compression & 0xFF);
+
+        *p++ = (unsigned char)(session->id_len & 0xFF);
+        memcpy(p, session->id, 32);
+        p += 32;
+
+        memcpy(p, session->master, 48);
+        p += 48;
+
+        *p++ = (unsigned char)((session->verify_result >> 24) & 0xFF);
+        *p++ = (unsigned char)((session->verify_result >> 16) & 0xFF);
+        *p++ = (unsigned char)((session->verify_result >>  8) & 0xFF);
+        *p++ = (unsigned char)((session->verify_result) & 0xFF);
+    }
+
+    /*
+     * Peer's end-entity certificate
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if (session->peer_cert == NULL)
+        cert_len = 0;
+    else
+        cert_len = session->peer_cert->raw.len;
+
+    used += 3 + cert_len;
+
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((cert_len >> 16) & 0xFF);
+        *p++ = (unsigned char)((cert_len >>  8) & 0xFF);
+        *p++ = (unsigned char)((cert_len) & 0xFF);
+
+        if (session->peer_cert != NULL) {
+            memcpy(p, session->peer_cert->raw.p, cert_len);
+            p += cert_len;
+        }
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if (session->peer_cert_digest != NULL) {
+        used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
+        if (used <= buf_len) {
+            *p++ = (unsigned char) session->peer_cert_digest_type;
+            *p++ = (unsigned char) session->peer_cert_digest_len;
+            memcpy(p, session->peer_cert_digest,
+                   session->peer_cert_digest_len);
+            p += session->peer_cert_digest_len;
+        }
+    } else {
+        used += 2;
+        if (used <= buf_len) {
+            *p++ = (unsigned char) MBEDTLS_MD_NONE;
+            *p++ = 0;
+        }
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    /*
+     * Session ticket if any, plus associated data
+     */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
+
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((session->ticket_len >> 16) & 0xFF);
+        *p++ = (unsigned char)((session->ticket_len >>  8) & 0xFF);
+        *p++ = (unsigned char)((session->ticket_len) & 0xFF);
+
+        if (session->ticket != NULL) {
+            memcpy(p, session->ticket, session->ticket_len);
+            p += session->ticket_len;
+        }
+
+        *p++ = (unsigned char)((session->ticket_lifetime >> 24) & 0xFF);
+        *p++ = (unsigned char)((session->ticket_lifetime >> 16) & 0xFF);
+        *p++ = (unsigned char)((session->ticket_lifetime >>  8) & 0xFF);
+        *p++ = (unsigned char)((session->ticket_lifetime) & 0xFF);
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    /*
+     * Misc extension-related info
+     */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    used += 1;
+
+    if (used <= buf_len)
+        *p++ = session->mfl_code;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    used += 1;
+
+    if (used <= buf_len)
+        *p++ = (unsigned char)((session->trunc_hmac) & 0xFF);
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    used += 1;
+
+    if (used <= buf_len)
+        *p++ = (unsigned char)((session->encrypt_then_mac) & 0xFF);
+#endif
+
+    /* Done */
+    *olen = used;
+
+    if (used > buf_len)
+        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+
+    return (0);
+}
+
+/*
+ * Public wrapper for ssl_session_save()
+ */
+int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
+                             unsigned char *buf,
+                             size_t buf_len,
+                             size_t *olen) {
+    return (ssl_session_save(session, 0, buf, buf_len, olen));
+}
+
+/*
+ * Deserialize session, see mbedtls_ssl_session_save() for format.
+ *
+ * This internal version is wrapped by a public function that cleans up in
+ * case of error, and has an extra option omit_header.
+ */
+static int ssl_session_load(mbedtls_ssl_session *session,
+                            unsigned char omit_header,
+                            const unsigned char *buf,
+                            size_t len) {
+    const unsigned char *p = buf;
+    const unsigned char *const end = buf + len;
+#if defined(MBEDTLS_HAVE_TIME)
+    uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if (!omit_header) {
+        /*
+         * Check version identifier
+         */
+
+        if ((size_t)(end - p) < sizeof(ssl_serialized_session_header))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        if (memcmp(p, ssl_serialized_session_header,
+                   sizeof(ssl_serialized_session_header)) != 0) {
+            return (MBEDTLS_ERR_SSL_VERSION_MISMATCH);
+        }
+        p += sizeof(ssl_serialized_session_header);
+    }
+
+    /*
+     * Time
+     */
+#if defined(MBEDTLS_HAVE_TIME)
+    if (8 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    start = ((uint64_t) p[0] << 56) |
+            ((uint64_t) p[1] << 48) |
+            ((uint64_t) p[2] << 40) |
+            ((uint64_t) p[3] << 32) |
+            ((uint64_t) p[4] << 24) |
+            ((uint64_t) p[5] << 16) |
+            ((uint64_t) p[6] <<  8) |
+            ((uint64_t) p[7]);
+    p += 8;
+
+    session->start = (time_t) start;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    /*
+     * Basic mandatory fields
+     */
+    if (2 + 1 + 1 + 32 + 48 + 4 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->ciphersuite = (p[0] << 8) | p[1];
+    p += 2;
+
+    session->compression = *p++;
+
+    session->id_len = *p++;
+    memcpy(session->id, p, 32);
+    p += 32;
+
+    memcpy(session->master, p, 48);
+    p += 48;
+
+    session->verify_result = ((uint32_t) p[0] << 24) |
+                             ((uint32_t) p[1] << 16) |
+                             ((uint32_t) p[2] <<  8) |
+                             ((uint32_t) p[3]);
+    p += 4;
+
+    /* Immediately clear invalid pointer values that have been read, in case
+     * we exit early before we replaced them with valid ones. */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    session->peer_cert = NULL;
+#else
+    session->peer_cert_digest = NULL;
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    session->ticket = NULL;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    /*
+     * Peer certificate
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* Deserialize CRT from the end of the ticket. */
+    if (3 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    cert_len = (p[0] << 16) | (p[1] << 8) | p[2];
+    p += 3;
+
+    if (cert_len != 0) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+        if (cert_len > (size_t)(end - p))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+
+        if (session->peer_cert == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        mbedtls_x509_crt_init(session->peer_cert);
+
+        if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
+                                              p, cert_len)) != 0) {
+            mbedtls_x509_crt_free(session->peer_cert);
+            mbedtls_free(session->peer_cert);
+            session->peer_cert = NULL;
+            return (ret);
+        }
+
+        p += cert_len;
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    /* Deserialize CRT digest from the end of the ticket. */
+    if (2 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->peer_cert_digest_type = (mbedtls_md_type_t) * p++;
+    session->peer_cert_digest_len  = (size_t) * p++;
+
+    if (session->peer_cert_digest_len != 0) {
+        const mbedtls_md_info_t *md_info =
+            mbedtls_md_info_from_type(session->peer_cert_digest_type);
+        if (md_info == NULL)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+        if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        if (session->peer_cert_digest_len > (size_t)(end - p))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        session->peer_cert_digest =
+            mbedtls_calloc(1, session->peer_cert_digest_len);
+        if (session->peer_cert_digest == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        memcpy(session->peer_cert_digest, p,
+               session->peer_cert_digest_len);
+        p += session->peer_cert_digest_len;
+    }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    /*
+     * Session ticket and associated data
+     */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    if (3 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->ticket_len = (p[0] << 16) | (p[1] << 8) | p[2];
+    p += 3;
+
+    if (session->ticket_len != 0) {
+        if (session->ticket_len > (size_t)(end - p))
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        session->ticket = mbedtls_calloc(1, session->ticket_len);
+        if (session->ticket == NULL)
+            return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
+
+        memcpy(session->ticket, p, session->ticket_len);
+        p += session->ticket_len;
+    }
+
+    if (4 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->ticket_lifetime = ((uint32_t) p[0] << 24) |
+                               ((uint32_t) p[1] << 16) |
+                               ((uint32_t) p[2] <<  8) |
+                               ((uint32_t) p[3]);
+    p += 4;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    /*
+     * Misc extension-related info
+     */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    if (1 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->mfl_code = *p++;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    if (1 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->trunc_hmac = *p++;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    if (1 > (size_t)(end - p))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session->encrypt_then_mac = *p++;
+#endif
+
+    /* Done, should have consumed entire buffer */
+    if (p != end)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    return (0);
+}
+
+/*
+ * Deserialize session: public wrapper for error cleaning
+ */
+int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
+                             const unsigned char *buf,
+                             size_t len) {
+    int ret = ssl_session_load(session, 0, buf, len);
+
+    if (ret != 0)
+        mbedtls_ssl_session_free(session);
+
+    return (ret);
+}
+
+/*
+ * Perform a single step of the SSL handshake
+ */
+int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
+        ret = mbedtls_ssl_handshake_client_step(ssl);
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
+        ret = mbedtls_ssl_handshake_server_step(ssl);
+#endif
+
+    return (ret);
+}
+
+/*
+ * Perform the SSL handshake
+ */
+int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) {
+    int ret = 0;
+
+    /* Sanity checks */
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
+                                  "mbedtls_ssl_set_timer_cb() for DTLS"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
+
+    /* Main handshake loop */
+    while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        ret = mbedtls_ssl_handshake_step(ssl);
+
+        if (ret != 0)
+            break;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
+
+    return (ret);
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+#if defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Write HelloRequest to request renegotiation on server
+ */
+static int ssl_write_hello_request(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
+
+    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
+
+    return (0);
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/*
+ * Actually renegotiate current connection, triggered by either:
+ * - any side: calling mbedtls_ssl_renegotiate(),
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after
+ *   the initial handshake is completed.
+ * If the handshake doesn't complete due to waiting for I/O, it will continue
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
+ */
+int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
+
+    if ((ret = ssl_handshake_init(ssl)) != 0)
+        return (ret);
+
+    /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
+     * the ServerHello will have message_seq = 1" */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
+            ssl->handshake->out_msg_seq = 1;
+        else
+            ssl->handshake->in_msg_seq = 1;
+    }
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
+
+    if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+        return (ret);
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
+
+    return (0);
+}
+
+/*
+ * Renegotiate current connection on client,
+ * or request renegotiation on server
+ */
+int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) {
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if (ssl == NULL || ssl->conf == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    /* On server, just send the request */
+    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+        if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+
+        /* Did we already try/start sending HelloRequest? */
+        if (ssl->out_left != 0)
+            return (mbedtls_ssl_flush_output(ssl));
+
+        return (ssl_write_hello_request(ssl));
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    /*
+     * On client, either start the renegotiation process or,
+     * if already in progress, continue the handshake
+     */
+    if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+        if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
+            return (ret);
+        }
+    } else {
+        if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+            return (ret);
+        }
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert) {
+    mbedtls_ssl_key_cert *cur = key_cert, *next;
+
+    while (cur != NULL) {
+        next = cur->next;
+        mbedtls_free(cur);
+        cur = next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) {
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    if (handshake == NULL)
+        return;
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
+        ssl->conf->f_async_cancel(ssl);
+        handshake->async_in_progress = 0;
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_free(&handshake->fin_md5);
+    mbedtls_sha1_free(&handshake->fin_sha1);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_abort(&handshake->fin_sha256_psa);
+#else
+    mbedtls_sha256_free(&handshake->fin_sha256);
+#endif
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_abort(&handshake->fin_sha384_psa);
+#else
+    mbedtls_sha512_free(&handshake->fin_sha512);
+#endif
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_free(&handshake->dhm_ctx);
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_free(&handshake->ecdh_ctx);
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
+#if defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free(handshake->ecjpake_cache);
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    /* explicit void pointer cast for buggy MS compiler */
+    mbedtls_free((void *) handshake->curves);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    if (handshake->psk != NULL) {
+        mbedtls_platform_zeroize(handshake->psk, handshake->psk_len);
+        mbedtls_free(handshake->psk);
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /*
+     * Free only the linked list wrapper, not the keys themselves
+     * since the belong to the SNI callback
+     */
+    if (handshake->sni_key_cert != NULL) {
+        mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
+
+        while (cur != NULL) {
+            next = cur->next;
+            mbedtls_free(cur);
+            cur = next;
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+    mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
+    if (handshake->ecrs_peer_cert != NULL) {
+        mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
+        mbedtls_free(handshake->ecrs_peer_cert);
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    mbedtls_pk_free(&handshake->peer_pubkey);
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    mbedtls_free(handshake->verify_cookie);
+    mbedtls_ssl_flight_free(handshake->flight);
+    mbedtls_ssl_buffering_free(ssl);
+#endif
+
+#if defined(MBEDTLS_ECDH_C) &&                  \
+    defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_destroy_key(handshake->ecdh_psa_privkey);
+#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
+
+    mbedtls_platform_zeroize(handshake,
+                             sizeof(mbedtls_ssl_handshake_params));
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    /* If the buffers are too big - reallocate. Because of the way Mbed TLS
+     * processes datagrams and the fact that a datagram is allowed to have
+     * several records in it, it is possible that the I/O buffers are not
+     * empty at this stage */
+    handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
+                           mbedtls_ssl_get_output_buflen(ssl));
+#endif
+}
+
+void mbedtls_ssl_session_free(mbedtls_ssl_session *session) {
+    if (session == NULL)
+        return;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    ssl_clear_peer_cert(session);
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free(session->ticket);
+#endif
+
+    mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
+}
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_ALPN)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
+#endif /* MBEDTLS_SSL_ALPN */
+
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT    0
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT     1
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT      2
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT                  3
+
+#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG   \
+    ( (uint32_t) (                              \
+        ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID     << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT     ) | \
+        ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT      << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT      ) | \
+        ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY       << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT       ) | \
+        ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN                   << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT                   ) | \
+        0u ) )
+
+static unsigned char ssl_serialized_context_header[] = {
+    MBEDTLS_VERSION_MAJOR,
+    MBEDTLS_VERSION_MINOR,
+    MBEDTLS_VERSION_PATCH,
+    (SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8) & 0xFF,
+    (SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0) & 0xFF,
+    (SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 16) & 0xFF,
+    (SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >>  8) & 0xFF,
+    (SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >>  0) & 0xFF,
+};
+
+/*
+ * Serialize a full SSL context
+ *
+ * The format of the serialized data is:
+ * (in the presentation language of TLS, RFC 8446 section 3)
+ *
+ *  // header
+ *  opaque mbedtls_version[3];   // major, minor, patch
+ *  opaque context_format[5];    // version-specific field determining
+ *                               // the format of the remaining
+ *                               // serialized data.
+ *  Note: When updating the format, remember to keep these
+ *        version+format bytes. (We may make their size part of the API.)
+ *
+ *  // session sub-structure
+ *  opaque session<1..2^32-1>;  // see mbedtls_ssl_session_save()
+ *  // transform sub-structure
+ *  uint8 random[64];           // ServerHello.random+ClientHello.random
+ *  uint8 in_cid<0..2^8-1>      // Connection ID: expected incoming value
+ *  uint8 out_cid<0..2^8-1>     // Connection ID: outgoing value to use
+ *  // fields from ssl_context
+ *  uint32 badmac_seen;         // DTLS: number of records with failing MAC
+ *  uint64 in_window_top;       // DTLS: last validated record seq_num
+ *  uint64 in_window;           // DTLS: bitmask for replay protection
+ *  uint8 disable_datagram_packing; // DTLS: only one record per datagram
+ *  uint64 cur_out_ctr;         // Record layer: outgoing sequence number
+ *  uint16 mtu;                 // DTLS: path mtu (max outgoing fragment size)
+ *  uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
+ *
+ * Note that many fields of the ssl_context or sub-structures are not
+ * serialized, as they fall in one of the following categories:
+ *
+ *  1. forced value (eg in_left must be 0)
+ *  2. pointer to dynamically-allocated memory (eg session, transform)
+ *  3. value can be re-derived from other data (eg session keys from MS)
+ *  4. value was temporary (eg content of input buffer)
+ *  5. value will be provided by the user again (eg I/O callbacks and context)
+ */
+int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
+                             unsigned char *buf,
+                             size_t buf_len,
+                             size_t *olen) {
+    unsigned char *p = buf;
+    size_t used = 0;
+    size_t session_len;
+    int ret = 0;
+
+    /*
+     * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
+     * this function's documentation.
+     *
+     * These are due to assumptions/limitations in the implementation. Some of
+     * them are likely to stay (no handshake in progress) some might go away
+     * (only DTLS) but are currently used to simplify the implementation.
+     */
+    /* The initial handshake must be over */
+    if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    if (ssl->handshake != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* Double-check that sub-structures are indeed ready */
+    if (ssl->transform == NULL || ssl->session == NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* There must be no pending incoming or outgoing data */
+    if (mbedtls_ssl_check_pending(ssl) != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    if (ssl->out_left != 0) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* Protocol must be DLTS, not TLS */
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* Version must be 1.2 */
+    if (ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* We must be using an AEAD ciphersuite */
+    if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+    /* Renegotiation must not be enabled */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+#endif
+
+    /*
+     * Version and format identifier
+     */
+    used += sizeof(ssl_serialized_context_header);
+
+    if (used <= buf_len) {
+        memcpy(p, ssl_serialized_context_header,
+               sizeof(ssl_serialized_context_header));
+        p += sizeof(ssl_serialized_context_header);
+    }
+
+    /*
+     * Session (length + data)
+     */
+    ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
+    if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL)
+        return (ret);
+
+    used += 4 + session_len;
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((session_len >> 24) & 0xFF);
+        *p++ = (unsigned char)((session_len >> 16) & 0xFF);
+        *p++ = (unsigned char)((session_len >>  8) & 0xFF);
+        *p++ = (unsigned char)((session_len) & 0xFF);
+
+        ret = ssl_session_save(ssl->session, 1,
+                               p, session_len, &session_len);
+        if (ret != 0)
+            return (ret);
+
+        p += session_len;
+    }
+
+    /*
+     * Transform
+     */
+    used += sizeof(ssl->transform->randbytes);
+    if (used <= buf_len) {
+        memcpy(p, ssl->transform->randbytes,
+               sizeof(ssl->transform->randbytes));
+        p += sizeof(ssl->transform->randbytes);
+    }
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
+    if (used <= buf_len) {
+        *p++ = ssl->transform->in_cid_len;
+        memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
+        p += ssl->transform->in_cid_len;
+
+        *p++ = ssl->transform->out_cid_len;
+        memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
+        p += ssl->transform->out_cid_len;
+    }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    /*
+     * Saved fields from top-level ssl_context structure
+     */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    used += 4;
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((ssl->badmac_seen >> 24) & 0xFF);
+        *p++ = (unsigned char)((ssl->badmac_seen >> 16) & 0xFF);
+        *p++ = (unsigned char)((ssl->badmac_seen >>  8) & 0xFF);
+        *p++ = (unsigned char)((ssl->badmac_seen) & 0xFF);
+    }
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    used += 16;
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((ssl->in_window_top >> 56) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >> 48) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >> 40) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >> 32) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >> 24) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >> 16) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top >>  8) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window_top) & 0xFF);
+
+        *p++ = (unsigned char)((ssl->in_window >> 56) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >> 48) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >> 40) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >> 32) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >> 24) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >> 16) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window >>  8) & 0xFF);
+        *p++ = (unsigned char)((ssl->in_window) & 0xFF);
+    }
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    used += 1;
+    if (used <= buf_len) {
+        *p++ = ssl->disable_datagram_packing;
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    used += 8;
+    if (used <= buf_len) {
+        memcpy(p, ssl->cur_out_ctr, 8);
+        p += 8;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    used += 2;
+    if (used <= buf_len) {
+        *p++ = (unsigned char)((ssl->mtu >>  8) & 0xFF);
+        *p++ = (unsigned char)((ssl->mtu) & 0xFF);
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    {
+        const uint8_t alpn_len = ssl->alpn_chosen
+                                 ? (uint8_t) strlen(ssl->alpn_chosen)
+                                 : 0;
+
+        used += 1 + alpn_len;
+        if (used <= buf_len) {
+            *p++ = alpn_len;
+
+            if (ssl->alpn_chosen != NULL) {
+                memcpy(p, ssl->alpn_chosen, alpn_len);
+                p += alpn_len;
+            }
+        }
+    }
+#endif /* MBEDTLS_SSL_ALPN */
+
+    /*
+     * Done
+     */
+    *olen = used;
+
+    if (used > buf_len)
+        return (MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
+
+    return (mbedtls_ssl_session_reset_int(ssl, 0));
+}
+
+/*
+ * Helper to get TLS 1.2 PRF from ciphersuite
+ * (Duplicates bits of logic from ssl_set_handshake_prfs().)
+ */
+typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
+                          const char *label,
+                          const unsigned char *random, size_t rlen,
+                          unsigned char *dstbuf, size_t dlen);
+static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) {
+#if defined(MBEDTLS_SHA512_C)
+    const mbedtls_ssl_ciphersuite_t *const ciphersuite_info =
+        mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+
+    if (ciphersuite_info->mac == MBEDTLS_MD_SHA384)
+        return (tls_prf_sha384);
+#else
+    (void) ciphersuite_id;
+#endif
+    return (tls_prf_sha256);
+}
+
+/*
+ * Deserialize context, see mbedtls_ssl_context_save() for format.
+ *
+ * This internal version is wrapped by a public function that cleans up in
+ * case of error.
+ */
+static int ssl_context_load(mbedtls_ssl_context *ssl,
+                            const unsigned char *buf,
+                            size_t len) {
+    const unsigned char *p = buf;
+    const unsigned char *const end = buf + len;
+    size_t session_len;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    /*
+     * The context should have been freshly setup or reset.
+     * Give the user an error in case of obvious misuse.
+     * (Checking session is useful because it won't be NULL if we're
+     * renegotiating, or if the user mistakenly loaded a session first.)
+     */
+    if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
+            ssl->session != NULL) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    /*
+     * We can't check that the config matches the initial one, but we can at
+     * least check it matches the requirements for serializing.
+     */
+    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+            ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
+            ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
+            ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
+            ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+#endif
+            0) {
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
+
+    /*
+     * Check version identifier
+     */
+    if ((size_t)(end - p) < sizeof(ssl_serialized_context_header))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (memcmp(p, ssl_serialized_context_header,
+               sizeof(ssl_serialized_context_header)) != 0) {
+        return (MBEDTLS_ERR_SSL_VERSION_MISMATCH);
+    }
+    p += sizeof(ssl_serialized_context_header);
+
+    /*
+     * Session
+     */
+    if ((size_t)(end - p) < 4)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    session_len = ((size_t) p[0] << 24) |
+                  ((size_t) p[1] << 16) |
+                  ((size_t) p[2] <<  8) |
+                  ((size_t) p[3]);
+    p += 4;
+
+    /* This has been allocated by ssl_handshake_init(), called by
+     * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
+    ssl->session = ssl->session_negotiate;
+    ssl->session_in = ssl->session;
+    ssl->session_out = ssl->session;
+    ssl->session_negotiate = NULL;
+
+    if ((size_t)(end - p) < session_len)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ret = ssl_session_load(ssl->session, 1, p, session_len);
+    if (ret != 0) {
+        mbedtls_ssl_session_free(ssl->session);
+        return (ret);
+    }
+
+    p += session_len;
+
+    /*
+     * Transform
+     */
+
+    /* This has been allocated by ssl_handshake_init(), called by
+     * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
+    ssl->transform = ssl->transform_negotiate;
+    ssl->transform_in = ssl->transform;
+    ssl->transform_out = ssl->transform;
+    ssl->transform_negotiate = NULL;
+
+    /* Read random bytes and populate structure */
+    if ((size_t)(end - p) < sizeof(ssl->transform->randbytes))
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ret = ssl_populate_transform(ssl->transform,
+                                 ssl->session->ciphersuite,
+                                 ssl->session->master,
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+                                 ssl->session->encrypt_then_mac,
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+                                 ssl->session->trunc_hmac,
+#endif
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+                                 ssl->session->compression,
+#endif
+                                 ssl_tls12prf_from_cs(ssl->session->ciphersuite),
+                                 p, /* currently pointing to randbytes */
+                                 MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
+                                 ssl->conf->endpoint,
+                                 ssl);
+    if (ret != 0)
+        return (ret);
+
+    p += sizeof(ssl->transform->randbytes);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    /* Read connection IDs and store them */
+    if ((size_t)(end - p) < 1)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->transform->in_cid_len = *p++;
+
+    if ((size_t)(end - p) < ssl->transform->in_cid_len + 1u)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
+    p += ssl->transform->in_cid_len;
+
+    ssl->transform->out_cid_len = *p++;
+
+    if ((size_t)(end - p) < ssl->transform->out_cid_len)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
+    p += ssl->transform->out_cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    /*
+     * Saved fields from top-level ssl_context structure
+     */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    if ((size_t)(end - p) < 4)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->badmac_seen = ((uint32_t) p[0] << 24) |
+                       ((uint32_t) p[1] << 16) |
+                       ((uint32_t) p[2] <<  8) |
+                       ((uint32_t) p[3]);
+    p += 4;
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if ((size_t)(end - p) < 16)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->in_window_top = ((uint64_t) p[0] << 56) |
+                         ((uint64_t) p[1] << 48) |
+                         ((uint64_t) p[2] << 40) |
+                         ((uint64_t) p[3] << 32) |
+                         ((uint64_t) p[4] << 24) |
+                         ((uint64_t) p[5] << 16) |
+                         ((uint64_t) p[6] <<  8) |
+                         ((uint64_t) p[7]);
+    p += 8;
+
+    ssl->in_window = ((uint64_t) p[0] << 56) |
+                     ((uint64_t) p[1] << 48) |
+                     ((uint64_t) p[2] << 40) |
+                     ((uint64_t) p[3] << 32) |
+                     ((uint64_t) p[4] << 24) |
+                     ((uint64_t) p[5] << 16) |
+                     ((uint64_t) p[6] <<  8) |
+                     ((uint64_t) p[7]);
+    p += 8;
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if ((size_t)(end - p) < 1)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->disable_datagram_packing = *p++;
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if ((size_t)(end - p) < 8)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    memcpy(ssl->cur_out_ctr, p, 8);
+    p += 8;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if ((size_t)(end - p) < 2)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl->mtu = (p[0] << 8) | p[1];
+    p += 2;
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    {
+        uint8_t alpn_len;
+        const char **cur;
+
+        if ((size_t)(end - p) < 1)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        alpn_len = *p++;
+
+        if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
+            /* alpn_chosen should point to an item in the configured list */
+            for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
+                if (strlen(*cur) == alpn_len &&
+                        memcmp(p, cur, alpn_len) == 0) {
+                    ssl->alpn_chosen = *cur;
+                    break;
+                }
+            }
+        }
+
+        /* can only happen on conf mismatch */
+        if (alpn_len != 0 && ssl->alpn_chosen == NULL)
+            return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+        p += alpn_len;
+    }
+#endif /* MBEDTLS_SSL_ALPN */
+
+    /*
+     * Forced fields from top-level ssl_context structure
+     *
+     * Most of them already set to the correct value by mbedtls_ssl_init() and
+     * mbedtls_ssl_reset(), so we only need to set the remaining ones.
+     */
+    ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+
+    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
+
+    /* Adjust pointers for header fields of outgoing records to
+     * the given transform, accounting for explicit IV and CID. */
+    mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    ssl->in_epoch = 1;
+#endif
+
+    /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
+     * which we don't want - otherwise we'd end up freeing the wrong transform
+     * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
+     * inappropriately. */
+    if (ssl->handshake != NULL) {
+        mbedtls_ssl_handshake_free(ssl);
+        mbedtls_free(ssl->handshake);
+        ssl->handshake = NULL;
+    }
+
+    /*
+     * Done - should have consumed entire buffer
+     */
+    if (p != end)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    return (0);
+}
+
+/*
+ * Deserialize context: public wrapper for error cleaning
+ */
+int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
+                             const unsigned char *buf,
+                             size_t len) {
+    int ret = ssl_context_load(context, buf, len);
+
+    if (ret != 0)
+        mbedtls_ssl_free(context);
+
+    return (ret);
+}
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
+/*
+ * Free an SSL context
+ */
+void mbedtls_ssl_free(mbedtls_ssl_context *ssl) {
+    if (ssl == NULL)
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
+
+    if (ssl->out_buf != NULL) {
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+        size_t out_buf_len = ssl->out_buf_len;
+#else
+        size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+        mbedtls_platform_zeroize(ssl->out_buf, out_buf_len);
+        mbedtls_free(ssl->out_buf);
+        ssl->out_buf = NULL;
+    }
+
+    if (ssl->in_buf != NULL) {
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+        size_t in_buf_len = ssl->in_buf_len;
+#else
+        size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
+        mbedtls_platform_zeroize(ssl->in_buf, in_buf_len);
+        mbedtls_free(ssl->in_buf);
+        ssl->in_buf = NULL;
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if (ssl->compress_buf != NULL) {
+        mbedtls_platform_zeroize(ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN);
+        mbedtls_free(ssl->compress_buf);
+    }
+#endif
+
+    if (ssl->transform) {
+        mbedtls_ssl_transform_free(ssl->transform);
+        mbedtls_free(ssl->transform);
+    }
+
+    if (ssl->handshake) {
+        mbedtls_ssl_handshake_free(ssl);
+        mbedtls_ssl_transform_free(ssl->transform_negotiate);
+        mbedtls_ssl_session_free(ssl->session_negotiate);
+
+        mbedtls_free(ssl->handshake);
+        mbedtls_free(ssl->transform_negotiate);
+        mbedtls_free(ssl->session_negotiate);
+    }
+
+    if (ssl->session) {
+        mbedtls_ssl_session_free(ssl->session);
+        mbedtls_free(ssl->session);
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if (ssl->hostname != NULL) {
+        mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
+        mbedtls_free(ssl->hostname);
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if (mbedtls_ssl_hw_record_finish != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_finish()"));
+        mbedtls_ssl_hw_record_finish(ssl);
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    mbedtls_free(ssl->cli_id);
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
+
+    /* Actually clear after last debug message */
+    mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
+}
+
+/*
+ * Initialze mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) {
+    memset(conf, 0, sizeof(mbedtls_ssl_config));
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static int ssl_preset_default_hashes[] = {
+#if defined(MBEDTLS_SHA512_C)
+    MBEDTLS_MD_SHA512,
+    MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
+    MBEDTLS_MD_SHA1,
+#endif
+    MBEDTLS_MD_NONE
+};
+#endif
+
+static int ssl_preset_suiteb_ciphersuites[] = {
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    0
+};
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static int ssl_preset_suiteb_hashes[] = {
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_NONE
+};
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP384R1,
+#endif
+    MBEDTLS_ECP_DP_NONE
+};
+#endif
+
+/*
+ * Load default in mbedtls_ssl_config
+ */
+int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
+                                int endpoint, int transport, int preset) {
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+
+    /* Use the functions here so that they are covered in tests,
+     * but otherwise access member directly for efficiency */
+    mbedtls_ssl_conf_endpoint(conf, endpoint);
+    mbedtls_ssl_conf_transport(conf, transport);
+
+    /*
+     * Things that are common to all presets
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
+        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#endif
+    }
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    conf->f_cookie_write = ssl_cookie_write_dummy;
+    conf->f_cookie_check = ssl_cookie_check_dummy;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+    conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
+    memset(conf->renego_period,     0x00, 2);
+    memset(conf->renego_period + 2, 0xFF, 6);
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+    if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+        const unsigned char dhm_p[] =
+            MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
+        const unsigned char dhm_g[] =
+            MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
+
+        if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
+                                                 dhm_p, sizeof(dhm_p),
+                                                 dhm_g, sizeof(dhm_g))) != 0) {
+            return (ret);
+        }
+    }
+#endif
+
+    /*
+     * Preset-specific defaults
+     */
+    switch (preset) {
+        /*
+         * NSA Suite B
+         */
+        case MBEDTLS_SSL_PRESET_SUITEB:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+                conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+                    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+                        conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                            ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+            conf->sig_hashes = ssl_preset_suiteb_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = ssl_preset_suiteb_curves;
+#endif
+            break;
+
+        /*
+         * Default
+         */
+        default:
+            conf->min_major_ver = (MBEDTLS_SSL_MIN_MAJOR_VERSION >
+                                   MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION) ?
+                                  MBEDTLS_SSL_MIN_MAJOR_VERSION :
+                                  MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+            conf->min_minor_ver = (MBEDTLS_SSL_MIN_MINOR_VERSION >
+                                   MBEDTLS_SSL_MIN_VALID_MINOR_VERSION) ?
+                                  MBEDTLS_SSL_MIN_MINOR_VERSION :
+                                  MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
+#endif
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+                conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+                    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+                        conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                            mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+            conf->sig_hashes = ssl_preset_default_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = mbedtls_ecp_grp_id_list();
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+            conf->dhm_min_bitlen = 1024;
+#endif
+    }
+
+    return (0);
+}
+
+/*
+ * Free mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) {
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi_free(&conf->dhm_P);
+    mbedtls_mpi_free(&conf->dhm_G);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    if (conf->psk != NULL) {
+        mbedtls_platform_zeroize(conf->psk, conf->psk_len);
+        mbedtls_free(conf->psk);
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+
+    if (conf->psk_identity != NULL) {
+        mbedtls_platform_zeroize(conf->psk_identity, conf->psk_identity_len);
+        mbedtls_free(conf->psk_identity);
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    ssl_key_cert_free(conf->key_cert);
+#endif
+
+    mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
+}
+
+#if defined(MBEDTLS_PK_C) && \
+    ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
+/*
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
+ */
+unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) {
+#if defined(MBEDTLS_RSA_C)
+    if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+        return (MBEDTLS_SSL_SIG_RSA);
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA))
+        return (MBEDTLS_SSL_SIG_ECDSA);
+#endif
+    return (MBEDTLS_SSL_SIG_ANON);
+}
+
+unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) {
+    switch (type) {
+        case MBEDTLS_PK_RSA:
+            return (MBEDTLS_SSL_SIG_RSA);
+        case MBEDTLS_PK_ECDSA:
+        case MBEDTLS_PK_ECKEY:
+            return (MBEDTLS_SSL_SIG_ECDSA);
+        default:
+            return (MBEDTLS_SSL_SIG_ANON);
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) {
+    switch (sig) {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_SSL_SIG_RSA:
+            return (MBEDTLS_PK_RSA);
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_SSL_SIG_ECDSA:
+            return (MBEDTLS_PK_ECDSA);
+#endif
+        default:
+            return (MBEDTLS_PK_NONE);
+    }
+}
+#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set,
+                                                mbedtls_pk_type_t sig_alg) {
+    switch (sig_alg) {
+        case MBEDTLS_PK_RSA:
+            return (set->rsa);
+        case MBEDTLS_PK_ECDSA:
+            return (set->ecdsa);
+        default:
+            return (MBEDTLS_MD_NONE);
+    }
+}
+
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set,
+                                  mbedtls_pk_type_t sig_alg,
+                                  mbedtls_md_type_t md_alg) {
+    switch (sig_alg) {
+        case MBEDTLS_PK_RSA:
+            if (set->rsa == MBEDTLS_MD_NONE)
+                set->rsa = md_alg;
+            break;
+
+        case MBEDTLS_PK_ECDSA:
+            if (set->ecdsa == MBEDTLS_MD_NONE)
+                set->ecdsa = md_alg;
+            break;
+
+        default:
+            break;
+    }
+}
+
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set,
+                                         mbedtls_md_type_t md_alg) {
+    set->rsa   = md_alg;
+    set->ecdsa = md_alg;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+/*
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
+ */
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) {
+    switch (hash) {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return (MBEDTLS_MD_MD5);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            return (MBEDTLS_MD_SHA1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA224:
+            return (MBEDTLS_MD_SHA224);
+        case MBEDTLS_SSL_HASH_SHA256:
+            return (MBEDTLS_MD_SHA256);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            return (MBEDTLS_MD_SHA384);
+        case MBEDTLS_SSL_HASH_SHA512:
+            return (MBEDTLS_MD_SHA512);
+#endif
+        default:
+            return (MBEDTLS_MD_NONE);
+    }
+}
+
+/*
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
+ */
+unsigned char mbedtls_ssl_hash_from_md_alg(int md) {
+    switch (md) {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return (MBEDTLS_SSL_HASH_MD5);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return (MBEDTLS_SSL_HASH_SHA1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return (MBEDTLS_SSL_HASH_SHA224);
+        case MBEDTLS_MD_SHA256:
+            return (MBEDTLS_SSL_HASH_SHA256);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return (MBEDTLS_SSL_HASH_SHA384);
+        case MBEDTLS_MD_SHA512:
+            return (MBEDTLS_SSL_HASH_SHA512);
+#endif
+        default:
+            return (MBEDTLS_SSL_HASH_NONE);
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check if a curve proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) {
+    const mbedtls_ecp_group_id *gid;
+
+    if (ssl->conf->curve_list == NULL)
+        return (-1);
+
+    for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++)
+        if (*gid == grp_id)
+            return (0);
+
+    return (-1);
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/*
+ * Check if a hash proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl,
+                               mbedtls_md_type_t md) {
+    const int *cur;
+
+    if (ssl->conf->sig_hashes == NULL)
+        return (-1);
+
+    for (cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++)
+        if (*cur == (int) md)
+            return (0);
+
+    return (-1);
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
+                                 const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                                 int cert_endpoint,
+                                 uint32_t *flags) {
+    int ret = 0;
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    int usage = 0;
+#endif
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    const char *ext_oid;
+    size_t ext_len;
+#endif
+
+#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
+    !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    ((void) cert);
+    ((void) cert_endpoint);
+    ((void) flags);
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+        /* Server part of the key exchange */
+        switch (ciphersuite->key_exchange) {
+            case MBEDTLS_KEY_EXCHANGE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+                usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+                usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+                usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+                break;
+
+            /* Don't use default: we want warnings when adding new values */
+            case MBEDTLS_KEY_EXCHANGE_NONE:
+            case MBEDTLS_KEY_EXCHANGE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+                usage = 0;
+        }
+    } else {
+        /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
+        usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+    }
+
+    if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
+        *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+        ret = -1;
+    }
+#else
+    ((void) ciphersuite);
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+        ext_oid = MBEDTLS_OID_SERVER_AUTH;
+        ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
+    } else {
+        ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+        ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
+    }
+
+    if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
+        *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+        ret = -1;
+    }
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+    return (ret);
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3)
+        return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+    switch (md) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls;
+            break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA256:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+            break;
+#endif
+        default:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+    }
+
+    return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+    (void) ssl;
+    (void) md;
+
+    return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl,
+                                            unsigned char *output,
+                                            unsigned char *data, size_t data_len) {
+    int ret = 0;
+    mbedtls_md5_context mbedtls_md5;
+    mbedtls_sha1_context mbedtls_sha1;
+
+    mbedtls_md5_init(&mbedtls_md5);
+    mbedtls_sha1_init(&mbedtls_sha1);
+
+    /*
+     * digitally-signed struct {
+     *     opaque md5_hash[16];
+     *     opaque sha_hash[20];
+     * };
+     *
+     * md5_hash
+     *     MD5(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     * sha_hash
+     *     SHA(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     */
+    if ((ret = mbedtls_md5_starts_ret(&mbedtls_md5)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md5_starts_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md5_update_ret(&mbedtls_md5,
+                                      ssl->handshake->randbytes, 64)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md5_update_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md5_update_ret(&mbedtls_md5, data, data_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md5_update_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md5_finish_ret(&mbedtls_md5, output)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md5_finish_ret", ret);
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_starts_ret(&mbedtls_sha1)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha1_starts_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_sha1_update_ret(&mbedtls_sha1,
+                                       ssl->handshake->randbytes, 64)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha1_update_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_sha1_update_ret(&mbedtls_sha1, data,
+                                       data_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha1_update_ret", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_sha1_finish_ret(&mbedtls_sha1,
+                                       output + 16)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha1_finish_ret", ret);
+        goto exit;
+    }
+
+exit:
+    mbedtls_md5_free(&mbedtls_md5);
+    mbedtls_sha1_free(&mbedtls_sha1);
+
+    if (ret != 0)
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+    return (ret);
+
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+                                           unsigned char *hash, size_t *hashlen,
+                                           unsigned char *data, size_t data_len,
+                                           mbedtls_md_type_t md_alg) {
+    psa_status_t status;
+    psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+    psa_algorithm_t hash_alg = mbedtls_psa_translate_md(md_alg);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
+
+    if ((status = psa_hash_setup(&hash_operation,
+                                 hash_alg)) != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
+        goto exit;
+    }
+
+    if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
+                                  64)) != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
+        goto exit;
+    }
+
+    if ((status = psa_hash_update(&hash_operation,
+                                  data, data_len)) != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
+        goto exit;
+    }
+
+    if ((status = psa_hash_finish(&hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
+                                  hashlen)) != PSA_SUCCESS) {
+        MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
+        goto exit;
+    }
+
+exit:
+    if (status != PSA_SUCCESS) {
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+        switch (status) {
+            case PSA_ERROR_NOT_SUPPORTED:
+                return (MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE);
+            case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
+            case PSA_ERROR_BUFFER_TOO_SMALL:
+                return (MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+            case PSA_ERROR_INSUFFICIENT_MEMORY:
+                return (MBEDTLS_ERR_MD_ALLOC_FAILED);
+            default:
+                return (MBEDTLS_ERR_MD_HW_ACCEL_FAILED);
+        }
+    }
+    return (0);
+}
+
+#else
+
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+                                           unsigned char *hash, size_t *hashlen,
+                                           unsigned char *data, size_t data_len,
+                                           mbedtls_md_type_t md_alg) {
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
+    *hashlen = mbedtls_md_get_size(md_info);
+
+    MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
+
+    mbedtls_md_init(&ctx);
+
+    /*
+     * digitally-signed struct {
+     *     opaque client_random[32];
+     *     opaque server_random[32];
+     *     ServerDHParams params;
+     * };
+     */
+    if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md_starts(&ctx)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
+        goto exit;
+    }
+    if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free(&ctx);
+
+    if (ret != 0)
+        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+    return (ret);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/common/mbedtls/ssl_tls13_keys.c b/common/mbedtls/ssl_tls13_keys.c
new file mode 100644
index 000000000..a3121f62f
--- /dev/null
+++ b/common/mbedtls/ssl_tls13_keys.c
@@ -0,0 +1,332 @@
+/*
+ *  TLS 1.3 key schedule
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 ( the "License" ); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+
+#include "mbedtls/hkdf.h"
+#include "mbedtls/ssl_internal.h"
+#include "ssl_tls13_keys.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
+    .name = string,
+
+struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = {
+    /* This seems to work in C, despite the string literal being one
+     * character too long due to the 0-termination. */
+    MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+/*
+ * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
+ *
+ * The HkdfLabel is specified in RFC 8446 as follows:
+ *
+ * struct HkdfLabel {
+ *   uint16 length;            // Length of expanded key material
+ *   opaque label<7..255>;     // Always prefixed by "tls13 "
+ *   opaque context<0..255>;   // Usually a communication transcript hash
+ * };
+ *
+ * Parameters:
+ * - desired_length: Length of expanded key material
+ *                   Even though the standard allows expansion to up to
+ *                   2**16 Bytes, TLS 1.3 never uses expansion to more than
+ *                   255 Bytes, so we require `desired_length` to be at most
+ *                   255. This allows us to save a few Bytes of code by
+ *                   hardcoding the writing of the high bytes.
+ * - (label, llen): label + label length, without "tls13 " prefix
+ *                  The label length MUST be less than or equal to
+ *                  MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
+ *                  It is the caller's responsibility to ensure this.
+ *                  All (label, label length) pairs used in TLS 1.3
+ *                  can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
+ * - (ctx, clen): context + context length
+ *                The context length MUST be less than or equal to
+ *                MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
+ *                It is the caller's responsibility to ensure this.
+ * - dst: Target buffer for HkdfLabel structure,
+ *        This MUST be a writable buffer of size
+ *        at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
+ * - dlen: Pointer at which to store the actual length of
+ *         the HkdfLabel structure on success.
+ */
+
+static const char tls1_3_label_prefix[6] = "tls13 ";
+
+#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
+    (   2                  /* expansion length           */ \
+      + 1                  /* label length               */ \
+      + label_len                                           \
+      + 1                  /* context length             */ \
+      + context_len )
+
+#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN                      \
+    SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(                             \
+                     sizeof(tls1_3_label_prefix) +                      \
+                     MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN,     \
+                     MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
+
+static void ssl_tls1_3_hkdf_encode_label(
+    size_t desired_length,
+    const unsigned char *label, size_t llen,
+    const unsigned char *ctx, size_t clen,
+    unsigned char *dst, size_t *dlen) {
+    size_t total_label_len =
+        sizeof(tls1_3_label_prefix) + llen;
+    size_t total_hkdf_lbl_len =
+        SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(total_label_len, clen);
+
+    unsigned char *p = dst;
+
+    /* Add the size of the expanded key material.
+     * We're hardcoding the high byte to 0 here assuming that we never use
+     * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
+#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \
+value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+#endif
+
+    *p++ = 0;
+    *p++ = (unsigned char)((desired_length >> 0) & 0xFF);
+
+    /* Add label incl. prefix */
+    *p++ = (unsigned char)(total_label_len & 0xFF);
+    memcpy(p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix));
+    p += sizeof(tls1_3_label_prefix);
+    memcpy(p, label, llen);
+    p += llen;
+
+    /* Add context value */
+    *p++ = (unsigned char)(clen & 0xFF);
+    if (clen != 0)
+        memcpy(p, ctx, clen);
+
+    /* Return total length to the caller.  */
+    *dlen = total_hkdf_lbl_len;
+}
+
+int mbedtls_ssl_tls1_3_hkdf_expand_label(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret, size_t slen,
+    const unsigned char *label, size_t llen,
+    const unsigned char *ctx, size_t clen,
+    unsigned char *buf, size_t blen) {
+    const mbedtls_md_info_t *md;
+    unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
+    size_t hkdf_label_len;
+
+    if (llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) {
+        /* Should never happen since this is an internal
+         * function, and we know statically which labels
+         * are allowed. */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    if (clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) {
+        /* Should not happen, as above. */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    if (blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN) {
+        /* Should not happen, as above. */
+        return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+    }
+
+    md = mbedtls_md_info_from_type(hash_alg);
+    if (md == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    ssl_tls1_3_hkdf_encode_label(blen,
+                                 label, llen,
+                                 ctx, clen,
+                                 hkdf_label,
+                                 &hkdf_label_len);
+
+    return (mbedtls_hkdf_expand(md,
+                                secret, slen,
+                                hkdf_label, hkdf_label_len,
+                                buf, blen));
+}
+
+/*
+ * The traffic keying material is generated from the following inputs:
+ *
+ *  - One secret value per sender.
+ *  - A purpose value indicating the specific value being generated
+ *  - The desired lengths of key and IV.
+ *
+ * The expansion itself is based on HKDF:
+ *
+ *   [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
+ *   [sender]_write_iv  = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
+ *
+ * [sender] denotes the sending side and the Secret value is provided
+ * by the function caller. Note that we generate server and client side
+ * keys in a single function call.
+ */
+int mbedtls_ssl_tls1_3_make_traffic_keys(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *client_secret,
+    const unsigned char *server_secret,
+    size_t slen, size_t key_len, size_t iv_len,
+    mbedtls_ssl_key_set *keys) {
+    int ret = 0;
+
+    ret = mbedtls_ssl_tls1_3_hkdf_expand_label(hash_alg,
+                                               client_secret, slen,
+                                               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(key),
+                                               NULL, 0,
+                                               keys->client_write_key, key_len);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_ssl_tls1_3_hkdf_expand_label(hash_alg,
+                                               server_secret, slen,
+                                               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(key),
+                                               NULL, 0,
+                                               keys->server_write_key, key_len);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_ssl_tls1_3_hkdf_expand_label(hash_alg,
+                                               client_secret, slen,
+                                               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(iv),
+                                               NULL, 0,
+                                               keys->client_write_iv, iv_len);
+    if (ret != 0)
+        return (ret);
+
+    ret = mbedtls_ssl_tls1_3_hkdf_expand_label(hash_alg,
+                                               server_secret, slen,
+                                               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(iv),
+                                               NULL, 0,
+                                               keys->server_write_iv, iv_len);
+    if (ret != 0)
+        return (ret);
+
+    keys->key_len = key_len;
+    keys->iv_len = iv_len;
+
+    return (0);
+}
+
+int mbedtls_ssl_tls1_3_derive_secret(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret, size_t slen,
+    const unsigned char *label, size_t llen,
+    const unsigned char *ctx, size_t clen,
+    int ctx_hashed,
+    unsigned char *dstbuf, size_t buflen) {
+    int ret;
+    unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
+
+    const mbedtls_md_info_t *md;
+    md = mbedtls_md_info_from_type(hash_alg);
+    if (md == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    if (ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED) {
+        ret = mbedtls_md(md, ctx, clen, hashed_context);
+        if (ret != 0)
+            return (ret);
+        clen = mbedtls_md_get_size(md);
+    } else {
+        if (clen > sizeof(hashed_context)) {
+            /* This should never happen since this function is internal
+             * and the code sets `ctx_hashed` correctly.
+             * Let's double-check nonetheless to not run at the risk
+             * of getting a stack overflow. */
+            return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+        }
+
+        memcpy(hashed_context, ctx, clen);
+    }
+
+    return (mbedtls_ssl_tls1_3_hkdf_expand_label(hash_alg,
+                                                 secret, slen,
+                                                 label, llen,
+                                                 hashed_context, clen,
+                                                 dstbuf, buflen));
+}
+
+int mbedtls_ssl_tls1_3_evolve_secret(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret_old,
+    const unsigned char *input, size_t input_len,
+    unsigned char *secret_new) {
+    int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+    size_t hlen, ilen;
+    unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
+    unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
+
+    const mbedtls_md_info_t *md;
+    md = mbedtls_md_info_from_type(hash_alg);
+    if (md == NULL)
+        return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+    hlen = mbedtls_md_get_size(md);
+
+    /* For non-initial runs, call Derive-Secret( ., "derived", "")
+     * on the old secret. */
+    if (secret_old != NULL) {
+        ret = mbedtls_ssl_tls1_3_derive_secret(
+                  hash_alg,
+                  secret_old, hlen,
+                  MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(derived),
+                  NULL, 0, /* context */
+                  MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+                  tmp_secret, hlen);
+        if (ret != 0)
+            goto cleanup;
+    }
+
+    if (input != NULL) {
+        memcpy(tmp_input, input, input_len);
+        ilen = input_len;
+    } else {
+        ilen = hlen;
+    }
+
+    /* HKDF-Extract takes a salt and input key material.
+     * The salt is the old secret, and the input key material
+     * is the input secret (PSK / ECDHE). */
+    ret = mbedtls_hkdf_extract(md,
+                               tmp_secret, hlen,
+                               tmp_input, ilen,
+                               secret_new);
+    if (ret != 0)
+        goto cleanup;
+
+    ret = 0;
+
+cleanup:
+
+    mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret));
+    mbedtls_platform_zeroize(tmp_input,  sizeof(tmp_input));
+    return (ret);
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
diff --git a/common/mbedtls/ssl_tls13_keys.h b/common/mbedtls/ssl_tls13_keys.h
new file mode 100644
index 000000000..51ef3c6d9
--- /dev/null
+++ b/common/mbedtls/ssl_tls13_keys.h
@@ -0,0 +1,272 @@
+/*
+ *  TLS 1.3 key schedule
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 ( the "License" ); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
+#define MBEDTLS_SSL_TLS1_3_KEYS_H
+
+/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
+ * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union
+ * below. */
+#define MBEDTLS_SSL_TLS1_3_LABEL_LIST                               \
+    MBEDTLS_SSL_TLS1_3_LABEL( finished    , "finished"     ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( resumption  , "resumption"   ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd"  ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( exporter    , "exporter"     ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( key         , "key"          ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( iv          , "iv"           ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic"  ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic"  ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master" ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( res_master  , "res master"   ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( exp_master  , "exp master"   ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( ext_binder  , "ext binder"   ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( res_binder  , "res binder"   ) \
+    MBEDTLS_SSL_TLS1_3_LABEL( derived     , "derived"      )
+
+#define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
+    const unsigned char name    [ sizeof(string) - 1 ];
+
+union mbedtls_ssl_tls1_3_labels_union {
+    MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+struct mbedtls_ssl_tls1_3_labels_struct {
+    MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels;
+
+#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL )  \
+    mbedtls_ssl_tls1_3_labels.LABEL,              \
+    sizeof(mbedtls_ssl_tls1_3_labels.LABEL)
+
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN  \
+    sizeof( union mbedtls_ssl_tls1_3_labels_union )
+
+/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
+ * Since contexts are always hashes of message transcripts, this can
+ * be approximated from above by the maximum hash size. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN  \
+    MBEDTLS_MD_MAX_SIZE
+
+/* Maximum desired length for expanded key material generated
+ * by HKDF-Expand-Label.
+ *
+ * Warning: If this ever needs to be increased, the implementation
+ * ssl_tls1_3_hkdf_encode_label() in ssl_tls13_keys.c needs to be
+ * adjusted since it currently assumes that HKDF key expansion
+ * is never used with more than 255 Bytes of output. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+
+/**
+ * \brief           The \c HKDF-Expand-Label function from
+ *                  the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ *                  HKDF-Expand-Label( Secret, Label, Context, Length ) =
+ *                       HKDF-Expand( Secret, HkdfLabel, Length )
+ * </tt>
+ *
+ * \param hash_alg  The identifier for the hash algorithm to use.
+ * \param secret    The \c Secret argument to \c HKDF-Expand-Label.
+ *                  This must be a readable buffer of length \p slen Bytes.
+ * \param slen      The length of \p secret in Bytes.
+ * \param label     The \c Label argument to \c HKDF-Expand-Label.
+ *                  This must be a readable buffer of length \p llen Bytes.
+ * \param llen      The length of \p label in Bytes.
+ * \param ctx       The \c Context argument to \c HKDF-Expand-Label.
+ *                  This must be a readable buffer of length \p clen Bytes.
+ * \param clen      The length of \p context in Bytes.
+ * \param buf       The destination buffer to hold the expanded secret.
+ *                  This must be a writable buffer of length \p blen Bytes.
+ * \param blen      The desired size of the expanded secret in Bytes.
+ *
+ * \returns         \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_hkdf_expand_label(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret, size_t slen,
+    const unsigned char *label, size_t llen,
+    const unsigned char *ctx, size_t clen,
+    unsigned char *buf, size_t blen);
+
+/**
+ * \brief           This function is part of the TLS 1.3 key schedule.
+ *                  It extracts key and IV for the actual client/server traffic
+ *                  from the client/server traffic secrets.
+ *
+ * From RFC 8446:
+ *
+ * <tt>
+ *   [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
+ *   [sender]_write_iv  = HKDF-Expand-Label(Secret, "iv", "", iv_length)*
+ * </tt>
+ *
+ * \param hash_alg      The identifier for the hash algorithm to be used
+ *                      for the HKDF-based expansion of the secret.
+ * \param client_secret The client traffic secret.
+ *                      This must be a readable buffer of size \p slen Bytes
+ * \param server_secret The server traffic secret.
+ *                      This must be a readable buffer of size \p slen Bytes
+ * \param slen          Length of the secrets \p client_secret and
+ *                      \p server_secret in Bytes.
+ * \param key_len       The desired length of the key to be extracted in Bytes.
+ * \param iv_len        The desired length of the IV to be extracted in Bytes.
+ * \param keys          The address of the structure holding the generated
+ *                      keys and IVs.
+ *
+ * \returns             \c 0 on success.
+ * \returns             A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_make_traffic_keys(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *client_secret,
+    const unsigned char *server_secret,
+    size_t slen, size_t key_len, size_t iv_len,
+    mbedtls_ssl_key_set *keys);
+
+
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED   1
+
+/**
+ * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ *   Derive-Secret( Secret, Label, Messages ) =
+ *      HKDF-Expand-Label( Secret, Label,
+ *                         Hash( Messages ),
+ *                         Hash.Length ) )
+ * </tt>
+ *
+ * \param hash_alg   The identifier for the hash function used for the
+ *                   applications of HKDF.
+ * \param secret     The \c Secret argument to the \c Derive-Secret function.
+ *                   This must be a readable buffer of length \p slen Bytes.
+ * \param slen       The length of \p secret in Bytes.
+ * \param label      The \c Label argument to the \c Derive-Secret function.
+ *                   This must be a readable buffer of length \p llen Bytes.
+ * \param llen       The length of \p label in Bytes.
+ * \param ctx        The hash of the \c Messages argument to the
+ *                   \c Derive-Secret function, or the \c Messages argument
+ *                   itself, depending on \p context_already_hashed.
+ * \param clen       The length of \p hash.
+ * \param ctx_hashed This indicates whether the \p ctx contains the hash of
+ *                   the \c Messages argument in the application of the
+ *                   \c Derive-Secret function
+ *                   (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether
+ *                   it is the content of \c Messages itself, in which case
+ *                   the function takes care of the hashing
+ *                   (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED).
+ * \param dstbuf     The target buffer to write the output of
+ *                   \c Derive-Secret to. This must be a writable buffer of
+ *                   size \p buflen Bytes.
+ * \param buflen     The length of \p dstbuf in Bytes.
+ *
+ * \returns        \c 0 on success.
+ * \returns        A negative error code on failure.
+ */
+int mbedtls_ssl_tls1_3_derive_secret(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret, size_t slen,
+    const unsigned char *label, size_t llen,
+    const unsigned char *ctx, size_t clen,
+    int ctx_hashed,
+    unsigned char *dstbuf, size_t buflen);
+
+/**
+ * \brief Compute the next secret in the TLS 1.3 key schedule
+ *
+ * The TLS 1.3 key schedule proceeds as follows to compute
+ * the three main secrets during the handshake: The early
+ * secret for early data, the handshake secret for all
+ * other encrypted handshake messages, and the master
+ * secret for all application traffic.
+ *
+ * <tt>
+ *                    0
+ *                    |
+ *                    v
+ *     PSK ->  HKDF-Extract = Early Secret
+ *                    |
+ *                    v
+ *     Derive-Secret( ., "derived", "" )
+ *                    |
+ *                    v
+ *  (EC)DHE -> HKDF-Extract = Handshake Secret
+ *                    |
+ *                    v
+ *     Derive-Secret( ., "derived", "" )
+ *                    |
+ *                    v
+ *     0 -> HKDF-Extract = Master Secret
+ * </tt>
+ *
+ * Each of the three secrets in turn is the basis for further
+ * key derivations, such as the derivation of traffic keys and IVs;
+ * see e.g. mbedtls_ssl_tls1_3_make_traffic_keys().
+ *
+ * This function implements one step in this evolution of secrets:
+ *
+ * <tt>
+ *                old_secret
+ *                    |
+ *                    v
+ *     Derive-Secret( ., "derived", "" )
+ *                    |
+ *                    v
+ *     input -> HKDF-Extract = new_secret
+ * </tt>
+ *
+ * \param hash_alg    The identifier for the hash function used for the
+ *                    applications of HKDF.
+ * \param secret_old  The address of the buffer holding the old secret
+ *                    on function entry. If not \c NULL, this must be a
+ *                    readable buffer whose size matches the output size
+ *                    of the hash function represented by \p hash_alg.
+ *                    If \c NULL, an all \c 0 array will be used instead.
+ * \param input       The address of the buffer holding the additional
+ *                    input for the key derivation (e.g., the PSK or the
+ *                    ephemeral (EC)DH secret). If not \c NULL, this must be
+ *                    a readable buffer whose size \p input_len Bytes.
+ *                    If \c NULL, an all \c 0 array will be used instead.
+ * \param input_len   The length of \p input in Bytes.
+ * \param secret_new  The address of the buffer holding the new secret
+ *                    on function exit. This must be a writable buffer
+ *                    whose size matches the output size of the hash
+ *                    function represented by \p hash_alg.
+ *                    This may be the same as \p secret_old.
+ *
+ * \returns           \c 0 on success.
+ * \returns           A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_evolve_secret(
+    mbedtls_md_type_t hash_alg,
+    const unsigned char *secret_old,
+    const unsigned char *input, size_t input_len,
+    unsigned char *secret_new);
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
diff --git a/common/mbedtls/threading.c b/common/mbedtls/threading.c
index 1f9e3a053..be3b58658 100644
--- a/common/mbedtls/threading.c
+++ b/common/mbedtls/threading.c
@@ -1,41 +1,77 @@
 /*
  *  Threading abstraction layer
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
 #endif
 
+#include "common.h"
+
 #if defined(MBEDTLS_THREADING_C)
 
 #include "mbedtls/threading.h"
 
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
 #if defined(MBEDTLS_THREADING_PTHREAD)
 static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex) {
     if (mutex == NULL)
         return;
 
+    /* A nonzero value of is_valid indicates a successfully initialized
+     * mutex. This is a workaround for not being able to return an error
+     * code for this function. The lock/unlock functions return an error
+     * if is_valid is nonzero. The Mbed TLS unit test code uses this field
+     * to distinguish more states of the mutex; see
+     * tests/src/threading_helpers for details. */
     mutex->is_valid = pthread_mutex_init(&mutex->mutex, NULL) == 0;
 }
 
@@ -109,6 +145,9 @@ void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
 #if defined(MBEDTLS_FS_IO)
     mbedtls_mutex_init(&mbedtls_threading_readdir_mutex);
 #endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_init(&mbedtls_threading_gmtime_mutex);
+#endif
 }
 
 /*
@@ -118,6 +157,9 @@ void mbedtls_threading_free_alt(void) {
 #if defined(MBEDTLS_FS_IO)
     mbedtls_mutex_free(&mbedtls_threading_readdir_mutex);
 #endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_free(&mbedtls_threading_gmtime_mutex);
+#endif
 }
 #endif /* MBEDTLS_THREADING_ALT */
 
@@ -130,5 +172,8 @@ void mbedtls_threading_free_alt(void) {
 #if defined(MBEDTLS_FS_IO)
 mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
 #endif
+#if defined(THREADING_USE_GMTIME)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
 
 #endif /* MBEDTLS_THREADING_C */
diff --git a/common/mbedtls/threading.h b/common/mbedtls/threading.h
index 2cac7fbd9..346cd723b 100644
--- a/common/mbedtls/threading.h
+++ b/common/mbedtls/threading.h
@@ -4,30 +4,26 @@
  * \brief Threading abstraction layer
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_THREADING_H
 #define MBEDTLS_THREADING_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -38,7 +34,10 @@
 extern "C" {
 #endif
 
+/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
 #define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A  /**< The selected feature is not available. */
+
 #define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
 
@@ -46,6 +45,9 @@ extern "C" {
 #include <pthread.h>
 typedef struct mbedtls_threading_mutex_t {
     pthread_mutex_t mutex;
+    /* is_valid is 0 after a failed init or a free, and nonzero after a
+     * successful init. This field is not considered part of the public
+     * API of Mbed TLS and may change without notice. */
     char is_valid;
 } mbedtls_threading_mutex_t;
 #endif
@@ -100,6 +102,17 @@ extern int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *mutex);
 #if defined(MBEDTLS_FS_IO)
 extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
 #endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
 #endif /* MBEDTLS_THREADING_C */
 
 #ifdef __cplusplus
diff --git a/common/mbedtls/timing.c b/common/mbedtls/timing.c
index 8f31ff01e..26629a831 100644
--- a/common/mbedtls/timing.c
+++ b/common/mbedtls/timing.c
@@ -1,31 +1,23 @@
 /*
  *  Portable interface to the CPU cycle counter
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
@@ -42,7 +34,7 @@
 
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
     !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
-    !defined(__HAIKU__)
+    !defined(__HAIKU__) && !defined(__midipix__)
 #error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
 #endif
 
@@ -53,7 +45,7 @@
 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
 
 #include <windows.h>
-#include <winbase.h>
+#include <process.h>
 
 struct _hr_time {
     LARGE_INTEGER start;
@@ -216,19 +208,11 @@ unsigned long mbedtls_timing_hardclock(void) {
     struct timeval tv_cur;
 
     if (hardclock_init == 0) {
-#ifdef __MINGW32__
-        mingw_gettimeofday(&tv_init, NULL);
-#else
         gettimeofday(&tv_init, NULL);
-#endif
         hardclock_init = 1;
     }
 
-#ifdef __MINGW32__
-    mingw_gettimeofday(&tv_cur, NULL);
-#else
     gettimeofday(&tv_cur, NULL);
-#endif
     return ((tv_cur.tv_sec  - tv_init.tv_sec) * 1000000
             + (tv_cur.tv_usec - tv_init.tv_usec));
 }
@@ -258,16 +242,15 @@ unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int r
 /* It's OK to use a global because alarm() is supposed to be global anyway */
 static DWORD alarmMs;
 
-static DWORD WINAPI TimerProc(LPVOID TimerContext) {
-    ((void) TimerContext);
+static void TimerProc(void *TimerContext) {
+    (void) TimerContext;
     Sleep(alarmMs);
     mbedtls_timing_alarmed = 1;
-    return (TRUE);
+    /* _endthread will be called implicitly on return
+     * That ensures execution of thread funcition's epilogue */
 }
 
 void mbedtls_set_alarm(int seconds) {
-    DWORD ThreadId;
-
     if (seconds == 0) {
         /* No need to create a thread for this simple case.
          * Also, this shorcut is more reliable at least on MinGW32 */
@@ -277,7 +260,7 @@ void mbedtls_set_alarm(int seconds) {
 
     mbedtls_timing_alarmed = 0;
     alarmMs = seconds * 1000;
-    CloseHandle(CreateThread(NULL, 0, TimerProc, NULL, 0, &ThreadId));
+    (void) _beginthread(TimerProc, 0, NULL);
 }
 
 #else /* _WIN32 && !EFIX64 && !EFI32 */
diff --git a/common/mbedtls/timing.h b/common/mbedtls/timing.h
index 733585a87..597ef7521 100644
--- a/common/mbedtls/timing.h
+++ b/common/mbedtls/timing.h
@@ -4,30 +4,26 @@
  * \brief Portable interface to timeouts and to the CPU cycle counter
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_TIMING_H
 #define MBEDTLS_TIMING_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
diff --git a/common/mbedtls/version.c b/common/mbedtls/version.c
new file mode 100644
index 000000000..db6fcbd53
--- /dev/null
+++ b/common/mbedtls/version.c
@@ -0,0 +1,41 @@
+/*
+ *  Version information
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number(void) {
+    return (MBEDTLS_VERSION_NUMBER);
+}
+
+void mbedtls_version_get_string(char *string) {
+    memcpy(string, MBEDTLS_VERSION_STRING,
+           sizeof(MBEDTLS_VERSION_STRING));
+}
+
+void mbedtls_version_get_string_full(char *string) {
+    memcpy(string, MBEDTLS_VERSION_STRING_FULL,
+           sizeof(MBEDTLS_VERSION_STRING_FULL));
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/common/mbedtls/version.h b/common/mbedtls/version.h
new file mode 100644
index 000000000..ab40c0be8
--- /dev/null
+++ b/common/mbedtls/version.h
@@ -0,0 +1,110 @@
+/**
+ * \file version.h
+ *
+ * \brief Run-time version information
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * This set of compile-time defines and run-time variables can be used to
+ * determine the version number of the mbed TLS library used.
+ */
+#ifndef MBEDTLS_VERSION_H
+#define MBEDTLS_VERSION_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * The version number x.y.z is split into three parts.
+ * Major, Minor, Patchlevel
+ */
+#define MBEDTLS_VERSION_MAJOR  2
+#define MBEDTLS_VERSION_MINOR  26
+#define MBEDTLS_VERSION_PATCH  0
+
+/**
+ * The single version number has the following structure:
+ *    MMNNPP00
+ *    Major version | Minor version | Patch version
+ */
+#define MBEDTLS_VERSION_NUMBER         0x021A0000
+#define MBEDTLS_VERSION_STRING         "2.26.0"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.26.0"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Get the version number.
+ *
+ * \return          The constructed version number in the format
+ *                  MMNNPP00 (Major, Minor, Patch).
+ */
+unsigned int mbedtls_version_get_number(void);
+
+/**
+ * Get the version string ("x.y.z").
+ *
+ * \param string    The string that will receive the value.
+ *                  (Should be at least 9 bytes in size)
+ */
+void mbedtls_version_get_string(char *string);
+
+/**
+ * Get the full version string ("mbed TLS x.y.z").
+ *
+ * \param string    The string that will receive the value. The mbed TLS version
+ *                  string will use 18 bytes AT MOST including a terminating
+ *                  null byte.
+ *                  (So the buffer should be at least 18 bytes to receive this
+ *                  version string).
+ */
+void mbedtls_version_get_string_full(char *string);
+
+/**
+ * \brief           Check if support for a feature was compiled into this
+ *                  mbed TLS binary. This allows you to see at runtime if the
+ *                  library was for instance compiled with or without
+ *                  Multi-threading support.
+ *
+ * \note            only checks against defines in the sections "System
+ *                  support", "mbed TLS modules" and "mbed TLS feature
+ *                  support" in config.h
+ *
+ * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
+ *
+ * \return          0 if the feature is present,
+ *                  -1 if the feature is not present and
+ *                  -2 if support for feature checking as a whole was not
+ *                  compiled in.
+ */
+int mbedtls_version_check_feature(const char *feature);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_VERSION_C */
+
+#endif /* version.h */
diff --git a/common/mbedtls/version_features.c b/common/mbedtls/version_features.c
new file mode 100644
index 000000000..83568a442
--- /dev/null
+++ b/common/mbedtls/version_features.c
@@ -0,0 +1,864 @@
+/*
+ *  Version feature information
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+static const char *const features[] = {
+#if defined(MBEDTLS_VERSION_FEATURES)
+#if defined(MBEDTLS_HAVE_ASM)
+    "MBEDTLS_HAVE_ASM",
+#endif /* MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+    "MBEDTLS_NO_UDBL_DIVISION",
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+    "MBEDTLS_NO_64BIT_MULTIPLICATION",
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
+#if defined(MBEDTLS_HAVE_SSE2)
+    "MBEDTLS_HAVE_SSE2",
+#endif /* MBEDTLS_HAVE_SSE2 */
+#if defined(MBEDTLS_HAVE_TIME)
+    "MBEDTLS_HAVE_TIME",
+#endif /* MBEDTLS_HAVE_TIME */
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    "MBEDTLS_HAVE_TIME_DATE",
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+    "MBEDTLS_PLATFORM_MEMORY",
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+    "MBEDTLS_PLATFORM_NO_STD_FUNCTIONS",
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+    "MBEDTLS_PLATFORM_EXIT_ALT",
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+    "MBEDTLS_PLATFORM_TIME_ALT",
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+    "MBEDTLS_PLATFORM_FPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+    "MBEDTLS_PLATFORM_PRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+    "MBEDTLS_PLATFORM_SNPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+    "MBEDTLS_PLATFORM_VSNPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+    "MBEDTLS_PLATFORM_NV_SEED_ALT",
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+    "MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT",
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+    "MBEDTLS_DEPRECATED_WARNING",
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+    "MBEDTLS_DEPRECATED_REMOVED",
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_CHECK_PARAMS)
+    "MBEDTLS_CHECK_PARAMS",
+#endif /* MBEDTLS_CHECK_PARAMS */
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+    "MBEDTLS_CHECK_PARAMS_ASSERT",
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+#if defined(MBEDTLS_TIMING_ALT)
+    "MBEDTLS_TIMING_ALT",
+#endif /* MBEDTLS_TIMING_ALT */
+#if defined(MBEDTLS_AES_ALT)
+    "MBEDTLS_AES_ALT",
+#endif /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_ARC4_ALT)
+    "MBEDTLS_ARC4_ALT",
+#endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+    "MBEDTLS_ARIA_ALT",
+#endif /* MBEDTLS_ARIA_ALT */
+#if defined(MBEDTLS_BLOWFISH_ALT)
+    "MBEDTLS_BLOWFISH_ALT",
+#endif /* MBEDTLS_BLOWFISH_ALT */
+#if defined(MBEDTLS_CAMELLIA_ALT)
+    "MBEDTLS_CAMELLIA_ALT",
+#endif /* MBEDTLS_CAMELLIA_ALT */
+#if defined(MBEDTLS_CCM_ALT)
+    "MBEDTLS_CCM_ALT",
+#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+    "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+    "MBEDTLS_CHACHAPOLY_ALT",
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+#if defined(MBEDTLS_CMAC_ALT)
+    "MBEDTLS_CMAC_ALT",
+#endif /* MBEDTLS_CMAC_ALT */
+#if defined(MBEDTLS_DES_ALT)
+    "MBEDTLS_DES_ALT",
+#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+    "MBEDTLS_DHM_ALT",
+#endif /* MBEDTLS_DHM_ALT */
+#if defined(MBEDTLS_ECJPAKE_ALT)
+    "MBEDTLS_ECJPAKE_ALT",
+#endif /* MBEDTLS_ECJPAKE_ALT */
+#if defined(MBEDTLS_GCM_ALT)
+    "MBEDTLS_GCM_ALT",
+#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+    "MBEDTLS_NIST_KW_ALT",
+#endif /* MBEDTLS_NIST_KW_ALT */
+#if defined(MBEDTLS_MD2_ALT)
+    "MBEDTLS_MD2_ALT",
+#endif /* MBEDTLS_MD2_ALT */
+#if defined(MBEDTLS_MD4_ALT)
+    "MBEDTLS_MD4_ALT",
+#endif /* MBEDTLS_MD4_ALT */
+#if defined(MBEDTLS_MD5_ALT)
+    "MBEDTLS_MD5_ALT",
+#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+    "MBEDTLS_POLY1305_ALT",
+#endif /* MBEDTLS_POLY1305_ALT */
+#if defined(MBEDTLS_RIPEMD160_ALT)
+    "MBEDTLS_RIPEMD160_ALT",
+#endif /* MBEDTLS_RIPEMD160_ALT */
+#if defined(MBEDTLS_RSA_ALT)
+    "MBEDTLS_RSA_ALT",
+#endif /* MBEDTLS_RSA_ALT */
+#if defined(MBEDTLS_SHA1_ALT)
+    "MBEDTLS_SHA1_ALT",
+#endif /* MBEDTLS_SHA1_ALT */
+#if defined(MBEDTLS_SHA256_ALT)
+    "MBEDTLS_SHA256_ALT",
+#endif /* MBEDTLS_SHA256_ALT */
+#if defined(MBEDTLS_SHA512_ALT)
+    "MBEDTLS_SHA512_ALT",
+#endif /* MBEDTLS_SHA512_ALT */
+#if defined(MBEDTLS_XTEA_ALT)
+    "MBEDTLS_XTEA_ALT",
+#endif /* MBEDTLS_XTEA_ALT */
+#if defined(MBEDTLS_ECP_ALT)
+    "MBEDTLS_ECP_ALT",
+#endif /* MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_MD2_PROCESS_ALT)
+    "MBEDTLS_MD2_PROCESS_ALT",
+#endif /* MBEDTLS_MD2_PROCESS_ALT */
+#if defined(MBEDTLS_MD4_PROCESS_ALT)
+    "MBEDTLS_MD4_PROCESS_ALT",
+#endif /* MBEDTLS_MD4_PROCESS_ALT */
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+    "MBEDTLS_MD5_PROCESS_ALT",
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+    "MBEDTLS_RIPEMD160_PROCESS_ALT",
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+    "MBEDTLS_SHA1_PROCESS_ALT",
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+    "MBEDTLS_SHA256_PROCESS_ALT",
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+    "MBEDTLS_SHA512_PROCESS_ALT",
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+    "MBEDTLS_DES_SETKEY_ALT",
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+    "MBEDTLS_DES_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+    "MBEDTLS_DES3_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+    "MBEDTLS_AES_SETKEY_ENC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+    "MBEDTLS_AES_SETKEY_DEC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+    "MBEDTLS_AES_ENCRYPT_ALT",
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+    "MBEDTLS_AES_DECRYPT_ALT",
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+    "MBEDTLS_ECDH_GEN_PUBLIC_ALT",
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+    "MBEDTLS_ECDH_COMPUTE_SHARED_ALT",
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    "MBEDTLS_ECDSA_VERIFY_ALT",
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    "MBEDTLS_ECDSA_SIGN_ALT",
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+    "MBEDTLS_ECDSA_GENKEY_ALT",
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    "MBEDTLS_ECP_INTERNAL_ALT",
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK)
+    "MBEDTLS_ECP_NO_FALLBACK",
+#endif /* MBEDTLS_ECP_NO_FALLBACK */
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    "MBEDTLS_ECP_ADD_MIXED_ALT",
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    "MBEDTLS_ECP_DOUBLE_JAC_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    "MBEDTLS_ECP_NORMALIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    "MBEDTLS_TEST_NULL_ENTROPY",
+#endif /* MBEDTLS_TEST_NULL_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    "MBEDTLS_ENTROPY_HARDWARE_ALT",
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#if defined(MBEDTLS_AES_ROM_TABLES)
+    "MBEDTLS_AES_ROM_TABLES",
+#endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+    "MBEDTLS_AES_FEWER_TABLES",
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+    "MBEDTLS_CAMELLIA_SMALL_MEMORY",
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    "MBEDTLS_CIPHER_MODE_CBC",
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    "MBEDTLS_CIPHER_MODE_CFB",
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    "MBEDTLS_CIPHER_MODE_CTR",
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    "MBEDTLS_CIPHER_MODE_OFB",
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    "MBEDTLS_CIPHER_NULL_CIPHER",
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    "MBEDTLS_CIPHER_PADDING_PKCS7",
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    "MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+    "MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+    "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    "MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP521R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP512R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE25519_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE448_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+    "MBEDTLS_ECP_NIST_OPTIM",
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    "MBEDTLS_ECP_NO_INTERNAL_RNG",
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    "MBEDTLS_ECP_RESTARTABLE",
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    "MBEDTLS_ECDH_LEGACY_CONTEXT",
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    "MBEDTLS_ECDSA_DETERMINISTIC",
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+    "MBEDTLS_PK_PARSE_EC_EXTENDED",
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+    "MBEDTLS_ERROR_STRERROR_DUMMY",
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+#if defined(MBEDTLS_GENPRIME)
+    "MBEDTLS_GENPRIME",
+#endif /* MBEDTLS_GENPRIME */
+#if defined(MBEDTLS_FS_IO)
+    "MBEDTLS_FS_IO",
+#endif /* MBEDTLS_FS_IO */
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    "MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES",
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    "MBEDTLS_NO_PLATFORM_ENTROPY",
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+    "MBEDTLS_ENTROPY_FORCE_SHA256",
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    "MBEDTLS_ENTROPY_NV_SEED",
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER",
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    "MBEDTLS_MEMORY_DEBUG",
+#endif /* MBEDTLS_MEMORY_DEBUG */
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    "MBEDTLS_MEMORY_BACKTRACE",
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    "MBEDTLS_PK_RSA_ALT_SUPPORT",
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+#if defined(MBEDTLS_PKCS1_V15)
+    "MBEDTLS_PKCS1_V15",
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+    "MBEDTLS_PKCS1_V21",
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+    "MBEDTLS_PSA_CRYPTO_CLIENT",
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+    "MBEDTLS_PSA_CRYPTO_DRIVERS",
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+    "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG",
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+#if defined(MBEDTLS_PSA_CRYPTO_SPM)
+    "MBEDTLS_PSA_CRYPTO_SPM",
+#endif /* MBEDTLS_PSA_CRYPTO_SPM */
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+    "MBEDTLS_PSA_INJECT_ENTROPY",
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    "MBEDTLS_RSA_NO_CRT",
+#endif /* MBEDTLS_RSA_NO_CRT */
+#if defined(MBEDTLS_SELF_TEST)
+    "MBEDTLS_SELF_TEST",
+#endif /* MBEDTLS_SELF_TEST */
+#if defined(MBEDTLS_SHA256_SMALLER)
+    "MBEDTLS_SHA256_SMALLER",
+#endif /* MBEDTLS_SHA256_SMALLER */
+#if defined(MBEDTLS_SHA512_SMALLER)
+    "MBEDTLS_SHA512_SMALLER",
+#endif /* MBEDTLS_SHA512_SMALLER */
+#if defined(MBEDTLS_SHA512_NO_SHA384)
+    "MBEDTLS_SHA512_NO_SHA384",
+#endif /* MBEDTLS_SHA512_NO_SHA384 */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+    "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_RECORD_CHECKING)
+    "MBEDTLS_SSL_RECORD_CHECKING",
+#endif /* MBEDTLS_SSL_RECORD_CHECKING */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    "MBEDTLS_SSL_DTLS_CONNECTION_ID",
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    "MBEDTLS_SSL_ASYNC_PRIVATE",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+    "MBEDTLS_SSL_CONTEXT_SERIALIZATION",
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    "MBEDTLS_SSL_DEBUG_ALL",
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    "MBEDTLS_SSL_ENCRYPT_THEN_MAC",
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    "MBEDTLS_SSL_EXTENDED_MASTER_SECRET",
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    "MBEDTLS_SSL_FALLBACK_SCSV",
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    "MBEDTLS_SSL_KEEP_PEER_CERTIFICATE",
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    "MBEDTLS_SSL_HW_RECORD_ACCEL",
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    "MBEDTLS_SSL_CBC_RECORD_SPLITTING",
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    "MBEDTLS_SSL_RENEGOTIATION",
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+    "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO",
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    "MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE",
+#endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH",
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    "MBEDTLS_SSL_PROTO_SSL3",
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+    "MBEDTLS_SSL_PROTO_TLS1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    "MBEDTLS_SSL_PROTO_TLS1_1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    "MBEDTLS_SSL_PROTO_TLS1_2",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    "MBEDTLS_SSL_PROTO_DTLS",
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_ALPN)
+    "MBEDTLS_SSL_ALPN",
+#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    "MBEDTLS_SSL_DTLS_ANTI_REPLAY",
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    "MBEDTLS_SSL_DTLS_HELLO_VERIFY",
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    "MBEDTLS_SSL_DTLS_SRTP",
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE",
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    "MBEDTLS_SSL_DTLS_BADMAC_LIMIT",
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    "MBEDTLS_SSL_SESSION_TICKETS",
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    "MBEDTLS_SSL_EXPORT_KEYS",
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    "MBEDTLS_SSL_SERVER_NAME_INDICATION",
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    "MBEDTLS_SSL_TRUNCATED_HMAC",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+    "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH",
+#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+    "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+#if defined(MBEDTLS_TEST_HOOKS)
+    "MBEDTLS_TEST_HOOKS",
+#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_THREADING_ALT)
+    "MBEDTLS_THREADING_ALT",
+#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_PTHREAD)
+    "MBEDTLS_THREADING_PTHREAD",
+#endif /* MBEDTLS_THREADING_PTHREAD */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    "MBEDTLS_USE_PSA_CRYPTO",
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+    "MBEDTLS_PSA_CRYPTO_CONFIG",
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+#if defined(MBEDTLS_VERSION_FEATURES)
+    "MBEDTLS_VERSION_FEATURES",
+#endif /* MBEDTLS_VERSION_FEATURES */
+#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
+#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
+#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION",
+#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK",
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    "MBEDTLS_X509_RSASSA_PSS_SUPPORT",
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    "MBEDTLS_ZLIB_SUPPORT",
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_AESNI_C)
+    "MBEDTLS_AESNI_C",
+#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_AES_C)
+    "MBEDTLS_AES_C",
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARC4_C)
+    "MBEDTLS_ARC4_C",
+#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    "MBEDTLS_ASN1_PARSE_C",
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#if defined(MBEDTLS_ASN1_WRITE_C)
+    "MBEDTLS_ASN1_WRITE_C",
+#endif /* MBEDTLS_ASN1_WRITE_C */
+#if defined(MBEDTLS_BASE64_C)
+    "MBEDTLS_BASE64_C",
+#endif /* MBEDTLS_BASE64_C */
+#if defined(MBEDTLS_BIGNUM_C)
+    "MBEDTLS_BIGNUM_C",
+#endif /* MBEDTLS_BIGNUM_C */
+#if defined(MBEDTLS_BLOWFISH_C)
+    "MBEDTLS_BLOWFISH_C",
+#endif /* MBEDTLS_BLOWFISH_C */
+#if defined(MBEDTLS_CAMELLIA_C)
+    "MBEDTLS_CAMELLIA_C",
+#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+    "MBEDTLS_ARIA_C",
+#endif /* MBEDTLS_ARIA_C */
+#if defined(MBEDTLS_CCM_C)
+    "MBEDTLS_CCM_C",
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CERTS_C)
+    "MBEDTLS_CERTS_C",
+#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+    "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    "MBEDTLS_CHACHAPOLY_C",
+#endif /* MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_CIPHER_C)
+    "MBEDTLS_CIPHER_C",
+#endif /* MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_CMAC_C)
+    "MBEDTLS_CMAC_C",
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_CTR_DRBG_C)
+    "MBEDTLS_CTR_DRBG_C",
+#endif /* MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_DEBUG_C)
+    "MBEDTLS_DEBUG_C",
+#endif /* MBEDTLS_DEBUG_C */
+#if defined(MBEDTLS_DES_C)
+    "MBEDTLS_DES_C",
+#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_DHM_C)
+    "MBEDTLS_DHM_C",
+#endif /* MBEDTLS_DHM_C */
+#if defined(MBEDTLS_ECDH_C)
+    "MBEDTLS_ECDH_C",
+#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECDSA_C)
+    "MBEDTLS_ECDSA_C",
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_ECJPAKE_C)
+    "MBEDTLS_ECJPAKE_C",
+#endif /* MBEDTLS_ECJPAKE_C */
+#if defined(MBEDTLS_ECP_C)
+    "MBEDTLS_ECP_C",
+#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_ENTROPY_C)
+    "MBEDTLS_ENTROPY_C",
+#endif /* MBEDTLS_ENTROPY_C */
+#if defined(MBEDTLS_ERROR_C)
+    "MBEDTLS_ERROR_C",
+#endif /* MBEDTLS_ERROR_C */
+#if defined(MBEDTLS_GCM_C)
+    "MBEDTLS_GCM_C",
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_HAVEGE_C)
+    "MBEDTLS_HAVEGE_C",
+#endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HKDF_C)
+    "MBEDTLS_HKDF_C",
+#endif /* MBEDTLS_HKDF_C */
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    "MBEDTLS_HMAC_DRBG_C",
+#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_NIST_KW_C)
+    "MBEDTLS_NIST_KW_C",
+#endif /* MBEDTLS_NIST_KW_C */
+#if defined(MBEDTLS_MD_C)
+    "MBEDTLS_MD_C",
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD2_C)
+    "MBEDTLS_MD2_C",
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    "MBEDTLS_MD4_C",
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    "MBEDTLS_MD5_C",
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+    "MBEDTLS_MEMORY_BUFFER_ALLOC_C",
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+#if defined(MBEDTLS_NET_C)
+    "MBEDTLS_NET_C",
+#endif /* MBEDTLS_NET_C */
+#if defined(MBEDTLS_OID_C)
+    "MBEDTLS_OID_C",
+#endif /* MBEDTLS_OID_C */
+#if defined(MBEDTLS_PADLOCK_C)
+    "MBEDTLS_PADLOCK_C",
+#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    "MBEDTLS_PEM_PARSE_C",
+#endif /* MBEDTLS_PEM_PARSE_C */
+#if defined(MBEDTLS_PEM_WRITE_C)
+    "MBEDTLS_PEM_WRITE_C",
+#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_PK_C)
+    "MBEDTLS_PK_C",
+#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_PK_PARSE_C)
+    "MBEDTLS_PK_PARSE_C",
+#endif /* MBEDTLS_PK_PARSE_C */
+#if defined(MBEDTLS_PK_WRITE_C)
+    "MBEDTLS_PK_WRITE_C",
+#endif /* MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PKCS5_C)
+    "MBEDTLS_PKCS5_C",
+#endif /* MBEDTLS_PKCS5_C */
+#if defined(MBEDTLS_PKCS11_C)
+    "MBEDTLS_PKCS11_C",
+#endif /* MBEDTLS_PKCS11_C */
+#if defined(MBEDTLS_PKCS12_C)
+    "MBEDTLS_PKCS12_C",
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PLATFORM_C)
+    "MBEDTLS_PLATFORM_C",
+#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+    "MBEDTLS_POLY1305_C",
+#endif /* MBEDTLS_POLY1305_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+    "MBEDTLS_PSA_CRYPTO_C",
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    "MBEDTLS_PSA_CRYPTO_SE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    "MBEDTLS_PSA_CRYPTO_STORAGE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+    "MBEDTLS_PSA_ITS_FILE_C",
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+    "MBEDTLS_RIPEMD160_C",
+#endif /* MBEDTLS_RIPEMD160_C */
+#if defined(MBEDTLS_RSA_C)
+    "MBEDTLS_RSA_C",
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_SHA1_C)
+    "MBEDTLS_SHA1_C",
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    "MBEDTLS_SHA256_C",
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    "MBEDTLS_SHA512_C",
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SSL_CACHE_C)
+    "MBEDTLS_SSL_CACHE_C",
+#endif /* MBEDTLS_SSL_CACHE_C */
+#if defined(MBEDTLS_SSL_COOKIE_C)
+    "MBEDTLS_SSL_COOKIE_C",
+#endif /* MBEDTLS_SSL_COOKIE_C */
+#if defined(MBEDTLS_SSL_TICKET_C)
+    "MBEDTLS_SSL_TICKET_C",
+#endif /* MBEDTLS_SSL_TICKET_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+    "MBEDTLS_SSL_CLI_C",
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    "MBEDTLS_SSL_SRV_C",
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_TLS_C)
+    "MBEDTLS_SSL_TLS_C",
+#endif /* MBEDTLS_SSL_TLS_C */
+#if defined(MBEDTLS_THREADING_C)
+    "MBEDTLS_THREADING_C",
+#endif /* MBEDTLS_THREADING_C */
+#if defined(MBEDTLS_TIMING_C)
+    "MBEDTLS_TIMING_C",
+#endif /* MBEDTLS_TIMING_C */
+#if defined(MBEDTLS_VERSION_C)
+    "MBEDTLS_VERSION_C",
+#endif /* MBEDTLS_VERSION_C */
+#if defined(MBEDTLS_X509_USE_C)
+    "MBEDTLS_X509_USE_C",
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    "MBEDTLS_X509_CRT_PARSE_C",
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    "MBEDTLS_X509_CRL_PARSE_C",
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+    "MBEDTLS_X509_CSR_PARSE_C",
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#if defined(MBEDTLS_X509_CREATE_C)
+    "MBEDTLS_X509_CREATE_C",
+#endif /* MBEDTLS_X509_CREATE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+    "MBEDTLS_X509_CRT_WRITE_C",
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+    "MBEDTLS_X509_CSR_WRITE_C",
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+#if defined(MBEDTLS_XTEA_C)
+    "MBEDTLS_XTEA_C",
+#endif /* MBEDTLS_XTEA_C */
+#endif /* MBEDTLS_VERSION_FEATURES */
+    NULL
+};
+
+int mbedtls_version_check_feature(const char *feature) {
+    const char *const *idx = features;
+
+    if (*idx == NULL)
+        return (-2);
+
+    if (feature == NULL)
+        return (-1);
+
+    while (*idx != NULL) {
+        if (!strcmp(*idx, feature))
+            return (0);
+        idx++;
+    }
+    return (-1);
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/common/mbedtls/x509.c b/common/mbedtls/x509.c
index 8b9043033..7aeee2599 100644
--- a/common/mbedtls/x509.c
+++ b/common/mbedtls/x509.c
@@ -1,24 +1,20 @@
 /*
  *  X.509 common functions for parsing and verification
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The ITU-T X.509 standard defines a certificate format for PKI.
@@ -31,20 +27,13 @@
  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
  */
 
-/* Ensure gmtime_r is available even with -std=c99; must be included before
- * config.h, which pulls in glibc's features.h. Harmless on other platforms. */
-#define _POSIX_C_SOURCE 200112L
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_X509_USE_C)
 
 #include "mbedtls/x509.h"
 #include "mbedtls/asn1.h"
+#include "mbedtls/error.h"
 #include "mbedtls/oid.h"
 
 #include <stdio.h>
@@ -69,18 +58,26 @@
 #include "mbedtls/platform_time.h"
 #endif
 #if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_util.h"
 #include <time.h>
 #endif
 
-#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
-#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
+#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val)                      \
+    do                                                  \
+    {                                                   \
+        if( ( val ) < ( min ) || ( val ) > ( max ) )    \
+        {                                               \
+            return( ret );                              \
+        }                                               \
+    } while( 0 )
 
 /*
  *  CertificateSerialNumber  ::=  INTEGER
  */
 int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
                             mbedtls_x509_buf *serial) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if ((end - *p) < 1)
         return (MBEDTLS_ERR_X509_INVALID_SERIAL +
@@ -110,7 +107,7 @@ int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
  */
 int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
                               mbedtls_x509_buf *alg) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if ((ret = mbedtls_asn1_get_alg_null(p, end, alg)) != 0)
         return (MBEDTLS_ERR_X509_INVALID_ALG + ret);
@@ -119,11 +116,11 @@ int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
 }
 
 /*
- * Parse an algorithm identifier with (optional) paramaters
+ * Parse an algorithm identifier with (optional) parameters
  */
 int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
                          mbedtls_x509_buf *alg, mbedtls_x509_buf *params) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if ((ret = mbedtls_asn1_get_alg(p, end, alg, params)) != 0)
         return (MBEDTLS_ERR_X509_INVALID_ALG + ret);
@@ -142,7 +139,7 @@ int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
  * For HashAlgorithm, parameters MUST be NULL or absent.
  */
 static int x509_get_hash_alg(const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p;
     const unsigned char *end;
     mbedtls_x509_buf md_oid;
@@ -153,7 +150,7 @@ static int x509_get_hash_alg(const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_
         return (MBEDTLS_ERR_X509_INVALID_ALG +
                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
 
-    p = (unsigned char *) alg->p;
+    p = alg->p;
     end = p + alg->len;
 
     if (p >= end)
@@ -202,7 +199,7 @@ static int x509_get_hash_alg(const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_
 int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
                                        mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
                                        int *salt_len) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned char *p;
     const unsigned char *end, *end2;
     size_t len;
@@ -336,7 +333,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
 static int x509_get_attr_type_value(unsigned char **p,
                                     const unsigned char *end,
                                     mbedtls_x509_name *cur) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
     mbedtls_x509_buf *oid;
     mbedtls_x509_buf *val;
@@ -345,6 +342,8 @@ static int x509_get_attr_type_value(unsigned char **p,
                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
         return (MBEDTLS_ERR_X509_INVALID_NAME + ret);
 
+    end = *p + len;
+
     if ((end - *p) < 1)
         return (MBEDTLS_ERR_X509_INVALID_NAME +
                 MBEDTLS_ERR_ASN1_OUT_OF_DATA);
@@ -378,6 +377,11 @@ static int x509_get_attr_type_value(unsigned char **p,
     val->p = *p;
     *p += val->len;
 
+    if (*p != end) {
+        return (MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
     cur->next = NULL;
 
     return (0);
@@ -408,7 +412,7 @@ static int x509_get_attr_type_value(unsigned char **p,
  */
 int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
                           mbedtls_x509_name *cur) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t set_len;
     const unsigned char *end_set;
 
@@ -516,7 +520,7 @@ static int x509_date_is_valid(const mbedtls_x509_time *t) {
  */
 static int x509_parse_time(unsigned char **p, size_t len, size_t yearlen,
                            mbedtls_x509_time *tm) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     /*
      * Minimum length is 10 or 12 depending on yearlen
@@ -576,7 +580,7 @@ static int x509_parse_time(unsigned char **p, size_t len, size_t yearlen,
  */
 int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
                           mbedtls_x509_time *tm) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len, year_len;
     unsigned char tag;
 
@@ -604,7 +608,7 @@ int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
 }
 
 int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
     int tag_type;
 
@@ -632,7 +636,7 @@ int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x5
 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
                              mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
                              void **sig_opts) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if (*sig_opts != NULL)
         return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
@@ -676,28 +680,23 @@ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509
  */
 int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
                          mbedtls_x509_buf *ext, int tag) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
 
-    if (*p == end)
-        return (0);
+    /* Extension structure use EXPLICIT tagging. That is, the actual
+     * `Extensions` structure is wrapped by a tag-length pair using
+     * the respective context-specific tag. */
+    ret = mbedtls_asn1_get_tag(p, end, &ext->len,
+                               MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag);
+    if (ret != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
 
-    ext->tag = **p;
-
-    if ((ret = mbedtls_asn1_get_tag(p, end, &ext->len,
-                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag)) != 0)
-        return (ret);
-
-    ext->p = *p;
-    end = *p + ext->len;
+    ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+    ext->p   = *p;
+    end      = *p + ext->len;
 
     /*
      * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
-     *
-     * Extension  ::=  SEQUENCE  {
-     *      extnID      OBJECT IDENTIFIER,
-     *      critical    BOOLEAN DEFAULT FALSE,
-     *      extnValue   OCTET STRING  }
      */
     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
@@ -715,7 +714,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
  * than size characters will be written
  */
 int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, n;
     unsigned char c, merge = 0;
     const mbedtls_x509_name *name;
@@ -752,7 +751,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) {
                 break;
 
             c = name->val.p[i];
-            if (c < 32 || c == 127 || (c > 128 && c < 160))
+            if (c < 32 || c >= 127)
                 s[i] = '?';
             else s[i] = c;
         }
@@ -772,7 +771,7 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn) {
  * than size characters will be written
  */
 int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t i, n, nr;
     char *p;
 
@@ -805,7 +804,7 @@ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *ser
 int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
                               mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
                               const void *sig_opts) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     char *p = buf;
     size_t n = size;
     const char *desc = NULL;
@@ -830,7 +829,7 @@ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *si
         ret = mbedtls_snprintf(p, n, " (%s, MGF1-%s, 0x%02X)",
                                md_info ? mbedtls_md_get_name(md_info) : "???",
                                mgf_md_info ? mbedtls_md_get_name(mgf_md_info) : "???",
-                               pss_opts->expected_salt_len);
+                               (unsigned int) pss_opts->expected_salt_len);
         MBEDTLS_X509_SAFE_SNPRINTF;
     }
 #else
@@ -848,7 +847,7 @@ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *si
 int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name) {
     char *p = buf;
     size_t n = buf_size;
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     ret = mbedtls_snprintf(p, n, "%s key size", name);
     MBEDTLS_X509_SAFE_SNPRINTF;
@@ -867,11 +866,7 @@ static int x509_get_current_time(mbedtls_x509_time *now) {
     int ret = 0;
 
     tt = mbedtls_time(NULL);
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-    lt = gmtime_s(&tm_buf, &tt) == 0 ? &tm_buf : NULL;
-#else
-    lt = gmtime_r(&tt, &tm_buf);
-#endif
+    lt = mbedtls_platform_gmtime_r(&tt, &tm_buf);
 
     if (lt == NULL)
         ret = -1;
@@ -967,8 +962,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from) {
  * Checkup routine
  */
 int mbedtls_x509_self_test(int verbose) {
+    int ret = 0;
 #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
-    int ret;
     uint32_t flags;
     mbedtls_x509_crt cacert;
     mbedtls_x509_crt clicert;
@@ -976,6 +971,7 @@ int mbedtls_x509_self_test(int verbose) {
     if (verbose != 0)
         mbedtls_printf("  X.509 certificate load: ");
 
+    mbedtls_x509_crt_init(&cacert);
     mbedtls_x509_crt_init(&clicert);
 
     ret = mbedtls_x509_crt_parse(&clicert, (const unsigned char *) mbedtls_test_cli_crt,
@@ -984,18 +980,16 @@ int mbedtls_x509_self_test(int verbose) {
         if (verbose != 0)
             mbedtls_printf("failed\n");
 
-        return (ret);
+        goto cleanup;
     }
 
-    mbedtls_x509_crt_init(&cacert);
-
     ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_ca_crt,
                                  mbedtls_test_ca_crt_len);
     if (ret != 0) {
         if (verbose != 0)
             mbedtls_printf("failed\n");
 
-        return (ret);
+        goto cleanup;
     }
 
     if (verbose != 0)
@@ -1006,20 +1000,19 @@ int mbedtls_x509_self_test(int verbose) {
         if (verbose != 0)
             mbedtls_printf("failed\n");
 
-        return (ret);
+        goto cleanup;
     }
 
     if (verbose != 0)
         mbedtls_printf("passed\n\n");
 
+cleanup:
     mbedtls_x509_crt_free(&cacert);
     mbedtls_x509_crt_free(&clicert);
-
-    return (0);
 #else
     ((void) verbose);
-    return (0);
-#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA256_C */
+    return (ret);
 }
 
 #endif /* MBEDTLS_SELF_TEST */
diff --git a/common/mbedtls/x509.h b/common/mbedtls/x509.h
index 676cf824a..2f430d4dd 100644
--- a/common/mbedtls/x509.h
+++ b/common/mbedtls/x509.h
@@ -4,39 +4,35 @@
  * \brief X.509 generic defines and structures
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_X509_H
 #define MBEDTLS_X509_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "asn1.h"
-#include "pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/pk.h"
 
 #if defined(MBEDTLS_RSA_C)
-#include "rsa.h"
+#include "mbedtls/rsa.h"
 #endif
 
 /**
@@ -111,6 +107,28 @@
 /* \} name */
 /* \} addtogroup x509_module */
 
+/*
+ * X.509 v3 Subject Alternative Name types.
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER
+ */
+#define MBEDTLS_X509_SAN_OTHER_NAME                      0
+#define MBEDTLS_X509_SAN_RFC822_NAME                     1
+#define MBEDTLS_X509_SAN_DNS_NAME                        2
+#define MBEDTLS_X509_SAN_X400_ADDRESS_NAME               3
+#define MBEDTLS_X509_SAN_DIRECTORY_NAME                  4
+#define MBEDTLS_X509_SAN_EDI_PARTY_NAME                  5
+#define MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER     6
+#define MBEDTLS_X509_SAN_IP_ADDRESS                      7
+#define MBEDTLS_X509_SAN_REGISTERED_ID                   8
+
 /*
  * X.509 v3 Key Usage Extension flags
  * Reminder: update x509_info_key_usage() when adding new flags.
@@ -144,24 +162,26 @@
  *
  * Comments refer to the status for using certificates. Status can be
  * different for writing certificates or reading CRLs or CSRs.
+ *
+ * Those are defined in oid.h as oid.c needs them in a data structure. Since
+ * these were previously defined here, let's have aliases for compatibility.
  */
-#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
-#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
-#define MBEDTLS_X509_EXT_KEY_USAGE                   (1 << 2)
-#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES        (1 << 3)
-#define MBEDTLS_X509_EXT_POLICY_MAPPINGS             (1 << 4)
-#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME            (1 << 5)    /* Supported (DNS) */
-#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME             (1 << 6)
-#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
-#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS           (1 << 8)    /* Supported */
-#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS            (1 << 9)
-#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS          (1 << 10)
-#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE          (1 << 11)
-#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
-#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
-#define MBEDTLS_X509_EXT_FRESHEST_CRL                (1 << 14)
-
-#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)
+#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER
+#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER   MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER
+#define MBEDTLS_X509_EXT_KEY_USAGE                MBEDTLS_OID_X509_EXT_KEY_USAGE
+#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES     MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES
+#define MBEDTLS_X509_EXT_POLICY_MAPPINGS          MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS
+#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME         MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME         /* Supported (DNS) */
+#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME          MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME
+#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS  MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS
+#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS        MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS        /* Supported */
+#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS         MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS
+#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS       MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS
+#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE       MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
+#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS  MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS
+#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY       MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY
+#define MBEDTLS_X509_EXT_FRESHEST_CRL             MBEDTLS_OID_X509_EXT_FRESHEST_CRL
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE             MBEDTLS_OID_X509_EXT_NS_CERT_TYPE
 
 /*
  * Storage format identifiers
@@ -270,6 +290,8 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
  */
 int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -277,6 +299,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
  */
 int mbedtls_x509_self_test(int verbose);
 
+#endif /* MBEDTLS_SELF_TEST */
+
 /*
  * Internal module functions. You probably do not want to use these unless you
  * know you do.
@@ -322,7 +346,7 @@ int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
     do {                                                    \
         if( ret < 0 || (size_t) ret >= n )                  \
             return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );    \
-        \
+                                                            \
         n -= (size_t) ret;                                  \
         p += (size_t) ret;                                  \
     } while( 0 )
diff --git a/common/mbedtls/x509_create.c b/common/mbedtls/x509_create.c
new file mode 100644
index 000000000..9cd33c789
--- /dev/null
+++ b/common/mbedtls/x509_create.c
@@ -0,0 +1,407 @@
+/*
+ *  X.509 base functions for creating certificates / CSRs
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CREATE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+/* Structure linking OIDs for X.509 DN AttributeTypes to their
+ * string representations and default string encodings used by Mbed TLS. */
+typedef struct {
+    const char *name; /* String representation of AttributeType, e.g.
+                      * "CN" or "emailAddress". */
+    size_t name_len;  /* Length of 'name', without trailing 0 byte. */
+    const char *oid;  /* String representation of OID of AttributeType,
+                      * as per RFC 5280, Appendix A.1. */
+    int default_tag;  /* The default character encoding used for the
+                      * given attribute type, e.g.
+                      * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
+} x509_attr_descriptor_t;
+
+#define ADD_STRLEN( s )     s, sizeof( s ) - 1
+
+/* X.509 DN attributes from RFC 5280, Appendix A.1. */
+static const x509_attr_descriptor_t x509_attrs[] = {
+    {
+        ADD_STRLEN("CN"),
+        MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("commonName"),
+        MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("C"),
+        MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("countryName"),
+        MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("O"),
+        MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("organizationName"),
+        MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("L"),
+        MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("locality"),
+        MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("R"),
+        MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING
+    },
+    {
+        ADD_STRLEN("OU"),
+        MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("organizationalUnitName"),
+        MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("ST"),
+        MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("stateOrProvinceName"),
+        MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("emailAddress"),
+        MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING
+    },
+    {
+        ADD_STRLEN("serialNumber"),
+        MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("postalAddress"),
+        MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("postalCode"),
+        MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("dnQualifier"),
+        MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING
+    },
+    {
+        ADD_STRLEN("title"),
+        MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("surName"),
+        MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("SN"),
+        MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("givenName"),
+        MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("GN"),
+        MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("initials"),
+        MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("pseudonym"),
+        MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("generationQualifier"),
+        MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING
+    },
+    {
+        ADD_STRLEN("domainComponent"),
+        MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING
+    },
+    {
+        ADD_STRLEN("DC"),
+        MBEDTLS_OID_DOMAIN_COMPONENT,   MBEDTLS_ASN1_IA5_STRING
+    },
+    { NULL, 0, NULL, MBEDTLS_ASN1_NULL }
+};
+
+static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, size_t name_len) {
+    const x509_attr_descriptor_t *cur;
+
+    for (cur = x509_attrs; cur->name != NULL; cur++)
+        if (cur->name_len == name_len &&
+                strncmp(cur->name, name, name_len) == 0)
+            break;
+
+    if (cur->name == NULL)
+        return (NULL);
+
+    return (cur);
+}
+
+int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) {
+    int ret = 0;
+    const char *s = name, *c = s;
+    const char *end = s + strlen(s);
+    const char *oid = NULL;
+    const x509_attr_descriptor_t *attr_descr = NULL;
+    int in_tag = 1;
+    char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+    char *d = data;
+
+    /* Clear existing chain if present */
+    mbedtls_asn1_free_named_data_list(head);
+
+    while (c <= end) {
+        if (in_tag && *c == '=') {
+            if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) {
+                ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
+                goto exit;
+            }
+
+            oid = attr_descr->oid;
+            s = c + 1;
+            in_tag = 0;
+            d = data;
+        }
+
+        if (!in_tag && *c == '\\' && c != end) {
+            c++;
+
+            /* Check for valid escaped characters */
+            if (c == end || *c != ',') {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        } else if (!in_tag && (*c == ',' || c == end)) {
+            mbedtls_asn1_named_data *cur =
+                mbedtls_asn1_store_named_data(head, oid, strlen(oid),
+                                              (unsigned char *) data,
+                                              d - data);
+
+            if (cur == NULL) {
+                return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+            }
+
+            // set tagType
+            cur->val.tag = attr_descr->default_tag;
+
+            while (c < end && *(c + 1) == ' ')
+                c++;
+
+            s = c + 1;
+            in_tag = 1;
+        }
+
+        if (!in_tag && s != c + 1) {
+            *(d++) = *c;
+
+            if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+
+        c++;
+    }
+
+exit:
+
+    return (ret);
+}
+
+/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
+ * to store the critical boolean for us
+ */
+int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                               int critical, const unsigned char *val, size_t val_len) {
+    mbedtls_asn1_named_data *cur;
+
+    if ((cur = mbedtls_asn1_store_named_data(head, oid, oid_len,
+                                             NULL, val_len + 1)) == NULL) {
+        return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+    }
+
+    cur->val.p[0] = critical;
+    memcpy(cur->val.p + 1, val, val_len);
+
+    return (0);
+}
+
+/*
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_write_name(unsigned char **p, unsigned char *start, mbedtls_asn1_named_data *cur_name) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+    const char *oid             = (const char *)cur_name->oid.p;
+    size_t oid_len              = cur_name->oid.len;
+    const unsigned char *name   = cur_name->val.p;
+    size_t name_len             = cur_name->val.len;
+
+    // Write correct string tag and value
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tagged_string(p, start,
+                                                               cur_name->val.tag,
+                                                               (const char *) name,
+                                                               name_len));
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid,
+                                                     oid_len));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+                                                     MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+                                                     MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SET));
+
+    return ((int) len);
+}
+
+int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
+                             mbedtls_asn1_named_data *first) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur = first;
+
+    while (cur != NULL) {
+        MBEDTLS_ASN1_CHK_ADD(len, x509_write_name(p, start, cur));
+        cur = cur->next;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE));
+
+    return ((int) len);
+}
+
+int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
+                           const char *oid, size_t oid_len,
+                           unsigned char *sig, size_t size) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+
+    if (*p < start || (size_t)(*p - start) < size)
+        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+
+    len = size;
+    (*p) -= len;
+    memcpy(*p, sig, len);
+
+    if (*p - start < 1)
+        return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
+
+    *--(*p) = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_BIT_STRING));
+
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier(p, start, oid,
+                         oid_len, 0));
+
+    return ((int) len);
+}
+
+static int x509_write_extension(unsigned char **p, unsigned char *start,
+                                mbedtls_asn1_named_data *ext) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, ext->val.p + 1,
+                                                            ext->val.len - 1));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, ext->val.len - 1));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_OCTET_STRING));
+
+    if (ext->val.p[0] != 0) {
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_bool(p, start, 1));
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, ext->oid.p,
+                                                            ext->oid.len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, ext->oid.len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_OID));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE));
+
+    return ((int) len);
+}
+
+/*
+ * Extension  ::=  SEQUENCE  {
+ *     extnID      OBJECT IDENTIFIER,
+ *     critical    BOOLEAN DEFAULT FALSE,
+ *     extnValue   OCTET STRING
+ *                 -- contains the DER encoding of an ASN.1 value
+ *                 -- corresponding to the extension type identified
+ *                 -- by extnID
+ *     }
+ */
+int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
+                                  mbedtls_asn1_named_data *first) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur_ext = first;
+
+    while (cur_ext != NULL) {
+        MBEDTLS_ASN1_CHK_ADD(len, x509_write_extension(p, start, cur_ext));
+        cur_ext = cur_ext->next;
+    }
+
+    return ((int) len);
+}
+
+#endif /* MBEDTLS_X509_CREATE_C */
diff --git a/common/mbedtls/x509_crl.c b/common/mbedtls/x509_crl.c
index 1bf08213f..595ba95fe 100644
--- a/common/mbedtls/x509_crl.c
+++ b/common/mbedtls/x509_crl.c
@@ -1,24 +1,20 @@
 /*
  *  X.509 Certidicate Revocation List (CRL) parsing
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The ITU-T X.509 standard defines a certificate format for PKI.
@@ -31,15 +27,12 @@
  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
 
 #include "mbedtls/x509_crl.h"
+#include "mbedtls/error.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/platform_util.h"
 
@@ -75,7 +68,7 @@
 static int x509_crl_get_version(unsigned char **p,
                                 const unsigned char *end,
                                 int *ver) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
         if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
@@ -99,18 +92,19 @@ static int x509_crl_get_version(unsigned char **p,
 static int x509_get_crl_ext(unsigned char **p,
                             const unsigned char *end,
                             mbedtls_x509_buf *ext) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (*p == end)
+        return (0);
 
     /*
      * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
      *                              -- if present, version MUST be v2
      */
-    if ((ret = mbedtls_x509_get_ext(p, end, ext, 0)) != 0) {
-        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
-            return (0);
-
+    if ((ret = mbedtls_x509_get_ext(p, end, ext, 0)) != 0)
         return (ret);
-    }
+
+    end = ext->p + ext->len;
 
     while (*p < end) {
         /*
@@ -174,7 +168,7 @@ static int x509_get_crl_ext(unsigned char **p,
 static int x509_get_crl_entry_ext(unsigned char **p,
                                   const unsigned char *end,
                                   mbedtls_x509_buf *ext) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len = 0;
 
     /* OPTIONAL */
@@ -224,7 +218,7 @@ static int x509_get_crl_entry_ext(unsigned char **p,
 static int x509_get_entries(unsigned char **p,
                             const unsigned char *end,
                             mbedtls_x509_crl_entry *entry) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t entry_len;
     mbedtls_x509_crl_entry *cur_entry = entry;
 
@@ -245,12 +239,12 @@ static int x509_get_entries(unsigned char **p,
         size_t len2;
         const unsigned char *end2;
 
+        cur_entry->raw.tag = **p;
         if ((ret = mbedtls_asn1_get_tag(p, end, &len2,
                                         MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
             return (ret);
         }
 
-        cur_entry->raw.tag = **p;
         cur_entry->raw.p = *p;
         cur_entry->raw.len = len2;
         end2 = *p + len2;
@@ -284,7 +278,7 @@ static int x509_get_entries(unsigned char **p,
  */
 int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
                                const unsigned char *buf, size_t buflen) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t len;
     unsigned char *p = NULL, *end = NULL;
     mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
@@ -501,8 +495,8 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
  */
 int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen) {
 #if defined(MBEDTLS_PEM_PARSE_C)
-    int ret;
-    size_t use_len;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t use_len = 0;
     mbedtls_pem_context pem;
     int is_pem = 0;
 
@@ -559,7 +553,7 @@ int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, si
  * Load one or more CRLs and add them to the chained list
  */
 int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n;
     unsigned char *buf;
 
@@ -585,7 +579,7 @@ int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path) {
  */
 int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_crl *crl) {
-    int ret;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t n;
     char *p;
     const mbedtls_x509_crl_entry *entry;
diff --git a/common/mbedtls/x509_crl.h b/common/mbedtls/x509_crl.h
index dc4bce8fc..e5e77345b 100644
--- a/common/mbedtls/x509_crl.h
+++ b/common/mbedtls/x509_crl.h
@@ -4,35 +4,31 @@
  * \brief X.509 certificate revocation list parsing
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_X509_CRL_H
 #define MBEDTLS_X509_CRL_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "x509.h"
+#include "mbedtls/x509.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -111,7 +107,7 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
 /**
  * \brief          Parse one or more CRLs and append them to the chained list
  *
- * \note           Mutliple CRLs are accepted only if using PEM format
+ * \note           Multiple CRLs are accepted only if using PEM format
  *
  * \param chain    points to the start of the chain
  * \param buf      buffer holding the CRL data in PEM or DER format
@@ -126,7 +122,7 @@ int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, si
 /**
  * \brief          Load one or more CRLs and append them to the chained list
  *
- * \note           Mutliple CRLs are accepted only if using PEM format
+ * \note           Multiple CRLs are accepted only if using PEM format
  *
  * \param chain    points to the start of the chain
  * \param path     filename to read the CRLs from (in PEM or DER encoding)
diff --git a/common/mbedtls/x509_crt.c b/common/mbedtls/x509_crt.c
index 9f8e64ed6..850893f0a 100644
--- a/common/mbedtls/x509_crt.c
+++ b/common/mbedtls/x509_crt.c
@@ -1,24 +1,20 @@
 /*
  *  X.509 certificate parsing and verification
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 /*
  *  The ITU-T X.509 standard defines a certificate format for PKI.
@@ -33,28 +29,30 @@
  *  [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
  */
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 
 #include "mbedtls/x509_crt.h"
+#include "mbedtls/error.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/platform_util.h"
 
-#include <stdio.h>
 #include <string.h>
 
 #if defined(MBEDTLS_PEM_PARSE_C)
 #include "mbedtls/pem.h"
 #endif
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
+#include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_free       free
 #define mbedtls_calloc    calloc
@@ -221,1414 +219,6 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
     return (-1);
 }
 
-/*
- *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
- */
-static int x509_get_version(unsigned char **p,
-                            const unsigned char *end,
-                            int *ver) {
-    int ret;
-    size_t len;
-
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0)) != 0) {
-        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
-            *ver = 0;
-            return (0);
-        }
-
-        return (ret);
-    }
-
-    end = *p + len;
-
-    if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_VERSION + ret);
-
-    if (*p != end)
-        return (MBEDTLS_ERR_X509_INVALID_VERSION +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    return (0);
-}
-
-/*
- *  Validity ::= SEQUENCE {
- *       notBefore      Time,
- *       notAfter       Time }
- */
-static int x509_get_dates(unsigned char **p,
-                          const unsigned char *end,
-                          mbedtls_x509_time *from,
-                          mbedtls_x509_time *to) {
-    int ret;
-    size_t len;
-
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_DATE + ret);
-
-    end = *p + len;
-
-    if ((ret = mbedtls_x509_get_time(p, end, from)) != 0)
-        return (ret);
-
-    if ((ret = mbedtls_x509_get_time(p, end, to)) != 0)
-        return (ret);
-
-    if (*p != end)
-        return (MBEDTLS_ERR_X509_INVALID_DATE +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    return (0);
-}
-
-/*
- * X.509 v2/v3 unique identifier (not parsed)
- */
-static int x509_get_uid(unsigned char **p,
-                        const unsigned char *end,
-                        mbedtls_x509_buf *uid, int n) {
-    int ret;
-
-    if (*p == end)
-        return (0);
-
-    uid->tag = **p;
-
-    if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
-                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n)) != 0) {
-        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
-            return (0);
-
-        return (ret);
-    }
-
-    uid->p = *p;
-    *p += uid->len;
-
-    return (0);
-}
-
-static int x509_get_basic_constraints(unsigned char **p,
-                                      const unsigned char *end,
-                                      int *ca_istrue,
-                                      int *max_pathlen) {
-    int ret;
-    size_t len;
-
-    /*
-     * BasicConstraints ::= SEQUENCE {
-     *      cA                      BOOLEAN DEFAULT FALSE,
-     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
-     */
-    *ca_istrue = 0; /* DEFAULT FALSE */
-    *max_pathlen = 0; /* endless */
-
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    if (*p == end)
-        return (0);
-
-    if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
-        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
-            ret = mbedtls_asn1_get_int(p, end, ca_istrue);
-
-        if (ret != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        if (*ca_istrue != 0)
-            *ca_istrue = 1;
-    }
-
-    if (*p == end)
-        return (0);
-
-    if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    if (*p != end)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    (*max_pathlen)++;
-
-    return (0);
-}
-
-static int x509_get_ns_cert_type(unsigned char **p,
-                                 const unsigned char *end,
-                                 unsigned char *ns_cert_type) {
-    int ret;
-    mbedtls_x509_bitstring bs = { 0, 0, NULL };
-
-    if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    if (bs.len != 1)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
-
-    /* Get actual bitstring */
-    *ns_cert_type = *bs.p;
-    return (0);
-}
-
-static int x509_get_key_usage(unsigned char **p,
-                              const unsigned char *end,
-                              unsigned int *key_usage) {
-    int ret;
-    size_t i;
-    mbedtls_x509_bitstring bs = { 0, 0, NULL };
-
-    if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    if (bs.len < 1)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
-
-    /* Get actual bitstring */
-    *key_usage = 0;
-    for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
-        *key_usage |= (unsigned int) bs.p[i] << (8 * i);
-    }
-
-    return (0);
-}
-
-/*
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- * KeyPurposeId ::= OBJECT IDENTIFIER
- */
-static int x509_get_ext_key_usage(unsigned char **p,
-                                  const unsigned char *end,
-                                  mbedtls_x509_sequence *ext_key_usage) {
-    int ret;
-
-    if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    /* Sequence length must be >= 1 */
-    if (ext_key_usage->buf.p == NULL)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
-
-    return (0);
-}
-
-/*
- * SubjectAltName ::= GeneralNames
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * GeneralName ::= CHOICE {
- *      otherName                       [0]     OtherName,
- *      rfc822Name                      [1]     IA5String,
- *      dNSName                         [2]     IA5String,
- *      x400Address                     [3]     ORAddress,
- *      directoryName                   [4]     Name,
- *      ediPartyName                    [5]     EDIPartyName,
- *      uniformResourceIdentifier       [6]     IA5String,
- *      iPAddress                       [7]     OCTET STRING,
- *      registeredID                    [8]     OBJECT IDENTIFIER }
- *
- * OtherName ::= SEQUENCE {
- *      type-id    OBJECT IDENTIFIER,
- *      value      [0] EXPLICIT ANY DEFINED BY type-id }
- *
- * EDIPartyName ::= SEQUENCE {
- *      nameAssigner            [0]     DirectoryString OPTIONAL,
- *      partyName               [1]     DirectoryString }
- *
- * NOTE: we only parse and use dNSName at this point.
- */
-static int x509_get_subject_alt_name(unsigned char **p,
-                                     const unsigned char *end,
-                                     mbedtls_x509_sequence *subject_alt_name) {
-    int ret;
-    size_t len, tag_len;
-    mbedtls_asn1_buf *buf;
-    unsigned char tag;
-    mbedtls_asn1_sequence *cur = subject_alt_name;
-
-    /* Get main sequence tag */
-    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-    if (*p + len != end)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    while (*p < end) {
-        if ((end - *p) < 1)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                    MBEDTLS_ERR_ASN1_OUT_OF_DATA);
-
-        tag = **p;
-        (*p)++;
-        if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
-                MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
-        }
-
-        /* Skip everything but DNS name */
-        if (tag != (MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2)) {
-            *p += tag_len;
-            continue;
-        }
-
-        /* Allocate and assign next pointer */
-        if (cur->buf.p != NULL) {
-            if (cur->next != NULL)
-                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS);
-
-            cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
-
-            if (cur->next == NULL)
-                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                        MBEDTLS_ERR_ASN1_ALLOC_FAILED);
-
-            cur = cur->next;
-        }
-
-        buf = &(cur->buf);
-        buf->tag = tag;
-        buf->p = *p;
-        buf->len = tag_len;
-        *p += buf->len;
-    }
-
-    /* Set final sequence entry's next pointer to NULL */
-    cur->next = NULL;
-
-    if (*p != end)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    return (0);
-}
-
-/*
- * X.509 v3 extensions
- *
- */
-static int x509_get_crt_ext(unsigned char **p,
-                            const unsigned char *end,
-                            mbedtls_x509_crt *crt) {
-    int ret;
-    size_t len;
-    unsigned char *end_ext_data, *end_ext_octet;
-
-    if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) {
-        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
-            return (0);
-
-        return (ret);
-    }
-
-    while (*p < end) {
-        /*
-         * Extension  ::=  SEQUENCE  {
-         *      extnID      OBJECT IDENTIFIER,
-         *      critical    BOOLEAN DEFAULT FALSE,
-         *      extnValue   OCTET STRING  }
-         */
-        mbedtls_x509_buf extn_oid = {0, 0, NULL};
-        int is_critical = 0; /* DEFAULT FALSE */
-        int ext_type = 0;
-
-        if ((ret = mbedtls_asn1_get_tag(p, end, &len,
-                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        end_ext_data = *p + len;
-
-        /* Get extension ID */
-        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
-                                        MBEDTLS_ASN1_OID)) != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        extn_oid.tag = MBEDTLS_ASN1_OID;
-        extn_oid.p = *p;
-        *p += extn_oid.len;
-
-        /* Get optional critical */
-        if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
-                (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        /* Data should be octet string type */
-        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
-                                        MBEDTLS_ASN1_OCTET_STRING)) != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
-
-        end_ext_octet = *p + len;
-
-        if (end_ext_octet != end_ext_data)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-        /*
-         * Detect supported extensions
-         */
-        ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
-
-        if (ret != 0) {
-            /* No parser found, skip extension */
-            *p = end_ext_octet;
-
-#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
-            if (is_critical) {
-                /* Data is marked as critical: fail */
-                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
-            }
-#endif
-            continue;
-        }
-
-        /* Forbid repeated extensions */
-        if ((crt->ext_types & ext_type) != 0)
-            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS);
-
-        crt->ext_types |= ext_type;
-
-        switch (ext_type) {
-            case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
-                /* Parse basic constraints */
-                if ((ret = x509_get_basic_constraints(p, end_ext_octet,
-                                                      &crt->ca_istrue, &crt->max_pathlen)) != 0)
-                    return (ret);
-                break;
-
-            case MBEDTLS_X509_EXT_KEY_USAGE:
-                /* Parse key usage */
-                if ((ret = x509_get_key_usage(p, end_ext_octet,
-                                              &crt->key_usage)) != 0)
-                    return (ret);
-                break;
-
-            case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
-                /* Parse extended key usage */
-                if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
-                                                  &crt->ext_key_usage)) != 0)
-                    return (ret);
-                break;
-
-            case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
-                /* Parse subject alt name */
-                if ((ret = x509_get_subject_alt_name(p, end_ext_octet,
-                                                     &crt->subject_alt_names)) != 0)
-                    return (ret);
-                break;
-
-            case MBEDTLS_X509_EXT_NS_CERT_TYPE:
-                /* Parse netscape certificate type */
-                if ((ret = x509_get_ns_cert_type(p, end_ext_octet,
-                                                 &crt->ns_cert_type)) != 0)
-                    return (ret);
-                break;
-
-            default:
-                return (MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE);
-        }
-    }
-
-    if (*p != end)
-        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-
-    return (0);
-}
-
-/*
- * Parse and fill a single X.509 certificate in DER format
- */
-static int x509_crt_parse_der_core(mbedtls_x509_crt *crt, const unsigned char *buf,
-                                   size_t buflen) {
-    int ret;
-    size_t len;
-    unsigned char *p, *end, *crt_end;
-    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
-
-    memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
-    memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
-    memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
-
-    /*
-     * Check for valid input
-     */
-    if (crt == NULL || buf == NULL)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    // Use the original buffer until we figure out actual length
-    p = (unsigned char *) buf;
-    len = buflen;
-    end = p + len;
-
-    /*
-     * Certificate  ::=  SEQUENCE  {
-     *      tbsCertificate       TBSCertificate,
-     *      signatureAlgorithm   AlgorithmIdentifier,
-     *      signatureValue       BIT STRING  }
-     */
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT);
-    }
-
-    if (len > (size_t)(end - p)) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-    }
-    crt_end = p + len;
-
-    // Create and populate a new buffer for the raw field
-    crt->raw.len = crt_end - buf;
-    crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
-    if (p == NULL)
-        return (MBEDTLS_ERR_X509_ALLOC_FAILED);
-
-    memcpy(p, buf, crt->raw.len);
-
-    // Direct pointers to the new buffer
-    p += crt->raw.len - len;
-    end = crt_end = p + len;
-
-    /*
-     * TBSCertificate  ::=  SEQUENCE  {
-     */
-    crt->tbs.p = p;
-
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
-    }
-
-    end = p + len;
-    crt->tbs.len = end - crt->tbs.p;
-
-    /*
-     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
-     *
-     * CertificateSerialNumber  ::=  INTEGER
-     *
-     * signature            AlgorithmIdentifier
-     */
-    if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
-            (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
-            (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
-                                        &sig_params1)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    if (crt->version < 0 || crt->version > 2) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_UNKNOWN_VERSION);
-    }
-
-    crt->version++;
-
-    if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
-                                        &crt->sig_md, &crt->sig_pk,
-                                        &crt->sig_opts)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    /*
-     * issuer               Name
-     */
-    crt->issuer_raw.p = p;
-
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
-    }
-
-    if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    crt->issuer_raw.len = p - crt->issuer_raw.p;
-
-    /*
-     * Validity ::= SEQUENCE {
-     *      notBefore      Time,
-     *      notAfter       Time }
-     *
-     */
-    if ((ret = x509_get_dates(&p, end, &crt->valid_from,
-                              &crt->valid_to)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    /*
-     * subject              Name
-     */
-    crt->subject_raw.p = p;
-
-    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
-                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
-    }
-
-    if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    crt->subject_raw.len = p - crt->subject_raw.p;
-
-    /*
-     * SubjectPublicKeyInfo
-     */
-    if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    /*
-     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
-     *                       -- If present, version shall be v2 or v3
-     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
-     *                       -- If present, version shall be v2 or v3
-     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
-     *                       -- If present, version shall be v3
-     */
-    if (crt->version == 2 || crt->version == 3) {
-        ret = x509_get_uid(&p, end, &crt->issuer_id,  1);
-        if (ret != 0) {
-            mbedtls_x509_crt_free(crt);
-            return (ret);
-        }
-    }
-
-    if (crt->version == 2 || crt->version == 3) {
-        ret = x509_get_uid(&p, end, &crt->subject_id,  2);
-        if (ret != 0) {
-            mbedtls_x509_crt_free(crt);
-            return (ret);
-        }
-    }
-
-#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
-    if (crt->version == 3)
-#endif
-    {
-        ret = x509_get_crt_ext(&p, end, crt);
-        if (ret != 0) {
-            mbedtls_x509_crt_free(crt);
-            return (ret);
-        }
-    }
-
-    if (p != end) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-    }
-
-    end = crt_end;
-
-    /*
-     *  }
-     *  -- end of TBSCertificate
-     *
-     *  signatureAlgorithm   AlgorithmIdentifier,
-     *  signatureValue       BIT STRING
-     */
-    if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    if (crt->sig_oid.len != sig_oid2.len ||
-            memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
-            sig_params1.len != sig_params2.len ||
-            (sig_params1.len != 0 &&
-             memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_SIG_MISMATCH);
-    }
-
-    if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
-        mbedtls_x509_crt_free(crt);
-        return (ret);
-    }
-
-    if (p != end) {
-        mbedtls_x509_crt_free(crt);
-        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
-                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
-    }
-
-    return (0);
-}
-
-/*
- * Parse one X.509 certificate in DER format from a buffer and add them to a
- * chained list
- */
-int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf,
-                               size_t buflen) {
-    int ret;
-    mbedtls_x509_crt *crt = chain, *prev = NULL;
-
-    /*
-     * Check for valid input
-     */
-    if (crt == NULL || buf == NULL)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    while (crt->version != 0 && crt->next != NULL) {
-        prev = crt;
-        crt = crt->next;
-    }
-
-    /*
-     * Add new certificate on the end of the chain if needed.
-     */
-    if (crt->version != 0 && crt->next == NULL) {
-        crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
-
-        if (crt->next == NULL)
-            return (MBEDTLS_ERR_X509_ALLOC_FAILED);
-
-        prev = crt;
-        mbedtls_x509_crt_init(crt->next);
-        crt = crt->next;
-    }
-
-    if ((ret = x509_crt_parse_der_core(crt, buf, buflen)) != 0) {
-        if (prev)
-            prev->next = NULL;
-
-        if (crt != chain)
-            mbedtls_free(crt);
-
-        return (ret);
-    }
-
-    return (0);
-}
-
-/*
- * Parse one or more PEM certificates from a buffer and add them to the chained
- * list
- */
-int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen) {
-#if defined(MBEDTLS_PEM_PARSE_C)
-    int success = 0, first_error = 0, total_failed = 0;
-    int buf_format = MBEDTLS_X509_FORMAT_DER;
-#endif
-
-    /*
-     * Check for valid input
-     */
-    if (chain == NULL || buf == NULL)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    /*
-     * Determine buffer content. Buffer contains either one DER certificate or
-     * one or more PEM certificates.
-     */
-#if defined(MBEDTLS_PEM_PARSE_C)
-    if (buflen != 0 && buf[buflen - 1] == '\0' &&
-            strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
-        buf_format = MBEDTLS_X509_FORMAT_PEM;
-    }
-
-    if (buf_format == MBEDTLS_X509_FORMAT_DER)
-        return mbedtls_x509_crt_parse_der(chain, buf, buflen);
-#else
-    return mbedtls_x509_crt_parse_der(chain, buf, buflen);
-#endif
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-    if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
-        int ret;
-        mbedtls_pem_context pem;
-
-        /* 1 rather than 0 since the terminating NULL byte is counted in */
-        while (buflen > 1) {
-            size_t use_len;
-            mbedtls_pem_init(&pem);
-
-            /* If we get there, we know the string is null-terminated */
-            ret = mbedtls_pem_read_buffer(&pem,
-                                          "-----BEGIN CERTIFICATE-----",
-                                          "-----END CERTIFICATE-----",
-                                          buf, NULL, 0, &use_len);
-
-            if (ret == 0) {
-                /*
-                 * Was PEM encoded
-                 */
-                buflen -= use_len;
-                buf += use_len;
-            } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
-                return (ret);
-            } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
-                mbedtls_pem_free(&pem);
-
-                /*
-                 * PEM header and footer were found
-                 */
-                buflen -= use_len;
-                buf += use_len;
-
-                if (first_error == 0)
-                    first_error = ret;
-
-                total_failed++;
-                continue;
-            } else
-                break;
-
-            ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
-
-            mbedtls_pem_free(&pem);
-
-            if (ret != 0) {
-                /*
-                 * Quit parsing on a memory error
-                 */
-                if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED)
-                    return (ret);
-
-                if (first_error == 0)
-                    first_error = ret;
-
-                total_failed++;
-                continue;
-            }
-
-            success = 1;
-        }
-    }
-
-    if (success)
-        return (total_failed);
-    else if (first_error)
-        return (first_error);
-    else
-        return (MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT);
-#endif /* MBEDTLS_PEM_PARSE_C */
-}
-
-#if defined(MBEDTLS_FS_IO)
-/*
- * Load one or more certificates and add them to the chained list
- */
-int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path) {
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0)
-        return (ret);
-
-    ret = mbedtls_x509_crt_parse(chain, buf, n);
-
-    mbedtls_platform_zeroize(buf, n);
-    mbedtls_free(buf);
-
-    return (ret);
-}
-
-int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path) {
-    int ret = 0;
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-    int w_ret;
-    WCHAR szDir[MAX_PATH];
-    char filename[MAX_PATH];
-    char *p;
-    size_t len = strlen(path);
-
-    WIN32_FIND_DATAW file_data;
-    HANDLE hFind;
-
-    if (len > MAX_PATH - 3)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    memset(szDir, 0, sizeof(szDir));
-    memset(filename, 0, MAX_PATH);
-    memcpy(filename, path, len);
-    filename[len++] = '\\';
-    p = filename + len;
-    filename[len++] = '*';
-
-    w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int)len, szDir,
-                                MAX_PATH - 3);
-    if (w_ret == 0)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    hFind = FindFirstFileW(szDir, &file_data);
-    if (hFind == INVALID_HANDLE_VALUE)
-        return (MBEDTLS_ERR_X509_FILE_IO_ERROR);
-
-    len = MAX_PATH - len;
-    do {
-        memset(p, 0, len);
-
-        if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
-            continue;
-
-        w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
-                                    lstrlenW(file_data.cFileName),
-                                    p, (int) len - 1,
-                                    NULL, NULL);
-        if (w_ret == 0) {
-            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
-            goto cleanup;
-        }
-
-        w_ret = mbedtls_x509_crt_parse_file(chain, filename);
-        if (w_ret < 0)
-            ret++;
-        else
-            ret += w_ret;
-    } while (FindNextFileW(hFind, &file_data) != 0);
-
-    if (GetLastError() != ERROR_NO_MORE_FILES)
-        ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
-
-cleanup:
-    FindClose(hFind);
-#else /* _WIN32 */
-    int t_ret;
-    int snp_ret;
-    struct stat sb;
-    struct dirent *entry;
-    char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
-    DIR *dir = opendir(path);
-
-    if (dir == NULL)
-        return (MBEDTLS_ERR_X509_FILE_IO_ERROR);
-
-#if defined(MBEDTLS_THREADING_C)
-    if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
-        closedir(dir);
-        return (ret);
-    }
-#endif /* MBEDTLS_THREADING_C */
-
-    while ((entry = readdir(dir)) != NULL) {
-        snp_ret = mbedtls_snprintf(entry_name, sizeof entry_name,
-                                   "%s/%s", path, entry->d_name);
-
-        if (snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name) {
-            ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
-            goto cleanup;
-        } else if (stat(entry_name, &sb) == -1) {
-            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
-            goto cleanup;
-        }
-
-        if (!S_ISREG(sb.st_mode))
-            continue;
-
-        // Ignore parse errors
-        //
-        t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
-        if (t_ret < 0)
-            ret++;
-        else
-            ret += t_ret;
-    }
-
-cleanup:
-    closedir(dir);
-
-#if defined(MBEDTLS_THREADING_C)
-    if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0)
-        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
-#endif /* MBEDTLS_THREADING_C */
-
-#endif /* _WIN32 */
-
-    return (ret);
-}
-#endif /* MBEDTLS_FS_IO */
-
-static int x509_info_subject_alt_name(char **buf, size_t *size,
-                                      const mbedtls_x509_sequence *subject_alt_name) {
-    size_t i;
-    size_t n = *size;
-    char *p = *buf;
-    const mbedtls_x509_sequence *cur = subject_alt_name;
-    const char *sep = "";
-    size_t sep_len = 0;
-
-    while (cur != NULL) {
-        if (cur->buf.len + sep_len >= n) {
-            *p = '\0';
-            return (MBEDTLS_ERR_X509_BUFFER_TOO_SMALL);
-        }
-
-        n -= cur->buf.len + sep_len;
-        for (i = 0; i < sep_len; i++)
-            *p++ = sep[i];
-        for (i = 0; i < cur->buf.len; i++)
-            *p++ = cur->buf.p[i];
-
-        sep = ", ";
-        sep_len = 2;
-
-        cur = cur->next;
-    }
-
-    *p = '\0';
-
-    *size = n;
-    *buf = p;
-
-    return (0);
-}
-
-#define PRINT_ITEM(i)                           \
-    {                                           \
-        ret = mbedtls_snprintf( p, n, "%s" i, sep );    \
-        MBEDTLS_X509_SAFE_SNPRINTF;                        \
-        sep = ", ";                             \
-    }
-
-#define CERT_TYPE(type,name)                    \
-    if( ns_cert_type & type )                   \
-        PRINT_ITEM( name );
-
-static int x509_info_cert_type(char **buf, size_t *size,
-                               unsigned char ns_cert_type) {
-    int ret;
-    size_t n = *size;
-    char *p = *buf;
-    const char *sep = "";
-
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT,         "SSL Client");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER,         "SSL Server");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL,              "Email");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING,     "Object Signing");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED,           "Reserved");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA,             "SSL CA");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA,           "Email CA");
-    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA,  "Object Signing CA");
-
-    *size = n;
-    *buf = p;
-
-    return (0);
-}
-
-#define KEY_USAGE(code,name)    \
-    if( key_usage & code )      \
-        PRINT_ITEM( name );
-
-static int x509_info_key_usage(char **buf, size_t *size,
-                               unsigned int key_usage) {
-    int ret;
-    size_t n = *size;
-    char *p = *buf;
-    const char *sep = "";
-
-    KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE,    "Digital Signature");
-    KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION,      "Non Repudiation");
-    KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT,     "Key Encipherment");
-    KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT,    "Data Encipherment");
-    KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT,        "Key Agreement");
-    KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN,        "Key Cert Sign");
-    KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN,             "CRL Sign");
-    KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY,        "Encipher Only");
-    KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY,        "Decipher Only");
-
-    *size = n;
-    *buf = p;
-
-    return (0);
-}
-
-static int x509_info_ext_key_usage(char **buf, size_t *size,
-                                   const mbedtls_x509_sequence *extended_key_usage) {
-    int ret;
-    const char *desc;
-    size_t n = *size;
-    char *p = *buf;
-    const mbedtls_x509_sequence *cur = extended_key_usage;
-    const char *sep = "";
-
-    while (cur != NULL) {
-        if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0)
-            desc = "???";
-
-        ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        sep = ", ";
-
-        cur = cur->next;
-    }
-
-    *size = n;
-    *buf = p;
-
-    return (0);
-}
-
-/*
- * Return an informational string about the certificate.
- */
-#define BEFORE_COLON    18
-#define BC              "18"
-int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
-                          const mbedtls_x509_crt *crt) {
-    int ret;
-    size_t n;
-    char *p;
-    char key_size_str[BEFORE_COLON];
-
-    p = buf;
-    n = size;
-
-    if (NULL == crt) {
-        ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        return ((int)(size - n));
-    }
-
-    ret = mbedtls_snprintf(p, n, "%scert. version     : %d\n",
-                           prefix, crt->version);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_snprintf(p, n, "%sserial number     : ",
-                           prefix);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf(p, n, "\n%sissuer name       : ", prefix);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf(p, n, "\n%ssubject name      : ", prefix);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf(p, n, "\n%sissued  on        : " \
-                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                           crt->valid_from.year, crt->valid_from.mon,
-                           crt->valid_from.day,  crt->valid_from.hour,
-                           crt->valid_from.min,  crt->valid_from.sec);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf(p, n, "\n%sexpires on        : " \
-                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                           crt->valid_to.year, crt->valid_to.mon,
-                           crt->valid_to.day,  crt->valid_to.hour,
-                           crt->valid_to.min,  crt->valid_to.sec);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf(p, n, "\n%ssigned using      : ", prefix);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
-                                    crt->sig_md, crt->sig_opts);
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    /* Key size */
-    if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
-                                            mbedtls_pk_get_name(&crt->pk))) != 0) {
-        return (ret);
-    }
-
-    ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
-                           (int) mbedtls_pk_get_bitlen(&crt->pk));
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    /*
-     * Optional extensions
-     */
-
-    if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
-        ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
-                               crt->ca_istrue ? "true" : "false");
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        if (crt->max_pathlen > 0) {
-            ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
-            MBEDTLS_X509_SAFE_SNPRINTF;
-        }
-    }
-
-    if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
-        ret = mbedtls_snprintf(p, n, "\n%ssubject alt name  : ", prefix);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        if ((ret = x509_info_subject_alt_name(&p, &n,
-                                              &crt->subject_alt_names)) != 0)
-            return (ret);
-    }
-
-    if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
-        ret = mbedtls_snprintf(p, n, "\n%scert. type        : ", prefix);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0)
-            return (ret);
-    }
-
-    if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
-        ret = mbedtls_snprintf(p, n, "\n%skey usage         : ", prefix);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0)
-            return (ret);
-    }
-
-    if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
-        ret = mbedtls_snprintf(p, n, "\n%sext key usage     : ", prefix);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        if ((ret = x509_info_ext_key_usage(&p, &n,
-                                           &crt->ext_key_usage)) != 0)
-            return (ret);
-    }
-
-    ret = mbedtls_snprintf(p, n, "\n");
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    return ((int)(size - n));
-}
-
-struct x509_crt_verify_string {
-    int code;
-    const char *string;
-};
-
-static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
-    { MBEDTLS_X509_BADCERT_EXPIRED,       "The certificate validity has expired" },
-    { MBEDTLS_X509_BADCERT_REVOKED,       "The certificate has been revoked (is on a CRL)" },
-    { MBEDTLS_X509_BADCERT_CN_MISMATCH,   "The certificate Common Name (CN) does not match with the expected CN" },
-    { MBEDTLS_X509_BADCERT_NOT_TRUSTED,   "The certificate is not correctly signed by the trusted CA" },
-    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,    "The CRL is not correctly signed by the trusted CA" },
-    { MBEDTLS_X509_BADCRL_EXPIRED,        "The CRL is expired" },
-    { MBEDTLS_X509_BADCERT_MISSING,       "Certificate was missing" },
-    { MBEDTLS_X509_BADCERT_SKIP_VERIFY,   "Certificate verification was skipped" },
-    { MBEDTLS_X509_BADCERT_OTHER,         "Other reason (can be used by verify callback)" },
-    { MBEDTLS_X509_BADCERT_FUTURE,        "The certificate validity starts in the future" },
-    { MBEDTLS_X509_BADCRL_FUTURE,         "The CRL is from the future" },
-    { MBEDTLS_X509_BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
-    { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
-    { MBEDTLS_X509_BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
-    { MBEDTLS_X509_BADCERT_BAD_MD,        "The certificate is signed with an unacceptable hash." },
-    { MBEDTLS_X509_BADCERT_BAD_PK,        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
-    { MBEDTLS_X509_BADCERT_BAD_KEY,       "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
-    { MBEDTLS_X509_BADCRL_BAD_MD,         "The CRL is signed with an unacceptable hash." },
-    { MBEDTLS_X509_BADCRL_BAD_PK,         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
-    { MBEDTLS_X509_BADCRL_BAD_KEY,        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
-    { 0, NULL }
-};
-
-int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
-                                 uint32_t flags) {
-    int ret;
-    const struct x509_crt_verify_string *cur;
-    char *p = buf;
-    size_t n = size;
-
-    for (cur = x509_crt_verify_strings; cur->string != NULL ; cur++) {
-        if ((flags & cur->code) == 0)
-            continue;
-
-        ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-        flags ^= cur->code;
-    }
-
-    if (flags != 0) {
-        ret = mbedtls_snprintf(p, n, "%sUnknown reason "
-                               "(this should not happen)\n", prefix);
-        MBEDTLS_X509_SAFE_SNPRINTF;
-    }
-
-    return ((int)(size - n));
-}
-
-#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
-int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
-                                     unsigned int usage) {
-    unsigned int usage_must, usage_may;
-    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
-                            | MBEDTLS_X509_KU_DECIPHER_ONLY;
-
-    if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0)
-        return (0);
-
-    usage_must = usage & ~may_mask;
-
-    if (((crt->key_usage & ~may_mask) & usage_must) != usage_must)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    usage_may = usage & may_mask;
-
-    if (((crt->key_usage & may_mask) | usage_may) != usage_may)
-        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-
-    return (0);
-}
-#endif
-
-#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
-int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
-                                              const char *usage_oid,
-                                              size_t usage_len) {
-    const mbedtls_x509_sequence *cur;
-
-    /* Extension is not mandatory, absent means no restriction */
-    if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0)
-        return (0);
-
-    /*
-     * Look for the requested usage (or wildcard ANY) in our list
-     */
-    for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
-        const mbedtls_x509_buf *cur_oid = &cur->buf;
-
-        if (cur_oid->len == usage_len &&
-                memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
-            return (0);
-        }
-
-        if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0)
-            return (0);
-    }
-
-    return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
-}
-#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
-
-#if defined(MBEDTLS_X509_CRL_PARSE_C)
-/*
- * Return 1 if the certificate is revoked, or 0 otherwise.
- */
-int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) {
-    const mbedtls_x509_crl_entry *cur = &crl->entry;
-
-    while (cur != NULL && cur->serial.len != 0) {
-        if (crt->serial.len == cur->serial.len &&
-                memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
-            if (mbedtls_x509_time_is_past(&cur->revocation_date))
-                return (1);
-        }
-
-        cur = cur->next;
-    }
-
-    return (0);
-}
-
-/*
- * Check that the given certificate is not revoked according to the CRL.
- * Skip validation if no CRL for the given CA is present.
- */
-static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
-                              mbedtls_x509_crl *crl_list,
-                              const mbedtls_x509_crt_profile *profile) {
-    int flags = 0;
-    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
-    const mbedtls_md_info_t *md_info;
-
-    if (ca == NULL)
-        return (flags);
-
-    while (crl_list != NULL) {
-        if (crl_list->version == 0 ||
-                crl_list->issuer_raw.len != ca->subject_raw.len ||
-                memcmp(crl_list->issuer_raw.p, ca->subject_raw.p,
-                       crl_list->issuer_raw.len) != 0) {
-            crl_list = crl_list->next;
-            continue;
-        }
-
-        /*
-         * Check if the CA is configured to sign CRLs
-         */
-#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
-        if (mbedtls_x509_crt_check_key_usage(ca, MBEDTLS_X509_KU_CRL_SIGN) != 0) {
-            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
-            break;
-        }
-#endif
-
-        /*
-         * Check if CRL is correctly signed by the trusted CA
-         */
-        if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0)
-            flags |= MBEDTLS_X509_BADCRL_BAD_MD;
-
-        if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0)
-            flags |= MBEDTLS_X509_BADCRL_BAD_PK;
-
-        md_info = mbedtls_md_info_from_type(crl_list->sig_md);
-        if (mbedtls_md(md_info, crl_list->tbs.p, crl_list->tbs.len, hash) != 0) {
-            /* Note: this can't happen except after an internal error */
-            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
-            break;
-        }
-
-        if (x509_profile_check_key(profile, &ca->pk) != 0)
-            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
-
-        if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
-                                  crl_list->sig_md, hash, mbedtls_md_get_size(md_info),
-                                  crl_list->sig.p, crl_list->sig.len) != 0) {
-            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
-            break;
-        }
-
-        /*
-         * Check for validity of CRL (Do not drop out)
-         */
-        if (mbedtls_x509_time_is_past(&crl_list->next_update))
-            flags |= MBEDTLS_X509_BADCRL_EXPIRED;
-
-        if (mbedtls_x509_time_is_future(&crl_list->this_update))
-            flags |= MBEDTLS_X509_BADCRL_FUTURE;
-
-        /*
-         * Check if certificate is revoked
-         */
-        if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
-            flags |= MBEDTLS_X509_BADCERT_REVOKED;
-            break;
-        }
-
-        crl_list = crl_list->next;
-    }
-
-    return (flags);
-}
-#endif /* MBEDTLS_X509_CRL_PARSE_C */
-
 /*
  * Like memcmp, but case-insensitive and always returns -1 if different
  */
@@ -1747,28 +337,1983 @@ static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b)
 }
 
 /*
- * Check the signature of a certificate by its parent
+ * Reset (init or clear) a verify_chain
  */
-static int x509_crt_check_signature(const mbedtls_x509_crt *child,
-                                    mbedtls_x509_crt *parent) {
-    const mbedtls_md_info_t *md_info;
-    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain) {
+    size_t i;
 
-    md_info = mbedtls_md_info_from_type(child->sig_md);
-    if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
-        /* Note: this can't happen except after an internal error */
-        return (-1);
+    for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) {
+        ver_chain->items[i].crt = NULL;
+        ver_chain->items[i].flags = (uint32_t) -1;
     }
 
-    if (mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
-                              child->sig_md, hash, mbedtls_md_get_size(md_info),
-                              child->sig.p, child->sig.len) != 0) {
-        return (-1);
+    ver_chain->len = 0;
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    ver_chain->trust_ca_cb_result = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ */
+static int x509_get_version(unsigned char **p,
+                            const unsigned char *end,
+                            int *ver) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0)) != 0) {
+        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+            *ver = 0;
+            return (0);
+        }
+
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    end = *p + len;
+
+    if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_VERSION + ret);
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_VERSION +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    return (0);
+}
+
+/*
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ */
+static int x509_get_dates(unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_x509_time *from,
+                          mbedtls_x509_time *to) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_DATE + ret);
+
+    end = *p + len;
+
+    if ((ret = mbedtls_x509_get_time(p, end, from)) != 0)
+        return (ret);
+
+    if ((ret = mbedtls_x509_get_time(p, end, to)) != 0)
+        return (ret);
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    return (0);
+}
+
+/*
+ * X.509 v2/v3 unique identifier (not parsed)
+ */
+static int x509_get_uid(unsigned char **p,
+                        const unsigned char *end,
+                        mbedtls_x509_buf *uid, int n) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if (*p == end)
+        return (0);
+
+    uid->tag = **p;
+
+    if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
+                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n)) != 0) {
+        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+            return (0);
+
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    uid->p = *p;
+    *p += uid->len;
+
+    return (0);
+}
+
+static int x509_get_basic_constraints(unsigned char **p,
+                                      const unsigned char *end,
+                                      int *ca_istrue,
+                                      int *max_pathlen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+
+    /*
+     * BasicConstraints ::= SEQUENCE {
+     *      cA                      BOOLEAN DEFAULT FALSE,
+     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+     */
+    *ca_istrue = 0; /* DEFAULT FALSE */
+    *max_pathlen = 0; /* endless */
+
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (*p == end)
+        return (0);
+
+    if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
+        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+            ret = mbedtls_asn1_get_int(p, end, ca_istrue);
+
+        if (ret != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        if (*ca_istrue != 0)
+            *ca_istrue = 1;
+    }
+
+    if (*p == end)
+        return (0);
+
+    if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
+     * overflow, which is an undefined behavior. */
+    if (*max_pathlen == INT_MAX)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+
+    (*max_pathlen)++;
+
+    return (0);
+}
+
+static int x509_get_ns_cert_type(unsigned char **p,
+                                 const unsigned char *end,
+                                 unsigned char *ns_cert_type) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (bs.len != 1)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+
+    /* Get actual bitstring */
+    *ns_cert_type = *bs.p;
+    return (0);
+}
+
+static int x509_get_key_usage(unsigned char **p,
+                              const unsigned char *end,
+                              unsigned int *key_usage) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t i;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (bs.len < 1)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+
+    /* Get actual bitstring */
+    *key_usage = 0;
+    for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
+        *key_usage |= (unsigned int) bs.p[i] << (8 * i);
     }
 
     return (0);
 }
 
+/*
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ */
+static int x509_get_ext_key_usage(unsigned char **p,
+                                  const unsigned char *end,
+                                  mbedtls_x509_sequence *ext_key_usage) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    /* Sequence length must be >= 1 */
+    if (ext_key_usage->buf.p == NULL)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+
+    return (0);
+}
+
+/*
+ * SubjectAltName ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ *      nameAssigner            [0]     DirectoryString OPTIONAL,
+ *      partyName               [1]     DirectoryString }
+ *
+ * NOTE: we list all types, but only use dNSName and otherName
+ * of type HwModuleName, as defined in RFC 4108, at this point.
+ */
+static int x509_get_subject_alt_name(unsigned char **p,
+                                     const unsigned char *end,
+                                     mbedtls_x509_sequence *subject_alt_name) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len, tag_len;
+    mbedtls_asn1_buf *buf;
+    unsigned char tag;
+    mbedtls_asn1_sequence *cur = subject_alt_name;
+
+    /* Get main sequence tag */
+    if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (*p + len != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    while (*p < end) {
+        mbedtls_x509_subject_alternative_name dummy_san_buf;
+        memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
+
+        tag = **p;
+        (*p)++;
+        if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+                MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+        }
+
+        /*
+         * Check that the SAN is structured correctly.
+         */
+        ret = mbedtls_x509_parse_subject_alt_name(&(cur->buf), &dummy_san_buf);
+        /*
+         * In case the extension is malformed, return an error,
+         * and clear the allocated sequences.
+         */
+        if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+            mbedtls_x509_sequence *seq_cur = subject_alt_name->next;
+            mbedtls_x509_sequence *seq_prv;
+            while (seq_cur != NULL) {
+                seq_prv = seq_cur;
+                seq_cur = seq_cur->next;
+                mbedtls_platform_zeroize(seq_prv,
+                                         sizeof(mbedtls_x509_sequence));
+                mbedtls_free(seq_prv);
+            }
+            subject_alt_name->next = NULL;
+            return (ret);
+        }
+
+        /* Allocate and assign next pointer */
+        if (cur->buf.p != NULL) {
+            if (cur->next != NULL)
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS);
+
+            cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+            if (cur->next == NULL)
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+
+            cur = cur->next;
+        }
+
+        buf = &(cur->buf);
+        buf->tag = tag;
+        buf->p = *p;
+        buf->len = tag_len;
+        *p += buf->len;
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    return (0);
+}
+
+/*
+ * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
+ *
+ * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
+ *
+ * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * PolicyInformation ::= SEQUENCE {
+ *     policyIdentifier   CertPolicyId,
+ *     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *                             PolicyQualifierInfo OPTIONAL }
+ *
+ * CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ * PolicyQualifierInfo ::= SEQUENCE {
+ *      policyQualifierId  PolicyQualifierId,
+ *      qualifier          ANY DEFINED BY policyQualifierId }
+ *
+ * -- policyQualifierIds for Internet policy qualifiers
+ *
+ * id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
+ * id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
+ * id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
+ *
+ * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ * Qualifier ::= CHOICE {
+ *      cPSuri           CPSuri,
+ *      userNotice       UserNotice }
+ *
+ * CPSuri ::= IA5String
+ *
+ * UserNotice ::= SEQUENCE {
+ *      noticeRef        NoticeReference OPTIONAL,
+ *      explicitText     DisplayText OPTIONAL }
+ *
+ * NoticeReference ::= SEQUENCE {
+ *      organization     DisplayText,
+ *      noticeNumbers    SEQUENCE OF INTEGER }
+ *
+ * DisplayText ::= CHOICE {
+ *      ia5String        IA5String      (SIZE (1..200)),
+ *      visibleString    VisibleString  (SIZE (1..200)),
+ *      bmpString        BMPString      (SIZE (1..200)),
+ *      utf8String       UTF8String     (SIZE (1..200)) }
+ *
+ * NOTE: we only parse and use anyPolicy without qualifiers at this point
+ * as defined in RFC 5280.
+ */
+static int x509_get_certificate_policies(unsigned char **p,
+                                         const unsigned char *end,
+                                         mbedtls_x509_sequence *certificate_policies) {
+    int ret, parse_ret = 0;
+    size_t len;
+    mbedtls_asn1_buf *buf;
+    mbedtls_asn1_sequence *cur = certificate_policies;
+
+    /* Get main sequence tag */
+    ret = mbedtls_asn1_get_tag(p, end, &len,
+                               MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+    if (ret != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if (*p + len != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    /*
+     * Cannot be an empty sequence.
+     */
+    if (len == 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    while (*p < end) {
+        mbedtls_x509_buf policy_oid;
+        const unsigned char *policy_end;
+
+        /*
+         * Get the policy sequence
+         */
+        if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        policy_end = *p + len;
+
+        if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
+                                        MBEDTLS_ASN1_OID)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        policy_oid.tag = MBEDTLS_ASN1_OID;
+        policy_oid.len = len;
+        policy_oid.p = *p;
+
+        /*
+         * Only AnyPolicy is currently supported when enforcing policy.
+         */
+        if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) {
+            /*
+             * Set the parsing return code but continue parsing, in case this
+             * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+             * is configured.
+             */
+            parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+        }
+
+        /* Allocate and assign next pointer */
+        if (cur->buf.p != NULL) {
+            if (cur->next != NULL)
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS);
+
+            cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+            if (cur->next == NULL)
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+
+            cur = cur->next;
+        }
+
+        buf = &(cur->buf);
+        buf->tag = policy_oid.tag;
+        buf->p = policy_oid.p;
+        buf->len = policy_oid.len;
+
+        *p += len;
+
+        /*
+         * If there is an optional qualifier, then *p < policy_end
+         * Check the Qualifier len to verify it doesn't exceed policy_end.
+         */
+        if (*p < policy_end) {
+            if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
+                                            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+            /*
+             * Skip the optional policy qualifiers.
+             */
+            *p += len;
+        }
+
+        if (*p != policy_end)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    return (parse_ret);
+}
+
+/*
+ * X.509 v3 extensions
+ *
+ */
+static int x509_get_crt_ext(unsigned char **p,
+                            const unsigned char *end,
+                            mbedtls_x509_crt *crt,
+                            mbedtls_x509_crt_ext_cb_t cb,
+                            void *p_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+    unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
+
+    if (*p == end)
+        return (0);
+
+    if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0)
+        return (ret);
+
+    end = crt->v3_ext.p + crt->v3_ext.len;
+    while (*p < end) {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        mbedtls_x509_buf extn_oid = {0, 0, NULL};
+        int is_critical = 0; /* DEFAULT FALSE */
+        int ext_type = 0;
+
+        if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        end_ext_data = *p + len;
+
+        /* Get extension ID */
+        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
+                                        MBEDTLS_ASN1_OID)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        extn_oid.tag = MBEDTLS_ASN1_OID;
+        extn_oid.p = *p;
+        *p += extn_oid.len;
+
+        /* Get optional critical */
+        if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+                (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        /* Data should be octet string type */
+        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+                                        MBEDTLS_ASN1_OCTET_STRING)) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+        start_ext_octet = *p;
+        end_ext_octet = *p + len;
+
+        if (end_ext_octet != end_ext_data)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+        /*
+         * Detect supported extensions
+         */
+        ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
+
+        if (ret != 0) {
+            /* Give the callback (if any) a chance to handle the extension */
+            if (cb != NULL) {
+                ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet);
+                if (ret != 0 && is_critical)
+                    return (ret);
+                *p = end_ext_octet;
+                continue;
+            }
+
+            /* No parser found, skip extension */
+            *p = end_ext_octet;
+
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+            if (is_critical) {
+                /* Data is marked as critical: fail */
+                return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+            }
+#endif
+            continue;
+        }
+
+        /* Forbid repeated extensions */
+        if ((crt->ext_types & ext_type) != 0)
+            return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS);
+
+        crt->ext_types |= ext_type;
+
+        switch (ext_type) {
+            case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
+                /* Parse basic constraints */
+                if ((ret = x509_get_basic_constraints(p, end_ext_octet,
+                                                      &crt->ca_istrue, &crt->max_pathlen)) != 0)
+                    return (ret);
+                break;
+
+            case MBEDTLS_X509_EXT_KEY_USAGE:
+                /* Parse key usage */
+                if ((ret = x509_get_key_usage(p, end_ext_octet,
+                                              &crt->key_usage)) != 0)
+                    return (ret);
+                break;
+
+            case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
+                /* Parse extended key usage */
+                if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
+                                                  &crt->ext_key_usage)) != 0)
+                    return (ret);
+                break;
+
+            case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+                /* Parse subject alt name */
+                if ((ret = x509_get_subject_alt_name(p, end_ext_octet,
+                                                     &crt->subject_alt_names)) != 0)
+                    return (ret);
+                break;
+
+            case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+                /* Parse netscape certificate type */
+                if ((ret = x509_get_ns_cert_type(p, end_ext_octet,
+                                                 &crt->ns_cert_type)) != 0)
+                    return (ret);
+                break;
+
+            case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
+                /* Parse certificate policies type */
+                if ((ret = x509_get_certificate_policies(p, end_ext_octet,
+                                                         &crt->certificate_policies)) != 0) {
+                    /* Give the callback (if any) a chance to handle the extension
+                     * if it contains unsupported policies */
+                    if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
+                            cb(p_ctx, crt, &extn_oid, is_critical,
+                               start_ext_octet, end_ext_octet) == 0)
+                        break;
+
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+                    if (is_critical)
+                        return (ret);
+                    else
+#endif
+                        /*
+                         * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
+                         * cannot interpret or enforce the policy. However, it is up to
+                         * the user to choose how to enforce the policies,
+                         * unless the extension is critical.
+                         */
+                        if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE)
+                            return (ret);
+                }
+                break;
+
+            default:
+                /*
+                 * If this is a non-critical extension, which the oid layer
+                 * supports, but there isn't an x509 parser for it,
+                 * skip the extension.
+                 */
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+                if (is_critical)
+                    return (MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE);
+                else
+#endif
+                    *p = end_ext_octet;
+        }
+    }
+
+    if (*p != end)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+
+    return (0);
+}
+
+/*
+ * Parse and fill a single X.509 certificate in DER format
+ */
+static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
+                                   const unsigned char *buf,
+                                   size_t buflen,
+                                   int make_copy,
+                                   mbedtls_x509_crt_ext_cb_t cb,
+                                   void *p_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+    unsigned char *p, *end, *crt_end;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+
+    memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
+    memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
+    memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
+
+    /*
+     * Check for valid input
+     */
+    if (crt == NULL || buf == NULL)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    /* Use the original buffer until we figure out actual length. */
+    p = (unsigned char *) buf;
+    len = buflen;
+    end = p + len;
+
+    /*
+     * Certificate  ::=  SEQUENCE  {
+     *      tbsCertificate       TBSCertificate,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT);
+    }
+
+    end = crt_end = p + len;
+    crt->raw.len = crt_end - buf;
+    if (make_copy != 0) {
+        /* Create and populate a new buffer for the raw field. */
+        crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
+        if (crt->raw.p == NULL)
+            return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+
+        memcpy(crt->raw.p, buf, crt->raw.len);
+        crt->own_buffer = 1;
+
+        p += crt->raw.len - len;
+        end = crt_end = p + len;
+    } else {
+        crt->raw.p = (unsigned char *) buf;
+        crt->own_buffer = 0;
+    }
+
+    /*
+     * TBSCertificate  ::=  SEQUENCE  {
+     */
+    crt->tbs.p = p;
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    end = p + len;
+    crt->tbs.len = end - crt->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     *
+     * CertificateSerialNumber  ::=  INTEGER
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
+            (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
+            (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
+                                        &sig_params1)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    if (crt->version < 0 || crt->version > 2) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_UNKNOWN_VERSION);
+    }
+
+    crt->version++;
+
+    if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
+                                        &crt->sig_md, &crt->sig_pk,
+                                        &crt->sig_opts)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    /*
+     * issuer               Name
+     */
+    crt->issuer_raw.p = p;
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    crt->issuer_raw.len = p - crt->issuer_raw.p;
+
+    /*
+     * Validity ::= SEQUENCE {
+     *      notBefore      Time,
+     *      notAfter       Time }
+     *
+     */
+    if ((ret = x509_get_dates(&p, end, &crt->valid_from,
+                              &crt->valid_to)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    /*
+     * subject              Name
+     */
+    crt->subject_raw.p = p;
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    crt->subject_raw.len = p - crt->subject_raw.p;
+
+    /*
+     * SubjectPublicKeyInfo
+     */
+    crt->pk_raw.p = p;
+    if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+    crt->pk_raw.len = p - crt->pk_raw.p;
+
+    /*
+     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
+     *                       -- If present, version shall be v3
+     */
+    if (crt->version == 2 || crt->version == 3) {
+        ret = x509_get_uid(&p, end, &crt->issuer_id,  1);
+        if (ret != 0) {
+            mbedtls_x509_crt_free(crt);
+            return (ret);
+        }
+    }
+
+    if (crt->version == 2 || crt->version == 3) {
+        ret = x509_get_uid(&p, end, &crt->subject_id,  2);
+        if (ret != 0) {
+            mbedtls_x509_crt_free(crt);
+            return (ret);
+        }
+    }
+
+#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    if (crt->version == 3)
+#endif
+    {
+        ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx);
+        if (ret != 0) {
+            mbedtls_x509_crt_free(crt);
+            return (ret);
+        }
+    }
+
+    if (p != end) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
+    end = crt_end;
+
+    /*
+     *  }
+     *  -- end of TBSCertificate
+     *
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    if (crt->sig_oid.len != sig_oid2.len ||
+            memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
+            sig_params1.tag != sig_params2.tag ||
+            sig_params1.len != sig_params2.len ||
+            (sig_params1.len != 0 &&
+             memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_SIG_MISMATCH);
+    }
+
+    if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
+        mbedtls_x509_crt_free(crt);
+        return (ret);
+    }
+
+    if (p != end) {
+        mbedtls_x509_crt_free(crt);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
+    return (0);
+}
+
+/*
+ * Parse one X.509 certificate in DER format from a buffer and add them to a
+ * chained list
+ */
+static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain,
+                                               const unsigned char *buf,
+                                               size_t buflen,
+                                               int make_copy,
+                                               mbedtls_x509_crt_ext_cb_t cb,
+                                               void *p_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_x509_crt *crt = chain, *prev = NULL;
+
+    /*
+     * Check for valid input
+     */
+    if (crt == NULL || buf == NULL)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    while (crt->version != 0 && crt->next != NULL) {
+        prev = crt;
+        crt = crt->next;
+    }
+
+    /*
+     * Add new certificate on the end of the chain if needed.
+     */
+    if (crt->version != 0 && crt->next == NULL) {
+        crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+
+        if (crt->next == NULL)
+            return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+
+        prev = crt;
+        mbedtls_x509_crt_init(crt->next);
+        crt = crt->next;
+    }
+
+    ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx);
+    if (ret != 0) {
+        if (prev)
+            prev->next = NULL;
+
+        if (crt != chain)
+            mbedtls_free(crt);
+
+        return (ret);
+    }
+
+    return (0);
+}
+
+int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
+                                      const unsigned char *buf,
+                                      size_t buflen) {
+    return (mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL));
+}
+
+int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
+                                           const unsigned char *buf,
+                                           size_t buflen,
+                                           int make_copy,
+                                           mbedtls_x509_crt_ext_cb_t cb,
+                                           void *p_ctx) {
+    return (mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx));
+}
+
+int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
+                               const unsigned char *buf,
+                               size_t buflen) {
+    return (mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL));
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained
+ * list
+ */
+int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain,
+                           const unsigned char *buf,
+                           size_t buflen) {
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int success = 0, first_error = 0, total_failed = 0;
+    int buf_format = MBEDTLS_X509_FORMAT_DER;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if (chain == NULL || buf == NULL)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    /*
+     * Determine buffer content. Buffer contains either one DER certificate or
+     * one or more PEM certificates.
+     */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if (buflen != 0 && buf[buflen - 1] == '\0' &&
+            strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
+        buf_format = MBEDTLS_X509_FORMAT_PEM;
+    }
+
+    if (buf_format == MBEDTLS_X509_FORMAT_DER)
+        return mbedtls_x509_crt_parse_der(chain, buf, buflen);
+#else
+    return mbedtls_x509_crt_parse_der(chain, buf, buflen);
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
+        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+        mbedtls_pem_context pem;
+
+        /* 1 rather than 0 since the terminating NULL byte is counted in */
+        while (buflen > 1) {
+            size_t use_len;
+            mbedtls_pem_init(&pem);
+
+            /* If we get there, we know the string is null-terminated */
+            ret = mbedtls_pem_read_buffer(&pem,
+                                          "-----BEGIN CERTIFICATE-----",
+                                          "-----END CERTIFICATE-----",
+                                          buf, NULL, 0, &use_len);
+
+            if (ret == 0) {
+                /*
+                 * Was PEM encoded
+                 */
+                buflen -= use_len;
+                buf += use_len;
+            } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
+                return (ret);
+            } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+                mbedtls_pem_free(&pem);
+
+                /*
+                 * PEM header and footer were found
+                 */
+                buflen -= use_len;
+                buf += use_len;
+
+                if (first_error == 0)
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            } else
+                break;
+
+            ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
+
+            mbedtls_pem_free(&pem);
+
+            if (ret != 0) {
+                /*
+                 * Quit parsing on a memory error
+                 */
+                if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED)
+                    return (ret);
+
+                if (first_error == 0)
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+
+            success = 1;
+        }
+    }
+
+    if (success)
+        return (total_failed);
+    else if (first_error)
+        return (first_error);
+    else
+        return (MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT);
+#endif /* MBEDTLS_PEM_PARSE_C */
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more certificates and add them to the chained list
+ */
+int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+    unsigned char *buf;
+
+    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0)
+        return (ret);
+
+    ret = mbedtls_x509_crt_parse(chain, buf, n);
+
+    mbedtls_platform_zeroize(buf, n);
+    mbedtls_free(buf);
+
+    return (ret);
+}
+
+int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path) {
+    int ret = 0;
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    int w_ret;
+    WCHAR szDir[MAX_PATH];
+    char filename[MAX_PATH];
+    char *p;
+    size_t len = strlen(path);
+
+    WIN32_FIND_DATAW file_data;
+    HANDLE hFind;
+
+    if (len > MAX_PATH - 3)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    memset(szDir, 0, sizeof(szDir));
+    memset(filename, 0, MAX_PATH);
+    memcpy(filename, path, len);
+    filename[len++] = '\\';
+    p = filename + len;
+    filename[len++] = '*';
+
+    w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int)len, szDir,
+                                MAX_PATH - 3);
+    if (w_ret == 0)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    hFind = FindFirstFileW(szDir, &file_data);
+    if (hFind == INVALID_HANDLE_VALUE)
+        return (MBEDTLS_ERR_X509_FILE_IO_ERROR);
+
+    len = MAX_PATH - len;
+    do {
+        memset(p, 0, len);
+
+        if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
+            continue;
+
+        w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
+                                    lstrlenW(file_data.cFileName),
+                                    p, (int) len - 1,
+                                    NULL, NULL);
+        if (w_ret == 0) {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        w_ret = mbedtls_x509_crt_parse_file(chain, filename);
+        if (w_ret < 0)
+            ret++;
+        else
+            ret += w_ret;
+    } while (FindNextFileW(hFind, &file_data) != 0);
+
+    if (GetLastError() != ERROR_NO_MORE_FILES)
+        ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+
+cleanup:
+    FindClose(hFind);
+#else /* _WIN32 */
+    int t_ret;
+    int snp_ret;
+    struct stat sb;
+    struct dirent *entry;
+    char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
+    DIR *dir = opendir(path);
+
+    if (dir == NULL)
+        return (MBEDTLS_ERR_X509_FILE_IO_ERROR);
+
+#if defined(MBEDTLS_THREADING_C)
+    if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
+        closedir(dir);
+        return (ret);
+    }
+#endif /* MBEDTLS_THREADING_C */
+
+    memset(&sb, 0, sizeof(sb));
+
+    while ((entry = readdir(dir)) != NULL) {
+        snp_ret = mbedtls_snprintf(entry_name, sizeof entry_name,
+                                   "%s/%s", path, entry->d_name);
+
+        if (snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name) {
+            ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+            goto cleanup;
+        } else if (stat(entry_name, &sb) == -1) {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        if (!S_ISREG(sb.st_mode))
+            continue;
+
+        // Ignore parse errors
+        //
+        t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
+        if (t_ret < 0)
+            ret++;
+        else
+            ret += t_ret;
+    }
+
+cleanup:
+    closedir(dir);
+
+#if defined(MBEDTLS_THREADING_C)
+    if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0)
+        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* _WIN32 */
+
+    return (ret);
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * HardwareModuleName ::= SEQUENCE {
+ *                           hwType OBJECT IDENTIFIER,
+ *                           hwSerialNum OCTET STRING }
+ *
+ * NOTE: we currently only parse and use otherName of type HwModuleName,
+ * as defined in RFC 4108.
+ */
+static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
+                               mbedtls_x509_san_other_name *other_name) {
+    int ret = 0;
+    size_t len;
+    unsigned char *p = subject_alt_name->p;
+    const unsigned char *end = p + subject_alt_name->len;
+    mbedtls_x509_buf cur_oid;
+
+    if ((subject_alt_name->tag &
+            (MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
+            (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
+        /*
+         * The given subject alternative name is not of type "othername".
+         */
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+    }
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_OID)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    cur_oid.tag = MBEDTLS_ASN1_OID;
+    cur_oid.p = p;
+    cur_oid.len = len;
+
+    /*
+     * Only HwModuleName is currently supported.
+     */
+    if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
+        return (MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE);
+    }
+
+    if (p + len >= end) {
+        mbedtls_platform_zeroize(other_name, sizeof(*other_name));
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+    p += len;
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+    other_name->value.hardware_module_name.oid.p = p;
+    other_name->value.hardware_module_name.oid.len = len;
+
+    if (p + len >= end) {
+        mbedtls_platform_zeroize(other_name, sizeof(*other_name));
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+    p += len;
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_OCTET_STRING)) != 0)
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret);
+
+    other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+    other_name->value.hardware_module_name.val.p = p;
+    other_name->value.hardware_module_name.val.len = len;
+    p += len;
+    if (p != end) {
+        mbedtls_platform_zeroize(other_name,
+                                 sizeof(*other_name));
+        return (MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+    return (0);
+}
+
+static int x509_info_subject_alt_name(char **buf, size_t *size,
+                                      const mbedtls_x509_sequence
+                                      *subject_alt_name,
+                                      const char *prefix) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = subject_alt_name;
+    mbedtls_x509_subject_alternative_name san;
+    int parse_ret;
+
+    while (cur != NULL) {
+        memset(&san, 0, sizeof(san));
+        parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
+        if (parse_ret != 0) {
+            if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+                ret = mbedtls_snprintf(p, n, "\n%s    <unsupported>", prefix);
+                MBEDTLS_X509_SAFE_SNPRINTF;
+            } else {
+                ret = mbedtls_snprintf(p, n, "\n%s    <malformed>", prefix);
+                MBEDTLS_X509_SAFE_SNPRINTF;
+            }
+            cur = cur->next;
+            continue;
+        }
+
+        switch (san.type) {
+            /*
+             * otherName
+             */
+            case MBEDTLS_X509_SAN_OTHER_NAME: {
+                mbedtls_x509_san_other_name *other_name = &san.san.other_name;
+
+                ret = mbedtls_snprintf(p, n, "\n%s    otherName :", prefix);
+                MBEDTLS_X509_SAFE_SNPRINTF;
+
+                if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
+                                    &other_name->value.hardware_module_name.oid) != 0) {
+                    ret = mbedtls_snprintf(p, n, "\n%s        hardware module name :", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+                    ret = mbedtls_snprintf(p, n, "\n%s            hardware type          : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_oid_get_numeric_string(p, n, &other_name->value.hardware_module_name.oid);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    ret = mbedtls_snprintf(p, n, "\n%s            hardware serial number : ", prefix);
+                    MBEDTLS_X509_SAFE_SNPRINTF;
+
+                    if (other_name->value.hardware_module_name.val.len >= n) {
+                        *p = '\0';
+                        return (MBEDTLS_ERR_X509_BUFFER_TOO_SMALL);
+                    }
+
+                    memcpy(p, other_name->value.hardware_module_name.val.p,
+                           other_name->value.hardware_module_name.val.len);
+                    p += other_name->value.hardware_module_name.val.len;
+
+                    n -= other_name->value.hardware_module_name.val.len;
+
+                }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+            }
+            break;
+
+            /*
+             * dNSName
+             */
+            case MBEDTLS_X509_SAN_DNS_NAME: {
+                ret = mbedtls_snprintf(p, n, "\n%s    dNSName : ", prefix);
+                MBEDTLS_X509_SAFE_SNPRINTF;
+                if (san.san.unstructured_name.len >= n) {
+                    *p = '\0';
+                    return (MBEDTLS_ERR_X509_BUFFER_TOO_SMALL);
+                }
+
+                memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+                p += san.san.unstructured_name.len;
+                n -= san.san.unstructured_name.len;
+            }
+            break;
+
+            /*
+             * Type not supported, skip item.
+             */
+            default:
+                ret = mbedtls_snprintf(p, n, "\n%s    <unsupported>", prefix);
+                MBEDTLS_X509_SAFE_SNPRINTF;
+                break;
+        }
+
+        cur = cur->next;
+    }
+
+    *p = '\0';
+
+    *size = n;
+    *buf = p;
+
+    return (0);
+}
+
+int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
+                                        mbedtls_x509_subject_alternative_name *san) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    switch (san_buf->tag &
+            (MBEDTLS_ASN1_TAG_CLASS_MASK |
+             MBEDTLS_ASN1_TAG_VALUE_MASK)) {
+        /*
+         * otherName
+         */
+        case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME): {
+            mbedtls_x509_san_other_name other_name;
+
+            ret = x509_get_other_name(san_buf, &other_name);
+            if (ret != 0)
+                return (ret);
+
+            memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+            san->type = MBEDTLS_X509_SAN_OTHER_NAME;
+            memcpy(&san->san.other_name,
+                   &other_name, sizeof(other_name));
+
+        }
+        break;
+
+        /*
+         * dNSName
+         */
+        case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME): {
+            memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+            san->type = MBEDTLS_X509_SAN_DNS_NAME;
+
+            memcpy(&san->san.unstructured_name,
+                   san_buf, sizeof(*san_buf));
+
+        }
+        break;
+
+        /*
+         * Type not supported
+         */
+        default:
+            return (MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE);
+    }
+    return (0);
+}
+
+#define PRINT_ITEM(i)                           \
+    {                                           \
+        ret = mbedtls_snprintf( p, n, "%s" i, sep );    \
+        MBEDTLS_X509_SAFE_SNPRINTF;                        \
+        sep = ", ";                             \
+    }
+
+#define CERT_TYPE(type,name)                    \
+    if( ns_cert_type & (type) )                 \
+        PRINT_ITEM( name );
+
+static int x509_info_cert_type(char **buf, size_t *size,
+                               unsigned char ns_cert_type) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT,         "SSL Client");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER,         "SSL Server");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL,              "Email");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING,     "Object Signing");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED,           "Reserved");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA,             "SSL CA");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA,           "Email CA");
+    CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA,  "Object Signing CA");
+
+    *size = n;
+    *buf = p;
+
+    return (0);
+}
+
+#define KEY_USAGE(code,name)    \
+    if( key_usage & (code) )    \
+        PRINT_ITEM( name );
+
+static int x509_info_key_usage(char **buf, size_t *size,
+                               unsigned int key_usage) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE,    "Digital Signature");
+    KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION,      "Non Repudiation");
+    KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT,     "Key Encipherment");
+    KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT,    "Data Encipherment");
+    KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT,        "Key Agreement");
+    KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN,        "Key Cert Sign");
+    KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN,             "CRL Sign");
+    KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY,        "Encipher Only");
+    KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY,        "Decipher Only");
+
+    *size = n;
+    *buf = p;
+
+    return (0);
+}
+
+static int x509_info_ext_key_usage(char **buf, size_t *size,
+                                   const mbedtls_x509_sequence *extended_key_usage) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const char *desc;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = extended_key_usage;
+    const char *sep = "";
+
+    while (cur != NULL) {
+        if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0)
+            desc = "???";
+
+        ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        sep = ", ";
+
+        cur = cur->next;
+    }
+
+    *size = n;
+    *buf = p;
+
+    return (0);
+}
+
+static int x509_info_cert_policies(char **buf, size_t *size,
+                                   const mbedtls_x509_sequence *certificate_policies) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const char *desc;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = certificate_policies;
+    const char *sep = "";
+
+    while (cur != NULL) {
+        if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0)
+            desc = "???";
+
+        ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        sep = ", ";
+
+        cur = cur->next;
+    }
+
+    *size = n;
+    *buf = p;
+
+    return (0);
+}
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    18
+#define BC              "18"
+int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
+                          const mbedtls_x509_crt *crt) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    if (NULL == crt) {
+        ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        return ((int)(size - n));
+    }
+
+    ret = mbedtls_snprintf(p, n, "%scert. version     : %d\n",
+                           prefix, crt->version);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf(p, n, "%sserial number     : ",
+                           prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%sissuer name       : ", prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%ssubject name      : ", prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%sissued  on        : " \
+                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                           crt->valid_from.year, crt->valid_from.mon,
+                           crt->valid_from.day,  crt->valid_from.hour,
+                           crt->valid_from.min,  crt->valid_from.sec);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%sexpires on        : " \
+                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                           crt->valid_to.year, crt->valid_to.mon,
+                           crt->valid_to.day,  crt->valid_to.hour,
+                           crt->valid_to.min,  crt->valid_to.sec);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%ssigned using      : ", prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
+                                    crt->sig_md, crt->sig_opts);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /* Key size */
+    if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
+                                            mbedtls_pk_get_name(&crt->pk))) != 0) {
+        return (ret);
+    }
+
+    ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+                           (int) mbedtls_pk_get_bitlen(&crt->pk));
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /*
+     * Optional extensions
+     */
+
+    if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
+        ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
+                               crt->ca_istrue ? "true" : "false");
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if (crt->max_pathlen > 0) {
+            ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+    }
+
+    if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+        ret = mbedtls_snprintf(p, n, "\n%ssubject alt name  :", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if ((ret = x509_info_subject_alt_name(&p, &n,
+                                              &crt->subject_alt_names,
+                                              prefix)) != 0)
+            return (ret);
+    }
+
+    if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
+        ret = mbedtls_snprintf(p, n, "\n%scert. type        : ", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0)
+            return (ret);
+    }
+
+    if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
+        ret = mbedtls_snprintf(p, n, "\n%skey usage         : ", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0)
+            return (ret);
+    }
+
+    if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
+        ret = mbedtls_snprintf(p, n, "\n%sext key usage     : ", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if ((ret = x509_info_ext_key_usage(&p, &n,
+                                           &crt->ext_key_usage)) != 0)
+            return (ret);
+    }
+
+    if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
+        ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if ((ret = x509_info_cert_policies(&p, &n,
+                                           &crt->certificate_policies)) != 0)
+            return (ret);
+    }
+
+    ret = mbedtls_snprintf(p, n, "\n");
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return ((int)(size - n));
+}
+
+struct x509_crt_verify_string {
+    int code;
+    const char *string;
+};
+
+static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
+    { MBEDTLS_X509_BADCERT_EXPIRED,       "The certificate validity has expired" },
+    { MBEDTLS_X509_BADCERT_REVOKED,       "The certificate has been revoked (is on a CRL)" },
+    { MBEDTLS_X509_BADCERT_CN_MISMATCH,   "The certificate Common Name (CN) does not match with the expected CN" },
+    { MBEDTLS_X509_BADCERT_NOT_TRUSTED,   "The certificate is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,    "The CRL is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_EXPIRED,        "The CRL is expired" },
+    { MBEDTLS_X509_BADCERT_MISSING,       "Certificate was missing" },
+    { MBEDTLS_X509_BADCERT_SKIP_VERIFY,   "Certificate verification was skipped" },
+    { MBEDTLS_X509_BADCERT_OTHER,         "Other reason (can be used by verify callback)" },
+    { MBEDTLS_X509_BADCERT_FUTURE,        "The certificate validity starts in the future" },
+    { MBEDTLS_X509_BADCRL_FUTURE,         "The CRL is from the future" },
+    { MBEDTLS_X509_BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
+    { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
+    { MBEDTLS_X509_BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
+    { MBEDTLS_X509_BADCERT_BAD_MD,        "The certificate is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCERT_BAD_PK,        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCERT_BAD_KEY,       "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { MBEDTLS_X509_BADCRL_BAD_MD,         "The CRL is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCRL_BAD_PK,         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCRL_BAD_KEY,        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { 0, NULL }
+};
+
+int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
+                                 uint32_t flags) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const struct x509_crt_verify_string *cur;
+    char *p = buf;
+    size_t n = size;
+
+    for (cur = x509_crt_verify_strings; cur->string != NULL ; cur++) {
+        if ((flags & cur->code) == 0)
+            continue;
+
+        ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+        flags ^= cur->code;
+    }
+
+    if (flags != 0) {
+        ret = mbedtls_snprintf(p, n, "%sUnknown reason "
+                               "(this should not happen)\n", prefix);
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return ((int)(size - n));
+}
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
+                                     unsigned int usage) {
+    unsigned int usage_must, usage_may;
+    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+                            | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0)
+        return (0);
+
+    usage_must = usage & ~may_mask;
+
+    if (((crt->key_usage & ~may_mask) & usage_must) != usage_must)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    usage_may = usage & may_mask;
+
+    if (((crt->key_usage & may_mask) | usage_may) != usage_may)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    return (0);
+}
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
+                                              const char *usage_oid,
+                                              size_t usage_len) {
+    const mbedtls_x509_sequence *cur;
+
+    /* Extension is not mandatory, absent means no restriction */
+    if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0)
+        return (0);
+
+    /*
+     * Look for the requested usage (or wildcard ANY) in our list
+     */
+    for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
+        const mbedtls_x509_buf *cur_oid = &cur->buf;
+
+        if (cur_oid->len == usage_len &&
+                memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
+            return (0);
+        }
+
+        if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0)
+            return (0);
+    }
+
+    return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+}
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/*
+ * Return 1 if the certificate is revoked, or 0 otherwise.
+ */
+int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) {
+    const mbedtls_x509_crl_entry *cur = &crl->entry;
+
+    while (cur != NULL && cur->serial.len != 0) {
+        if (crt->serial.len == cur->serial.len &&
+                memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
+            return (1);
+        }
+
+        cur = cur->next;
+    }
+
+    return (0);
+}
+
+/*
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation if no CRL for the given CA is present.
+ */
+static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+                              mbedtls_x509_crl *crl_list,
+                              const mbedtls_x509_crt_profile *profile) {
+    int flags = 0;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+
+    if (ca == NULL)
+        return (flags);
+
+    while (crl_list != NULL) {
+        if (crl_list->version == 0 ||
+                x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) {
+            crl_list = crl_list->next;
+            continue;
+        }
+
+        /*
+         * Check if the CA is configured to sign CRLs
+         */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+        if (mbedtls_x509_crt_check_key_usage(ca,
+                                             MBEDTLS_X509_KU_CRL_SIGN) != 0) {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+#endif
+
+        /*
+         * Check if CRL is correctly signed by the trusted CA
+         */
+        if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0)
+            flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+
+        if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0)
+            flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+
+        md_info = mbedtls_md_info_from_type(crl_list->sig_md);
+        if (mbedtls_md(md_info, crl_list->tbs.p, crl_list->tbs.len, hash) != 0) {
+            /* Note: this can't happen except after an internal error */
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        if (x509_profile_check_key(profile, &ca->pk) != 0)
+            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+                                  crl_list->sig_md, hash, mbedtls_md_get_size(md_info),
+                                  crl_list->sig.p, crl_list->sig.len) != 0) {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
+         * Check for validity of CRL (Do not drop out)
+         */
+        if (mbedtls_x509_time_is_past(&crl_list->next_update))
+            flags |= MBEDTLS_X509_BADCRL_EXPIRED;
+
+        if (mbedtls_x509_time_is_future(&crl_list->this_update))
+            flags |= MBEDTLS_X509_BADCRL_FUTURE;
+
+        /*
+         * Check if certificate is revoked
+         */
+        if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
+            flags |= MBEDTLS_X509_BADCERT_REVOKED;
+            break;
+        }
+
+        crl_list = crl_list->next;
+    }
+
+    return (flags);
+}
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/*
+ * Check the signature of a certificate by its parent
+ */
+static int x509_crt_check_signature(const mbedtls_x509_crt *child,
+                                    mbedtls_x509_crt *parent,
+                                    mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    size_t hash_len;
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+    const mbedtls_md_info_t *md_info;
+    md_info = mbedtls_md_info_from_type(child->sig_md);
+    hash_len = mbedtls_md_get_size(md_info);
+
+    /* Note: hash errors can happen only after an internal error */
+    if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0)
+        return (-1);
+#else
+    psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+    psa_algorithm_t hash_alg = mbedtls_psa_translate_md(child->sig_md);
+
+    if (psa_hash_setup(&hash_operation, hash_alg) != PSA_SUCCESS)
+        return (-1);
+
+    if (psa_hash_update(&hash_operation, child->tbs.p, child->tbs.len)
+            != PSA_SUCCESS) {
+        return (-1);
+    }
+
+    if (psa_hash_finish(&hash_operation, hash, sizeof(hash), &hash_len)
+            != PSA_SUCCESS) {
+        return (-1);
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    /* Skip expensive computation on obvious mismatch */
+    if (! mbedtls_pk_can_do(&parent->pk, child->sig_pk))
+        return (-1);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
+        return (mbedtls_pk_verify_restartable(&parent->pk,
+                                              child->sig_md, hash, hash_len,
+                                              child->sig.p, child->sig.len, &rs_ctx->pk));
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+    return (mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
+                                  child->sig_md, hash, hash_len,
+                                  child->sig.p, child->sig.len));
+}
+
 /*
  * Check if 'parent' is a suitable parent (signing CA) for 'child'.
  * Return 0 if yes, -1 if not.
@@ -1811,6 +2356,7 @@ static int x509_crt_check_parent(const mbedtls_x509_crt *child,
  *  1. subject name matches child's issuer
  *  2. if necessary, the CA bit is set and key usage allows signing certs
  *  3. for trusted roots, the signature is correct
+ *     (for intermediates, the signature is checked and the result reported)
  *  4. pathlen constraints are satisfied
  *
  * If there's a suitable candidate which is also time-valid, return the first
@@ -1833,22 +2379,52 @@ static int x509_crt_check_parent(const mbedtls_x509_crt *child,
  * Arguments:
  *  - [in] child: certificate for which we're looking for a parent
  *  - [in] candidates: chained list of potential parents
+ *  - [out] r_parent: parent found (or NULL)
+ *  - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
  *  - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
  *         of the chain, 0 otherwise
  *  - [in] path_cnt: number of intermediates seen so far
  *  - [in] self_cnt: number of self-signed intermediates seen so far
  *         (will never be greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
  *
  * Return value:
- *  - the first suitable parent found (see above regarding time-validity)
- *  - NULL if no suitable parent was found
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
  */
-static mbedtls_x509_crt *x509_crt_find_parent_in(mbedtls_x509_crt *child,
-                                                 mbedtls_x509_crt *candidates,
-                                                 int top,
-                                                 size_t path_cnt,
-                                                 size_t self_cnt) {
-    mbedtls_x509_crt *parent, *badtime_parent = NULL;
+static int x509_crt_find_parent_in(
+    mbedtls_x509_crt *child,
+    mbedtls_x509_crt *candidates,
+    mbedtls_x509_crt **r_parent,
+    int *r_signature_is_good,
+    int top,
+    unsigned path_cnt,
+    unsigned self_cnt,
+    mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_x509_crt *parent, *fallback_parent;
+    int signature_is_good = 0, fallback_signature_is_good;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* did we have something in progress? */
+    if (rs_ctx != NULL && rs_ctx->parent != NULL) {
+        /* restore saved state */
+        parent = rs_ctx->parent;
+        fallback_parent = rs_ctx->fallback_parent;
+        fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
+
+        /* clear saved state */
+        rs_ctx->parent = NULL;
+        rs_ctx->fallback_parent = NULL;
+        rs_ctx->fallback_signature_is_good = 0;
+
+        /* resume where we left */
+        goto check_signature;
+    }
+#endif
+
+    fallback_parent = NULL;
+    fallback_signature_is_good = 0;
 
     for (parent = candidates; parent != NULL; parent = parent->next) {
         /* basic parenting skills (name, CA bit, key usage) */
@@ -1862,26 +2438,51 @@ static mbedtls_x509_crt *x509_crt_find_parent_in(mbedtls_x509_crt *child,
         }
 
         /* Signature */
-        if (top && x509_crt_check_signature(child, parent) != 0) {
-            continue;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+check_signature:
+#endif
+        ret = x509_crt_check_signature(child, parent, rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+            /* save state */
+            rs_ctx->parent = parent;
+            rs_ctx->fallback_parent = fallback_parent;
+            rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
+
+            return (ret);
         }
+#else
+        (void) ret;
+#endif
+
+        signature_is_good = ret == 0;
+        if (top && ! signature_is_good)
+            continue;
 
         /* optional time check */
         if (mbedtls_x509_time_is_past(&parent->valid_to) ||
                 mbedtls_x509_time_is_future(&parent->valid_from)) {
-            if (badtime_parent == NULL)
-                badtime_parent = parent;
+            if (fallback_parent == NULL) {
+                fallback_parent = parent;
+                fallback_signature_is_good = signature_is_good;
+            }
 
             continue;
         }
 
+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+
         break;
     }
 
-    if (parent == NULL)
-        parent = badtime_parent;
+    if (parent == NULL) {
+        *r_parent = fallback_parent;
+        *r_signature_is_good = fallback_signature_is_good;
+    }
 
-    return (parent);
+    return (0);
 }
 
 /*
@@ -1893,33 +2494,74 @@ static mbedtls_x509_crt *x509_crt_find_parent_in(mbedtls_x509_crt *child,
  * Arguments:
  *  - [in] child: certificate for which we're looking for a parent, followed
  *         by a chain of possible intermediates
- *  - [in] trust_ca: locally trusted CAs
- *  - [out] 1 if parent was found in trust_ca, 0 if found in provided chain
- *  - [in] path_cnt: number of intermediates seen so far
- *  - [in] self_cnt: number of self-signed intermediates seen so far
+ *  - [in] trust_ca: list of locally trusted certificates
+ *  - [out] parent: parent found (or NULL)
+ *  - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
+ *  - [out] signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
+ *  - [in] self_cnt: number of self-signed certs in the chain so far
  *         (will always be no greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
  *
  * Return value:
- *  - the first suitable parent found (see find_parent_in() for "suitable")
- *  - NULL if no suitable parent was found
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
  */
-static mbedtls_x509_crt *x509_crt_find_parent(mbedtls_x509_crt *child,
-                                              mbedtls_x509_crt *trust_ca,
-                                              int *parent_is_trusted,
-                                              size_t path_cnt,
-                                              size_t self_cnt) {
-    mbedtls_x509_crt *parent;
+static int x509_crt_find_parent(
+    mbedtls_x509_crt *child,
+    mbedtls_x509_crt *trust_ca,
+    mbedtls_x509_crt **parent,
+    int *parent_is_trusted,
+    int *signature_is_good,
+    unsigned path_cnt,
+    unsigned self_cnt,
+    mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_x509_crt *search_list;
 
-    /* Look for a parent in trusted CAs */
     *parent_is_trusted = 1;
-    parent = x509_crt_find_parent_in(child, trust_ca, 1, path_cnt, self_cnt);
 
-    if (parent != NULL)
-        return (parent);
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* restore then clear saved state if we have some stored */
+    if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
+        *parent_is_trusted = rs_ctx->parent_is_trusted;
+        rs_ctx->parent_is_trusted = -1;
+    }
+#endif
 
-    /* Look for a parent upwards the chain */
-    *parent_is_trusted = 0;
-    return (x509_crt_find_parent_in(child, child->next, 0, path_cnt, self_cnt));
+    while (1) {
+        search_list = *parent_is_trusted ? trust_ca : child->next;
+
+        ret = x509_crt_find_parent_in(child, search_list,
+                                      parent, signature_is_good,
+                                      *parent_is_trusted,
+                                      path_cnt, self_cnt, rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+            /* save state */
+            rs_ctx->parent_is_trusted = *parent_is_trusted;
+            return (ret);
+        }
+#else
+        (void) ret;
+#endif
+
+        /* stop here if found or already in second iteration */
+        if (*parent != NULL || *parent_is_trusted == 0)
+            break;
+
+        /* prepare second iteration */
+        *parent_is_trusted = 0;
+    }
+
+    /* extra precaution against mistakes in the caller */
+    if (*parent == NULL) {
+        *parent_is_trusted = 0;
+        *signature_is_good = 0;
+    }
+
+    return (0);
 }
 
 /*
@@ -1965,11 +2607,24 @@ static int x509_crt_check_ee_locally_trusted(
  * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
  *   -> return that chain with NOT_TRUSTED set on Ciq
  *
+ * Tests for (aspects of) this function should include at least:
+ * - trusted EE
+ * - EE -> trusted root
+ * - EE -> intermediate CA -> trusted root
+ * - if relevant: EE untrusted
+ * - if relevant: EE -> intermediate, untrusted
+ * with the aspect under test checked at each relevant level (EE, int, root).
+ * For some aspects longer chains are required, but usually length 2 is
+ * enough (but length 1 is not in general).
+ *
  * Arguments:
  *  - [in] crt: the cert list EE, C1, ..., Cn
  *  - [in] trust_ca: the trusted list R1, ..., Rp
  *  - [in] ca_crl, profile: as in verify_with_profile()
- *  - [out] ver_chain, chain_len: the built and verified chain
+ *  - [out] ver_chain: the built and verified chain
+ *      Only valid when return value is 0, may contain garbage otherwise!
+ *      Restart note: need not be the same when calling again to resume.
+ *  - [in-out] rs_ctx: context for restarting operations
  *
  * Return value:
  *  - non-zero if the chain could not be fully built and examined
@@ -1980,24 +2635,52 @@ static int x509_crt_verify_chain(
     mbedtls_x509_crt *crt,
     mbedtls_x509_crt *trust_ca,
     mbedtls_x509_crl *ca_crl,
+    mbedtls_x509_crt_ca_cb_t f_ca_cb,
+    void *p_ca_cb,
     const mbedtls_x509_crt_profile *profile,
-    x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
-    size_t *chain_len) {
+    mbedtls_x509_crt_verify_chain *ver_chain,
+    mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    /* Don't initialize any of those variables here, so that the compiler can
+     * catch potential issues with jumping ahead when restarting */
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     uint32_t *flags;
+    mbedtls_x509_crt_verify_chain_item *cur;
     mbedtls_x509_crt *child;
     mbedtls_x509_crt *parent;
-    int parent_is_trusted = 0;
-    int child_is_trusted = 0;
-    size_t self_cnt = 0;
+    int parent_is_trusted;
+    int child_is_trusted;
+    int signature_is_good;
+    unsigned self_cnt;
+    mbedtls_x509_crt *cur_trust_ca = NULL;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* resume if we had an operation in progress */
+    if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
+        /* restore saved state */
+        *ver_chain = rs_ctx->ver_chain; /* struct copy */
+        self_cnt = rs_ctx->self_cnt;
+
+        /* restore derived state */
+        cur = &ver_chain->items[ver_chain->len - 1];
+        child = cur->crt;
+        flags = &cur->flags;
+
+        goto find_parent;
+    }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 
     child = crt;
-    *chain_len = 0;
+    self_cnt = 0;
+    parent_is_trusted = 0;
+    child_is_trusted = 0;
 
     while (1) {
         /* Add certificate to the verification chain */
-        ver_chain[*chain_len].crt = child;
-        flags = &ver_chain[*chain_len].flags;
-        ++*chain_len;
+        cur = &ver_chain->items[ver_chain->len];
+        cur->crt = child;
+        cur->flags = 0;
+        ver_chain->len++;
+        flags = &cur->flags;
 
         /* Check time-validity (all certificates) */
         if (mbedtls_x509_time_is_past(&child->valid_to))
@@ -2018,14 +2701,53 @@ static int x509_crt_verify_chain(
             *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
         /* Special case: EE certs that are locally trusted */
-        if (*chain_len == 1 &&
+        if (ver_chain->len == 1 &&
                 x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
             return (0);
         }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+
+        /* Obtain list of potential trusted signers from CA callback,
+         * or use statically provided list. */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+        if (f_ca_cb != NULL) {
+            mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result);
+            mbedtls_free(ver_chain->trust_ca_cb_result);
+            ver_chain->trust_ca_cb_result = NULL;
+
+            ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result);
+            if (ret != 0)
+                return (MBEDTLS_ERR_X509_FATAL_ERROR);
+
+            cur_trust_ca = ver_chain->trust_ca_cb_result;
+        } else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+        {
+            ((void) f_ca_cb);
+            ((void) p_ca_cb);
+            cur_trust_ca = trust_ca;
+        }
+
         /* Look for a parent in trusted CAs or up the chain */
-        parent = x509_crt_find_parent(child, trust_ca, &parent_is_trusted,
-                                      *chain_len - 1, self_cnt);
+        ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
+                                   &parent_is_trusted, &signature_is_good,
+                                   ver_chain->len - 1, self_cnt, rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+            /* save state */
+            rs_ctx->in_progress = x509_crt_rs_find_parent;
+            rs_ctx->self_cnt = self_cnt;
+            rs_ctx->ver_chain = *ver_chain; /* struct copy */
+
+            return (ret);
+        }
+#else
+        (void) ret;
+#endif
 
         /* No parent? We're done here */
         if (parent == NULL) {
@@ -2036,7 +2758,7 @@ static int x509_crt_verify_chain(
         /* Count intermediate self-issued (not necessarily self-signed) certs.
          * These can occur with some strategies for key rollover, see [SIRO],
          * and should be excluded from max_pathlen checks. */
-        if (*chain_len != 1 &&
+        if (ver_chain->len != 1 &&
                 x509_name_cmp(&child->issuer, &child->subject) == 0) {
             self_cnt++;
         }
@@ -2044,13 +2766,13 @@ static int x509_crt_verify_chain(
         /* path_cnt is 0 for the first intermediate CA,
          * and if parent is trusted it's not an intermediate CA */
         if (! parent_is_trusted &&
-                *chain_len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
+                ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
             /* return immediately to avoid overflow the chain array */
             return (MBEDTLS_ERR_X509_FATAL_ERROR);
         }
 
-        /* if parent is trusted, the signature was checked by find_parent() */
-        if (! parent_is_trusted && x509_crt_check_signature(child, parent) != 0)
+        /* signature was checked while searching parent */
+        if (! signature_is_good)
             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
 
         /* check size of signing key */
@@ -2068,6 +2790,7 @@ static int x509_crt_verify_chain(
         child = parent;
         parent = NULL;
         child_is_trusted = parent_is_trusted;
+        signature_is_good = 0;
     }
 }
 
@@ -2090,6 +2813,24 @@ static int x509_crt_check_cn(const mbedtls_x509_buf *name,
     return (-1);
 }
 
+/*
+ * Check for SAN match, see RFC 5280 Section 4.2.1.6
+ */
+static int x509_crt_check_san(const mbedtls_x509_buf *name,
+                              const char *cn, size_t cn_len) {
+    const unsigned char san_type = (unsigned char) name->tag &
+                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
+
+    /* dNSName */
+    if (san_type == MBEDTLS_X509_SAN_DNS_NAME)
+        return (x509_crt_check_cn(name, cn, cn_len));
+
+    /* (We may handle other types here later.) */
+
+    /* Unrecognized type */
+    return (-1);
+}
+
 /*
  * Verify the requested CN - only call this if cn is not NULL!
  */
@@ -2102,7 +2843,7 @@ static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
 
     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
         for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
-            if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0)
+            if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0)
                 break;
         }
 
@@ -2126,19 +2867,20 @@ static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
  */
 static int x509_crt_merge_flags_with_cb(
     uint32_t *flags,
-    x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE],
-    size_t chain_len,
+    const mbedtls_x509_crt_verify_chain *ver_chain,
     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
     void *p_vrfy) {
-    int ret;
-    size_t i;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned i;
     uint32_t cur_flags;
+    const mbedtls_x509_crt_verify_chain_item *cur;
 
-    for (i = chain_len; i != 0; --i) {
-        cur_flags = ver_chain[i - 1].flags;
+    for (i = ver_chain->len; i != 0; --i) {
+        cur = &ver_chain->items[i - 1];
+        cur_flags = cur->flags;
 
         if (NULL != f_vrfy)
-            if ((ret = f_vrfy(p_vrfy, ver_chain[i - 1].crt, (int) i - 1, &cur_flags)) != 0)
+            if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i - 1, &cur_flags)) != 0)
                 return (ret);
 
         *flags |= cur_flags;
@@ -2148,20 +2890,7 @@ static int x509_crt_merge_flags_with_cb(
 }
 
 /*
- * Verify the certificate validity
- */
-int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
-                            mbedtls_x509_crt *trust_ca,
-                            mbedtls_x509_crl *ca_crl,
-                            const char *cn, uint32_t *flags,
-                            int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
-                            void *p_vrfy) {
-    return (mbedtls_x509_crt_verify_with_profile(crt, trust_ca, ca_crl,
-                                                 &mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy));
-}
-
-/*
- * Verify the certificate validity, with profile
+ * Verify the certificate validity, with profile, restartable version
  *
  * This function:
  *  - checks the requested CN (if any)
@@ -2169,23 +2898,32 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
  *    as that isn't done as part of chain building/verification currently
  *  - builds and verifies the chain
  *  - then calls the callback and merges the flags
+ *
+ * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
+ * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
+ * verification routine to search for trusted signers, and CRLs will
+ * be disabled. Otherwise, `trust_ca` will be used as the static list
+ * of trusted signers, and `ca_crl` will be use as the static list
+ * of CRLs.
  */
-int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
-                                         mbedtls_x509_crt *trust_ca,
-                                         mbedtls_x509_crl *ca_crl,
-                                         const mbedtls_x509_crt_profile *profile,
-                                         const char *cn, uint32_t *flags,
-                                         int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
-                                         void *p_vrfy) {
-    int ret;
+static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt,
+                                             mbedtls_x509_crt *trust_ca,
+                                             mbedtls_x509_crl *ca_crl,
+                                             mbedtls_x509_crt_ca_cb_t f_ca_cb,
+                                             void *p_ca_cb,
+                                             const mbedtls_x509_crt_profile *profile,
+                                             const char *cn, uint32_t *flags,
+                                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                             void *p_vrfy,
+                                             mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_pk_type_t pk_type;
-    x509_crt_verify_chain_item ver_chain[X509_MAX_VERIFY_CHAIN_SIZE];
-    size_t chain_len;
-    uint32_t *ee_flags = &ver_chain[0].flags;
+    mbedtls_x509_crt_verify_chain ver_chain;
+    uint32_t ee_flags;
 
     *flags = 0;
-    memset(ver_chain, 0, sizeof(ver_chain));
-    chain_len = 0;
+    ee_flags = 0;
+    x509_crt_verify_chain_reset(&ver_chain);
 
     if (profile == NULL) {
         ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
@@ -2194,28 +2932,44 @@ int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
 
     /* check name if requested */
     if (cn != NULL)
-        x509_crt_verify_name(crt, cn, ee_flags);
+        x509_crt_verify_name(crt, cn, &ee_flags);
 
     /* Check the type and size of the key */
     pk_type = mbedtls_pk_get_type(&crt->pk);
 
     if (x509_profile_check_pk_alg(profile, pk_type) != 0)
-        *ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
     if (x509_profile_check_key(profile, &crt->pk) != 0)
-        *ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
     /* Check the chain */
-    ret = x509_crt_verify_chain(crt, trust_ca, ca_crl, profile,
-                                ver_chain, &chain_len);
+    ret = x509_crt_verify_chain(crt, trust_ca, ca_crl,
+                                f_ca_cb, p_ca_cb, profile,
+                                &ver_chain, rs_ctx);
+
     if (ret != 0)
         goto exit;
 
+    /* Merge end-entity flags */
+    ver_chain.items[0].flags |= ee_flags;
+
     /* Build final flags, calling callback on the way if any */
-    ret = x509_crt_merge_flags_with_cb(flags,
-                                       ver_chain, chain_len, f_vrfy, p_vrfy);
+    ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy);
 
 exit:
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result);
+    mbedtls_free(ver_chain.trust_ca_cb_result);
+    ver_chain.trust_ca_cb_result = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS)
+        mbedtls_x509_crt_restart_free(rs_ctx);
+#endif
+
     /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
      * the SSL module for authmode optional, but non-zero return from the
      * callback means a fatal error so it shouldn't be ignored */
@@ -2223,7 +2977,7 @@ exit:
         ret = MBEDTLS_ERR_X509_FATAL_ERROR;
 
     if (ret != 0) {
-        *flags = (uint32_t) - 1;
+        *flags = (uint32_t) -1;
         return (ret);
     }
 
@@ -2233,6 +2987,73 @@ exit:
     return (0);
 }
 
+
+/*
+ * Verify the certificate validity (default profile, not restartable)
+ */
+int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
+                            mbedtls_x509_crt *trust_ca,
+                            mbedtls_x509_crl *ca_crl,
+                            const char *cn, uint32_t *flags,
+                            int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                            void *p_vrfy) {
+    return (x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+                                              NULL, NULL,
+                                              &mbedtls_x509_crt_profile_default,
+                                              cn, flags,
+                                              f_vrfy, p_vrfy, NULL));
+}
+
+/*
+ * Verify the certificate validity (user-chosen profile, not restartable)
+ */
+int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
+                                         mbedtls_x509_crt *trust_ca,
+                                         mbedtls_x509_crl *ca_crl,
+                                         const mbedtls_x509_crt_profile *profile,
+                                         const char *cn, uint32_t *flags,
+                                         int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                         void *p_vrfy) {
+    return (x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+                                              NULL, NULL,
+                                              profile, cn, flags,
+                                              f_vrfy, p_vrfy, NULL));
+}
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+/*
+ * Verify the certificate validity (user-chosen profile, CA callback,
+ *                                  not restartable).
+ */
+int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
+                                       mbedtls_x509_crt_ca_cb_t f_ca_cb,
+                                       void *p_ca_cb,
+                                       const mbedtls_x509_crt_profile *profile,
+                                       const char *cn, uint32_t *flags,
+                                       int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                       void *p_vrfy) {
+    return (x509_crt_verify_restartable_ca_cb(crt, NULL, NULL,
+                                              f_ca_cb, p_ca_cb,
+                                              profile, cn, flags,
+                                              f_vrfy, p_vrfy, NULL));
+}
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
+int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
+                                        mbedtls_x509_crt *trust_ca,
+                                        mbedtls_x509_crl *ca_crl,
+                                        const mbedtls_x509_crt_profile *profile,
+                                        const char *cn, uint32_t *flags,
+                                        int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                        void *p_vrfy,
+                                        mbedtls_x509_crt_restart_ctx *rs_ctx) {
+    return (x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+                                              NULL, NULL,
+                                              profile, cn, flags,
+                                              f_vrfy, p_vrfy, rs_ctx));
+}
+
+
 /*
  * Initialize a certificate chain
  */
@@ -2295,7 +3116,16 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt) {
             mbedtls_free(seq_prv);
         }
 
-        if (cert_cur->raw.p != NULL) {
+        seq_cur = cert_cur->certificate_policies.next;
+        while (seq_cur != NULL) {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_platform_zeroize(seq_prv,
+                                     sizeof(mbedtls_x509_sequence));
+            mbedtls_free(seq_prv);
+        }
+
+        if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
             mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);
             mbedtls_free(cert_cur->raw.p);
         }
@@ -2314,4 +3144,34 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt) {
     } while (cert_cur != NULL);
 }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx) {
+    mbedtls_pk_restart_init(&ctx->pk);
+
+    ctx->parent = NULL;
+    ctx->fallback_parent = NULL;
+    ctx->fallback_signature_is_good = 0;
+
+    ctx->parent_is_trusted = -1;
+
+    ctx->in_progress = x509_crt_rs_none;
+    ctx->self_cnt = 0;
+    x509_crt_verify_chain_reset(&ctx->ver_chain);
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_pk_restart_free(&ctx->pk);
+    mbedtls_x509_crt_restart_init(ctx);
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/common/mbedtls/x509_crt.h b/common/mbedtls/x509_crt.h
index 3217ff0a5..5ef2510f9 100644
--- a/common/mbedtls/x509_crt.h
+++ b/common/mbedtls/x509_crt.h
@@ -4,36 +4,33 @@
  * \brief X.509 certificate parsing and writing
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 #ifndef MBEDTLS_X509_CRT_H
 #define MBEDTLS_X509_CRT_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "config.h"
+#include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "x509.h"
-#include "x509_crl.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/bignum.h"
 
 /**
  * \addtogroup x509_module
@@ -53,6 +50,8 @@ extern "C" {
  * Container for an X.509 certificate. The certificate may be chained.
  */
 typedef struct mbedtls_x509_crt {
+    int own_buffer;                     /**< Indicates if \c raw is owned
+                                         *   by the structure or not.        */
     mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
     mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
 
@@ -69,12 +68,15 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
     mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
 
+    mbedtls_x509_buf pk_raw;
     mbedtls_pk_context pk;              /**< Container for the public key context. */
 
     mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
     mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
     mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
-    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+
+    mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 
     int ext_types;              /**< Bit string containing detected and parsed extensions */
     int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@@ -95,11 +97,54 @@ typedef struct mbedtls_x509_crt {
 }
 mbedtls_x509_crt;
 
+/**
+ * From RFC 5280 section 4.2.1.6:
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ */
+typedef struct mbedtls_x509_san_other_name {
+    /**
+     * The type_id is an OID as deifned in RFC 5280.
+     * To check the value of the type id, you should use
+     * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
+     */
+    mbedtls_x509_buf type_id;                   /**< The type id. */
+    union {
+        /**
+         * From RFC 4108 section 5:
+         * HardwareModuleName ::= SEQUENCE {
+         *                         hwType OBJECT IDENTIFIER,
+         *                         hwSerialNum OCTET STRING }
+         */
+        struct {
+            mbedtls_x509_buf oid;               /**< The object identifier. */
+            mbedtls_x509_buf val;               /**< The named value. */
+        }
+        hardware_module_name;
+    }
+    value;
+}
+mbedtls_x509_san_other_name;
+
+/**
+ * A structure for holding the parsed Subject Alternative Name, according to type
+ */
+typedef struct mbedtls_x509_subject_alternative_name {
+    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
+    union {
+        mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+        mbedtls_x509_buf   unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
+    }
+    san; /**< A union of the supported SAN types */
+}
+mbedtls_x509_subject_alternative_name;
+
 /**
  * Build flag from an algorithm/curve identifier (pk, md, ecp)
  * Since 0 is always XXX_NONE, ignore it.
  */
-#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( id - 1 ) )
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( (id) - 1 ) )
 
 /**
  * Security profile for certificate verification.
@@ -142,6 +187,69 @@ typedef struct mbedtls_x509write_cert {
 }
 mbedtls_x509write_cert;
 
+/**
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain_item;
+
+/**
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE  ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/**
+ * Verification chain as built by \c mbedtls_crt_verify_chain()
+ */
+typedef struct {
+    mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+    unsigned len;
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    /* This stores the list of potential trusted signers obtained from
+     * the CA callback used for the CRT verification, if configured.
+     * We must track it somewhere because the callback passes its
+     * ownership to the caller. */
+    mbedtls_x509_crt *trust_ca_cb_result;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+} mbedtls_x509_crt_verify_chain;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief       Context for resuming X.509 verify operations
+ */
+typedef struct {
+    /* for check_signature() */
+    mbedtls_pk_restart_ctx pk;
+
+    /* for find_parent_in() */
+    mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
+    mbedtls_x509_crt *fallback_parent;
+    int fallback_signature_is_good;
+
+    /* for find_parent() */
+    int parent_is_trusted; /* -1 if find_parent is not in progress */
+
+    /* for verify_chain() */
+    enum {
+        x509_crt_rs_none,
+        x509_crt_rs_find_parent,
+    } in_progress;  /* none if no operation is in progress */
+    int self_cnt;
+    mbedtls_x509_crt_verify_chain ver_chain;
+
+} mbedtls_x509_crt_restart_ctx;
+
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_x509_crt_restart_ctx;
+
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
  * Default security profile. Should provide a good balance between security
@@ -162,31 +270,172 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
 
 /**
  * \brief          Parse a single DER formatted certificate and add it
- *                 to the chained list.
+ *                 to the end of the provided chained list.
  *
- * \param chain    points to the start of the chain
- * \param buf      buffer holding the certificate DER data
- * \param buflen   size of the buffer
+ * \param chain    The pointer to the start of the CRT chain to attach to.
+ *                 When parsing the first CRT in a chain, this should point
+ *                 to an instance of ::mbedtls_x509_crt initialized through
+ *                 mbedtls_x509_crt_init().
+ * \param buf      The buffer holding the DER encoded certificate.
+ * \param buflen   The size in Bytes of \p buf.
  *
- * \return         0 if successful, or a specific X509 or PEM error code
+ * \note           This function makes an internal copy of the CRT buffer
+ *                 \p buf. In particular, \p buf may be destroyed or reused
+ *                 after this call returns. To avoid duplicating the CRT
+ *                 buffer (at the cost of stricter lifetime constraints),
+ *                 use mbedtls_x509_crt_parse_der_nocopy() instead.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf,
+int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
+                               const unsigned char *buf,
                                size_t buflen);
 
 /**
- * \brief          Parse one or more certificates and add them
- *                 to the chained list. Parses permissively. If some
- *                 certificates can be parsed, the result is the number
- *                 of failed certificates it encountered. If none complete
- *                 correctly, the first error is returned.
+ * \brief          The type of certificate extension callbacks.
  *
- * \param chain    points to the start of the chain
- * \param buf      buffer holding the certificate data in PEM or DER format
- * \param buflen   size of the buffer
- *                 (including the terminating null byte for PEM data)
+ *                 Callbacks of this type are passed to and used by the
+ *                 mbedtls_x509_crt_parse_der_with_ext_cb() routine when
+ *                 it encounters either an unsupported extension or a
+ *                 "certificate policies" extension containing any
+ *                 unsupported certificate policies.
+ *                 Future versions of the library may invoke the callback
+ *                 in other cases, if and when the need arises.
+ *
+ * \param p_ctx    An opaque context passed to the callback.
+ * \param crt      The certificate being parsed.
+ * \param oid      The OID of the extension.
+ * \param critical Whether the extension is critical.
+ * \param p        Pointer to the start of the extension value
+ *                 (the content of the OCTET STRING).
+ * \param end      End of extension value.
+ *
+ * \note           The callback must fail and return a negative error code
+ *                 if it can not parse or does not support the extension.
+ *                 When the callback fails to parse a critical extension
+ *                 mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ *                 When the callback fails to parse a non critical extension
+ *                 mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ *                 the extension and continues parsing.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+typedef int (*mbedtls_x509_crt_ext_cb_t)(void *p_ctx,
+                                         mbedtls_x509_crt const *crt,
+                                         mbedtls_x509_buf const *oid,
+                                         int critical,
+                                         const unsigned char *p,
+                                         const unsigned char *end);
+
+/**
+ * \brief            Parse a single DER formatted certificate and add it
+ *                   to the end of the provided chained list.
+ *
+ * \param chain      The pointer to the start of the CRT chain to attach to.
+ *                   When parsing the first CRT in a chain, this should point
+ *                   to an instance of ::mbedtls_x509_crt initialized through
+ *                   mbedtls_x509_crt_init().
+ * \param buf        The buffer holding the DER encoded certificate.
+ * \param buflen     The size in Bytes of \p buf.
+ * \param make_copy  When not zero this function makes an internal copy of the
+ *                   CRT buffer \p buf. In particular, \p buf may be destroyed
+ *                   or reused after this call returns.
+ *                   When zero this function avoids duplicating the CRT buffer
+ *                   by taking temporary ownership thereof until the CRT
+ *                   is destroyed (like mbedtls_x509_crt_parse_der_nocopy())
+ * \param cb         A callback invoked for every unsupported certificate
+ *                   extension.
+ * \param p_ctx      An opaque context passed to the callback.
+ *
+ * \note             This call is functionally equivalent to
+ *                   mbedtls_x509_crt_parse_der(), and/or
+ *                   mbedtls_x509_crt_parse_der_nocopy()
+ *                   but it calls the callback with every unsupported
+ *                   certificate extension and additionally the
+ *                   "certificate policies" extension if it contains any
+ *                   unsupported certificate policies.
+ *                   The callback must return a negative error code if it
+ *                   does not know how to handle such an extension.
+ *                   When the callback fails to parse a critical extension
+ *                   mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ *                   When the callback fails to parse a non critical extension
+ *                   mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ *                   the extension and continues parsing.
+ *                   Future versions of the library may invoke the callback
+ *                   in other cases, if and when the need arises.
+ *
+ * \return           \c 0 if successful.
+ * \return           A negative error code on failure.
+ */
+int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
+                                           const unsigned char *buf,
+                                           size_t buflen,
+                                           int make_copy,
+                                           mbedtls_x509_crt_ext_cb_t cb,
+                                           void *p_ctx);
+
+/**
+ * \brief          Parse a single DER formatted certificate and add it
+ *                 to the end of the provided chained list. This is a
+ *                 variant of mbedtls_x509_crt_parse_der() which takes
+ *                 temporary ownership of the CRT buffer until the CRT
+ *                 is destroyed.
+ *
+ * \param chain    The pointer to the start of the CRT chain to attach to.
+ *                 When parsing the first CRT in a chain, this should point
+ *                 to an instance of ::mbedtls_x509_crt initialized through
+ *                 mbedtls_x509_crt_init().
+ * \param buf      The address of the readable buffer holding the DER encoded
+ *                 certificate to use. On success, this buffer must be
+ *                 retained and not be changed for the liftetime of the
+ *                 CRT chain \p chain, that is, until \p chain is destroyed
+ *                 through a call to mbedtls_x509_crt_free().
+ * \param buflen   The size in Bytes of \p buf.
+ *
+ * \note           This call is functionally equivalent to
+ *                 mbedtls_x509_crt_parse_der(), but it avoids creating a
+ *                 copy of the input buffer at the cost of stronger lifetime
+ *                 constraints. This is useful in constrained environments
+ *                 where duplication of the CRT cannot be tolerated.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
+                                      const unsigned char *buf,
+                                      size_t buflen);
+
+/**
+ * \brief          Parse one DER-encoded or one or more concatenated PEM-encoded
+ *                 certificates and add them to the chained list.
+ *
+ *                 For CRTs in PEM encoding, the function parses permissively:
+ *                 if at least one certificate can be parsed, the function
+ *                 returns the number of certificates for which parsing failed
+ *                 (hence \c 0 if all certificates were parsed successfully).
+ *                 If no certificate could be parsed, the function returns
+ *                 the first (negative) error encountered during parsing.
+ *
+ *                 PEM encoded certificates may be interleaved by other data
+ *                 such as human readable descriptions of their content, as
+ *                 long as the certificates are enclosed in the PEM specific
+ *                 '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain    The chain to which to add the parsed certificates.
+ * \param buf      The buffer holding the certificate data in PEM or DER format.
+ *                 For certificates in PEM encoding, this may be a concatenation
+ *                 of multiple certificates; for DER encoding, the buffer must
+ *                 comprise exactly one certificate.
+ * \param buflen   The size of \p buf, including the terminating \c NULL byte
+ *                 in case of PEM encoded data.
+ *
+ * \return         \c 0 if all certificates were parsed successfully.
+ * \return         The (positive) number of certificates that couldn't
+ *                 be parsed if parsing was partly successful (see above).
+ * \return         A negative X509 or PEM error code otherwise.
  *
- * \return         0 if all certificates parsed successfully, a positive number
- *                 if partly successful or a specific X509 or PEM error code
  */
 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen);
 
@@ -220,8 +469,37 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
  *                 if partly successful or a specific X509 or PEM error code
  */
 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
-#endif /* MBEDTLS_FS_IO */
 
+#endif /* MBEDTLS_FS_IO */
+/**
+ * \brief          This function parses an item in the SubjectAlternativeNames
+ *                 extension.
+ *
+ * \param san_buf  The buffer holding the raw data item of the subject
+ *                 alternative name.
+ * \param san      The target structure to populate with the parsed presentation
+ *                 of the subject alternative name encoded in \p san_raw.
+ *
+ * \note           Only "dnsName" and "otherName" of type hardware_module_name
+ *                 as defined in RFC 4180 is supported.
+ *
+ * \note           This function should be called on a single raw data of
+ *                 subject alternative name. For example, after successful
+ *                 certificate parsing, one must iterate on every item in the
+ *                 \p crt->subject_alt_names sequence, and pass it to
+ *                 this function.
+ *
+ * \warning        The target structure contains pointers to the raw data of the
+ *                 parsed certificate, and its lifetime is restricted by the
+ *                 lifetime of the certificate.
+ *
+ * \return         \c 0 on success
+ * \return         #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
+ *                 SAN type.
+ * \return         Another negative value for any other failure.
+ */
+int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
+                                        mbedtls_x509_subject_alternative_name *san);
 /**
  * \brief          Returns an informational string about the
  *                 certificate.
@@ -253,7 +531,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
                                  uint32_t flags);
 
 /**
- * \brief          Verify the certificate signature
+ * \brief          Verify a chain of certificates.
  *
  *                 The verify callback is a user-supplied callback that
  *                 can clear / modify / add flags for a certificate. If set,
@@ -293,22 +571,30 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
  *                 specific peers you know) - in that case, the self-signed
  *                 certificate doesn't need to have the CA bit set.
  *
- * \param crt      a certificate (chain) to be verified
- * \param trust_ca the list of trusted CAs (see note above)
- * \param ca_crl   the list of CRLs for trusted CAs (see note above)
- * \param cn       expected Common Name (can be set to
- *                 NULL if the CN must not be verified)
- * \param flags    result of the verification
- * \param f_vrfy   verification function
- * \param p_vrfy   verification parameter
+ * \param crt      The certificate chain to be verified.
+ * \param trust_ca The list of trusted CAs.
+ * \param ca_crl   The list of CRLs for trusted CAs.
+ * \param cn       The expected Common Name. This will be checked to be
+ *                 present in the certificate's subjectAltNames extension or,
+ *                 if this extension is absent, as a CN component in its
+ *                 Subject name. Currently only DNS names are supported. This
+ *                 may be \c NULL if the CN need not be verified.
+ * \param flags    The address at which to store the result of the verification.
+ *                 If the verification couldn't be completed, the flag value is
+ *                 set to (uint32_t) -1.
+ * \param f_vrfy   The verification callback to use. See the documentation
+ *                 of mbedtls_x509_crt_verify() for more information.
+ * \param p_vrfy   The context to be passed to \p f_vrfy.
  *
- * \return         0 (and flags set to 0) if the chain was verified and valid,
- *                 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
- *                 but found to be invalid, in which case *flags will have one
- *                 or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
- *                 flags set, or another error (and flags set to 0xffffffff)
- *                 in case of a fatal error encountered during the
- *                 verification process.
+ * \return         \c 0 if the chain is valid with respect to the
+ *                 passed CN, CAs, CRLs and security profile.
+ * \return         #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
+ *                 certificate chain verification failed. In this case,
+ *                 \c *flags will have one or more
+ *                 \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
+ *                 flags set.
+ * \return         Another negative error code in case of a fatal error
+ *                 encountered during the verification process.
  */
 int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
                             mbedtls_x509_crt *trust_ca,
@@ -318,7 +604,8 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
                             void *p_vrfy);
 
 /**
- * \brief          Verify the certificate signature according to profile
+ * \brief          Verify a chain of certificates with respect to
+ *                 a configurable security profile.
  *
  * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
  *                 security profile.
@@ -327,22 +614,28 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
  *                 for ECDSA) apply to all certificates: trusted root,
  *                 intermediate CAs if any, and end entity certificate.
  *
- * \param crt      a certificate (chain) to be verified
- * \param trust_ca the list of trusted CAs
- * \param ca_crl   the list of CRLs for trusted CAs
- * \param profile  security profile for verification
- * \param cn       expected Common Name (can be set to
- *                 NULL if the CN must not be verified)
- * \param flags    result of the verification
- * \param f_vrfy   verification function
- * \param p_vrfy   verification parameter
+ * \param crt      The certificate chain to be verified.
+ * \param trust_ca The list of trusted CAs.
+ * \param ca_crl   The list of CRLs for trusted CAs.
+ * \param profile  The security profile to use for the verification.
+ * \param cn       The expected Common Name. This may be \c NULL if the
+ *                 CN need not be verified.
+ * \param flags    The address at which to store the result of the verification.
+ *                 If the verification couldn't be completed, the flag value is
+ *                 set to (uint32_t) -1.
+ * \param f_vrfy   The verification callback to use. See the documentation
+ *                 of mbedtls_x509_crt_verify() for more information.
+ * \param p_vrfy   The context to be passed to \p f_vrfy.
  *
- * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
- *                 in which case *flags will have one or more
- *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
- *                 set,
- *                 or another error in case of a fatal error encountered
- *                 during the verification process.
+ * \return         \c 0 if the chain is valid with respect to the
+ *                 passed CN, CAs, CRLs and security profile.
+ * \return         #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
+ *                 certificate chain verification failed. In this case,
+ *                 \c *flags will have one or more
+ *                 \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
+ *                 flags set.
+ * \return         Another negative error code in case of a fatal error
+ *                 encountered during the verification process.
  */
 int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
                                          mbedtls_x509_crt *trust_ca,
@@ -352,6 +645,108 @@ int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
                                          int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                                          void *p_vrfy);
 
+/**
+ * \brief          Restartable version of \c mbedtls_crt_verify_with_profile()
+ *
+ * \note           Performs the same job as \c mbedtls_crt_verify_with_profile()
+ *                 but can return early and restart according to the limit
+ *                 set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param crt      The certificate chain to be verified.
+ * \param trust_ca The list of trusted CAs.
+ * \param ca_crl   The list of CRLs for trusted CAs.
+ * \param profile  The security profile to use for the verification.
+ * \param cn       The expected Common Name. This may be \c NULL if the
+ *                 CN need not be verified.
+ * \param flags    The address at which to store the result of the verification.
+ *                 If the verification couldn't be completed, the flag value is
+ *                 set to (uint32_t) -1.
+ * \param f_vrfy   The verification callback to use. See the documentation
+ *                 of mbedtls_x509_crt_verify() for more information.
+ * \param p_vrfy   The context to be passed to \p f_vrfy.
+ * \param rs_ctx   The restart context to use. This may be set to \c NULL
+ *                 to disable restartable ECC.
+ *
+ * \return         See \c mbedtls_crt_verify_with_profile(), or
+ * \return         #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                 operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
+                                        mbedtls_x509_crt *trust_ca,
+                                        mbedtls_x509_crl *ca_crl,
+                                        const mbedtls_x509_crt_profile *profile,
+                                        const char *cn, uint32_t *flags,
+                                        int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                        void *p_vrfy,
+                                        mbedtls_x509_crt_restart_ctx *rs_ctx);
+
+/**
+ * \brief               The type of trusted certificate callbacks.
+ *
+ *                      Callbacks of this type are passed to and used by the CRT
+ *                      verification routine mbedtls_x509_crt_verify_with_ca_cb()
+ *                      when looking for trusted signers of a given certificate.
+ *
+ *                      On success, the callback returns a list of trusted
+ *                      certificates to be considered as potential signers
+ *                      for the input certificate.
+ *
+ * \param p_ctx         An opaque context passed to the callback.
+ * \param child         The certificate for which to search a potential signer.
+ *                      This will point to a readable certificate.
+ * \param candidate_cas The address at which to store the address of the first
+ *                      entry in the generated linked list of candidate signers.
+ *                      This will not be \c NULL.
+ *
+ * \note                The callback must only return a non-zero value on a
+ *                      fatal error. If, in contrast, the search for a potential
+ *                      signer completes without a single candidate, the
+ *                      callback must return \c 0 and set \c *candidate_cas
+ *                      to \c NULL.
+ *
+ * \return              \c 0 on success. In this case, \c *candidate_cas points
+ *                      to a heap-allocated linked list of instances of
+ *                      ::mbedtls_x509_crt, and ownership of this list is passed
+ *                      to the caller.
+ * \return              A negative error code on failure.
+ */
+typedef int (*mbedtls_x509_crt_ca_cb_t)(void *p_ctx,
+                                        mbedtls_x509_crt const *child,
+                                        mbedtls_x509_crt **candidate_cas);
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+/**
+ * \brief          Version of \c mbedtls_x509_crt_verify_with_profile() which
+ *                 uses a callback to acquire the list of trusted CA
+ *                 certificates.
+ *
+ * \param crt      The certificate chain to be verified.
+ * \param f_ca_cb  The callback to be used to query for potential signers
+ *                 of a given child certificate. See the documentation of
+ *                 ::mbedtls_x509_crt_ca_cb_t for more information.
+ * \param p_ca_cb  The opaque context to be passed to \p f_ca_cb.
+ * \param profile  The security profile for the verification.
+ * \param cn       The expected Common Name. This may be \c NULL if the
+ *                 CN need not be verified.
+ * \param flags    The address at which to store the result of the verification.
+ *                 If the verification couldn't be completed, the flag value is
+ *                 set to (uint32_t) -1.
+ * \param f_vrfy   The verification callback to use. See the documentation
+ *                 of mbedtls_x509_crt_verify() for more information.
+ * \param p_vrfy   The context to be passed to \p f_vrfy.
+ *
+ * \return         See \c mbedtls_crt_verify_with_profile().
+ */
+int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
+                                       mbedtls_x509_crt_ca_cb_t f_ca_cb,
+                                       void *p_ca_cb,
+                                       const mbedtls_x509_crt_profile *profile,
+                                       const char *cn, uint32_t *flags,
+                                       int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                                       void *p_vrfy);
+
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
 /**
  * \brief          Check usage of certificate against keyUsage extension.
@@ -423,6 +818,18 @@ void mbedtls_x509_crt_init(mbedtls_x509_crt *crt);
  * \param crt      Certificate chain to free
  */
 void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx);
+
+/**
+ * \brief           Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 /* \} name */
diff --git a/common/mbedtls/x509_csr.c b/common/mbedtls/x509_csr.c
new file mode 100644
index 000000000..80ee5cd83
--- /dev/null
+++ b/common/mbedtls/x509_csr.c
@@ -0,0 +1,386 @@
+/*
+ *  X.509 Certificate Signing Request (CSR) parsing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0)  }
+ */
+static int x509_csr_get_version(unsigned char **p,
+                                const unsigned char *end,
+                                int *ver) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
+        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+            *ver = 0;
+            return (0);
+        }
+
+        return (MBEDTLS_ERR_X509_INVALID_VERSION + ret);
+    }
+
+    return (0);
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+                               const unsigned char *buf, size_t buflen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len;
+    unsigned char *p, *end;
+    mbedtls_x509_buf sig_params;
+
+    memset(&sig_params, 0, sizeof(mbedtls_x509_buf));
+
+    /*
+     * Check for valid input
+     */
+    if (csr == NULL || buf == NULL || buflen == 0)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    mbedtls_x509_csr_init(csr);
+
+    /*
+     * first copy the raw DER data
+     */
+    p = mbedtls_calloc(1, len = buflen);
+
+    if (p == NULL)
+        return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+
+    memcpy(p, buf, buflen);
+
+    csr->raw.p = p;
+    csr->raw.len = len;
+    end = p + len;
+
+    /*
+     *  CertificationRequest ::= SEQUENCE {
+     *       certificationRequestInfo CertificationRequestInfo,
+     *       signatureAlgorithm AlgorithmIdentifier,
+     *       signature          BIT STRING
+     *  }
+     */
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT);
+    }
+
+    if (len != (size_t)(end - p)) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
+    /*
+     *  CertificationRequestInfo ::= SEQUENCE {
+     */
+    csr->cri.p = p;
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    end = p + len;
+    csr->cri.len = end - csr->cri.p;
+
+    /*
+     *  Version  ::=  INTEGER {  v1(0) }
+     */
+    if ((ret = x509_csr_get_version(&p, end, &csr->version)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (ret);
+    }
+
+    if (csr->version != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_UNKNOWN_VERSION);
+    }
+
+    csr->version++;
+
+    /*
+     *  subject               Name
+     */
+    csr->subject_raw.p = p;
+
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    if ((ret = mbedtls_x509_get_name(&p, p + len, &csr->subject)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (ret);
+    }
+
+    csr->subject_raw.len = p - csr->subject_raw.p;
+
+    /*
+     *  subjectPKInfo SubjectPublicKeyInfo
+     */
+    if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &csr->pk)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (ret);
+    }
+
+    /*
+     *  attributes    [0] Attributes
+     *
+     *  The list of possible attributes is open-ended, though RFC 2985
+     *  (PKCS#9) defines a few in section 5.4. We currently don't support any,
+     *  so we just ignore them. This is a safe thing to do as the worst thing
+     *  that could happen is that we issue a certificate that does not match
+     *  the requester's expectations - this cannot cause a violation of our
+     *  signature policies.
+     */
+    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT + ret);
+    }
+
+    p += len;
+
+    end = csr->raw.p + csr->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signature            BIT STRING
+     */
+    if ((ret = mbedtls_x509_get_alg(&p, end, &csr->sig_oid, &sig_params)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (ret);
+    }
+
+    if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params,
+                                        &csr->sig_md, &csr->sig_pk,
+                                        &csr->sig_opts)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG);
+    }
+
+    if ((ret = mbedtls_x509_get_sig(&p, end, &csr->sig)) != 0) {
+        mbedtls_x509_csr_free(csr);
+        return (ret);
+    }
+
+    if (p != end) {
+        mbedtls_x509_csr_free(csr);
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+    }
+
+    return (0);
+}
+
+/*
+ * Parse a CSR, allowing for PEM or raw DER encoding
+ */
+int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) {
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t use_len;
+    mbedtls_pem_context pem;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if (csr == NULL || buf == NULL || buflen == 0)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if (buf[buflen - 1] == '\0') {
+        mbedtls_pem_init(&pem);
+        ret = mbedtls_pem_read_buffer(&pem,
+                                      "-----BEGIN CERTIFICATE REQUEST-----",
+                                      "-----END CERTIFICATE REQUEST-----",
+                                      buf, NULL, 0, &use_len);
+        if (ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+            ret = mbedtls_pem_read_buffer(&pem,
+                                          "-----BEGIN NEW CERTIFICATE REQUEST-----",
+                                          "-----END NEW CERTIFICATE REQUEST-----",
+                                          buf, NULL, 0, &use_len);
+        }
+
+        if (ret == 0) {
+            /*
+             * Was PEM encoded, parse the result
+             */
+            ret = mbedtls_x509_csr_parse_der(csr, pem.buf, pem.buflen);
+        }
+
+        mbedtls_pem_free(&pem);
+        if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT)
+            return (ret);
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+    return (mbedtls_x509_csr_parse_der(csr, buf, buflen));
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load a CSR into the structure
+ */
+int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+    unsigned char *buf;
+
+    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0)
+        return (ret);
+
+    ret = mbedtls_x509_csr_parse(csr, buf, n);
+
+    mbedtls_platform_zeroize(buf, n);
+    mbedtls_free(buf);
+
+    return (ret);
+}
+#endif /* MBEDTLS_FS_IO */
+
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CSR.
+ */
+int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
+                          const mbedtls_x509_csr *csr) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf(p, n, "%sCSR version   : %d",
+                           prefix, csr->version);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%ssubject name  : ", prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets(p, n, &csr->subject);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf(p, n, "\n%ssigned using  : ", prefix);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
+                                    csr->sig_opts);
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
+                                            mbedtls_pk_get_name(&csr->pk))) != 0) {
+        return (ret);
+    }
+
+    ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+                           (int) mbedtls_pk_get_bitlen(&csr->pk));
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return ((int)(size - n));
+}
+
+/*
+ * Initialize a CSR
+ */
+void mbedtls_x509_csr_init(mbedtls_x509_csr *csr) {
+    memset(csr, 0, sizeof(mbedtls_x509_csr));
+}
+
+/*
+ * Unallocate all CSR data
+ */
+void mbedtls_x509_csr_free(mbedtls_x509_csr *csr) {
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+
+    if (csr == NULL)
+        return;
+
+    mbedtls_pk_free(&csr->pk);
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    mbedtls_free(csr->sig_opts);
+#endif
+
+    name_cur = csr->subject.next;
+    while (name_cur != NULL) {
+        name_prv = name_cur;
+        name_cur = name_cur->next;
+        mbedtls_platform_zeroize(name_prv, sizeof(mbedtls_x509_name));
+        mbedtls_free(name_prv);
+    }
+
+    if (csr->raw.p != NULL) {
+        mbedtls_platform_zeroize(csr->raw.p, csr->raw.len);
+        mbedtls_free(csr->raw.p);
+    }
+
+    mbedtls_platform_zeroize(csr, sizeof(mbedtls_x509_csr));
+}
+
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/common/mbedtls/x509_csr.h b/common/mbedtls/x509_csr.h
new file mode 100644
index 000000000..dc0bddaae
--- /dev/null
+++ b/common/mbedtls/x509_csr.h
@@ -0,0 +1,303 @@
+/**
+ * \file x509_csr.h
+ *
+ * \brief X.509 certificate signing request parsing and writing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_X509_CSR_H
+#define MBEDTLS_X509_CSR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
+ * \{
+ */
+
+/**
+ * Certificate Signing Request (CSR) structure.
+ */
+typedef struct mbedtls_x509_csr {
+    mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
+    mbedtls_x509_buf cri;           /**< The raw CertificateRequestInfo body (DER). */
+
+    int version;            /**< CSR version (1=v1). */
+
+    mbedtls_x509_buf  subject_raw;  /**< The raw subject data (DER). */
+    mbedtls_x509_name subject;      /**< The parsed subject data (named information object). */
+
+    mbedtls_pk_context pk;          /**< Container for the public key context. */
+
+    mbedtls_x509_buf sig_oid;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+}
+mbedtls_x509_csr;
+
+/**
+ * Container for writing a CSR
+ */
+typedef struct mbedtls_x509write_csr {
+    mbedtls_pk_context *key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_md_type_t md_alg;
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_csr;
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+/**
+ * \brief          Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note           CSR attributes (if any) are currently silently ignored.
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+                               const unsigned char *buf, size_t buflen);
+
+/**
+ * \brief          Load a Certificate Signing Request (CSR), DER or PEM format
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse_der()
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load a Certificate Signing Request (CSR)
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse()
+ *
+ * \param csr      CSR context to fill
+ * \param path     filename to read the CSR from
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path);
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 CSR.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param csr      The X509 CSR to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
+                          const mbedtls_x509_csr *csr);
+
+/**
+ * \brief          Initialize a CSR
+ *
+ * \param csr      CSR to initialize
+ */
+void mbedtls_x509_csr_init(mbedtls_x509_csr *csr);
+
+/**
+ * \brief          Unallocate all CSR data
+ *
+ * \param csr      CSR to free
+ */
+void mbedtls_x509_csr_free(mbedtls_x509_csr *csr);
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+/**
+ * \brief           Initialize a CSR context
+ *
+ * \param ctx       CSR context to initialize
+ */
+void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx);
+
+/**
+ * \brief           Set the subject name for a CSR
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CSR context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx,
+                                           const char *subject_name);
+
+/**
+ * \brief           Set the key for a CSR (public key will be included,
+ *                  private key used to sign the CSR when writing it)
+ *
+ * \param ctx       CSR context to use
+ * \param key       Asymetric key to include
+ */
+void mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_context *key);
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CSR context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg);
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CSR context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
+ */
+int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage);
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CSR context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
+                                           unsigned char ns_cert_type);
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CSR
+ *
+ * \param ctx       CSR context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val, size_t val_len);
+
+/**
+ * \brief           Free the contents of a CSR context
+ *
+ * \param ctx       CSR context to free
+ */
+void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx);
+
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng);
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  PEM string
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng);
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_csr.h */
diff --git a/common/mbedtls/x509write_crt.c b/common/mbedtls/x509write_crt.c
new file mode 100644
index 000000000..80797578b
--- /dev/null
+++ b/common/mbedtls/x509write_crt.c
@@ -0,0 +1,512 @@
+/*
+ *  X.509 certificate writing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * References:
+ * - certificates: RFC 5280, updated by RFC 6818
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/sha1.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_x509write_cert));
+
+    mbedtls_mpi_init(&ctx->serial);
+    ctx->version = MBEDTLS_X509_CRT_VERSION_3;
+}
+
+void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx) {
+    mbedtls_mpi_free(&ctx->serial);
+
+    mbedtls_asn1_free_named_data_list(&ctx->subject);
+    mbedtls_asn1_free_named_data_list(&ctx->issuer);
+    mbedtls_asn1_free_named_data_list(&ctx->extensions);
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_x509write_cert));
+}
+
+void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx,
+                                       int version) {
+    ctx->version = version;
+}
+
+void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx,
+                                      mbedtls_md_type_t md_alg) {
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx,
+                                           mbedtls_pk_context *key) {
+    ctx->subject_key = key;
+}
+
+void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx,
+                                          mbedtls_pk_context *key) {
+    ctx->issuer_key = key;
+}
+
+int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx,
+                                           const char *subject_name) {
+    return mbedtls_x509_string_to_names(&ctx->subject, subject_name);
+}
+
+int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx,
+                                          const char *issuer_name) {
+    return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name);
+}
+
+int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
+                                     const mbedtls_mpi *serial) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if ((ret = mbedtls_mpi_copy(&ctx->serial, serial)) != 0)
+        return (ret);
+
+    return (0);
+}
+
+int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx,
+                                       const char *not_before,
+                                       const char *not_after) {
+    if (strlen(not_before) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
+            strlen(not_after)  != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1) {
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+    }
+    strncpy(ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN);
+    strncpy(ctx->not_after, not_after, MBEDTLS_X509_RFC5280_UTC_TIME_LEN);
+    ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+    ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+
+    return (0);
+}
+
+int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
+                                        const char *oid, size_t oid_len,
+                                        int critical,
+                                        const unsigned char *val, size_t val_len) {
+    return (mbedtls_x509_set_extension(&ctx->extensions, oid, oid_len,
+                                       critical, val, val_len));
+}
+
+int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
+                                                int is_ca, int max_pathlen) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char buf[9];
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset(buf, 0, sizeof(buf));
+
+    if (is_ca && max_pathlen > 127)
+        return (MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+    if (is_ca) {
+        if (max_pathlen >= 0) {
+            MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf,
+                                                             max_pathlen));
+        }
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_bool(&c, buf, 1));
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+                                                     MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE));
+
+    return (
+               mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
+                                                   MBEDTLS_OID_SIZE(MBEDTLS_OID_BASIC_CONSTRAINTS),
+                                                   is_ca, buf + sizeof(buf) - len, len));
+}
+
+#if defined(MBEDTLS_SHA1_C)
+int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset(buf, 0, sizeof(buf));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_pk_write_pubkey(&c, buf, ctx->subject_key));
+
+    ret = mbedtls_sha1_ret(buf + sizeof(buf) - len, len,
+                           buf + sizeof(buf) - 20);
+    if (ret != 0)
+        return (ret);
+    c = buf + sizeof(buf) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_OCTET_STRING));
+
+    return mbedtls_x509write_crt_set_extension(ctx,
+                                               MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+                                               MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER),
+                                               0, buf + sizeof(buf) - len, len);
+}
+
+int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset(buf, 0, sizeof(buf));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_pk_write_pubkey(&c, buf, ctx->issuer_key));
+
+    ret = mbedtls_sha1_ret(buf + sizeof(buf) - len, len,
+                           buf + sizeof(buf) - 20);
+    if (ret != 0)
+        return (ret);
+    c = buf + sizeof(buf) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(&c, buf,
+                                                MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE));
+
+    return mbedtls_x509write_crt_set_extension(
+               ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+               MBEDTLS_OID_SIZE(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER),
+               0, buf + sizeof(buf) - len, len);
+}
+#endif /* MBEDTLS_SHA1_C */
+
+int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
+                                        unsigned int key_usage) {
+    unsigned char buf[5], ku[2];
+    unsigned char *c;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+                                      MBEDTLS_X509_KU_NON_REPUDIATION   |
+                                      MBEDTLS_X509_KU_KEY_ENCIPHERMENT  |
+                                      MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+                                      MBEDTLS_X509_KU_KEY_AGREEMENT     |
+                                      MBEDTLS_X509_KU_KEY_CERT_SIGN     |
+                                      MBEDTLS_X509_KU_CRL_SIGN          |
+                                      MBEDTLS_X509_KU_ENCIPHER_ONLY     |
+                                      MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    /* Check that nothing other than the allowed flags is set */
+    if ((key_usage & ~allowed_bits) != 0)
+        return (MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE);
+
+    c = buf + 5;
+    ku[0] = (unsigned char)(key_usage);
+    ku[1] = (unsigned char)(key_usage >> 8);
+    ret = mbedtls_asn1_write_named_bitstring(&c, buf, ku, 9);
+
+    if (ret < 0)
+        return (ret);
+    else if (ret < 3 || ret > 5)
+        return (MBEDTLS_ERR_X509_INVALID_FORMAT);
+
+    ret = mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_KEY_USAGE,
+                                              MBEDTLS_OID_SIZE(MBEDTLS_OID_KEY_USAGE),
+                                              1, c, (size_t)ret);
+    if (ret != 0)
+        return (ret);
+
+    return (0);
+}
+
+int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
+                                           unsigned char ns_cert_type) {
+    unsigned char buf[4];
+    unsigned char *c;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    c = buf + 4;
+
+    ret = mbedtls_asn1_write_named_bitstring(&c, buf, &ns_cert_type, 8);
+    if (ret < 3 || ret > 4)
+        return (ret);
+
+    ret = mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                              MBEDTLS_OID_SIZE(MBEDTLS_OID_NS_CERT_TYPE),
+                                              0, c, (size_t)ret);
+    if (ret != 0)
+        return (ret);
+
+    return (0);
+}
+
+static int x509_write_time(unsigned char **p, unsigned char *start,
+                           const char *t, size_t size) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t len = 0;
+
+    /*
+     * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
+     */
+    if (t[0] == '2' && t[1] == '0' && t[2] < '5') {
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+                                                                (const unsigned char *) t + 2,
+                                                                size - 2));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+                                                         MBEDTLS_ASN1_UTC_TIME));
+    } else {
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+                                                                (const unsigned char *) t,
+                                                                size));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+                                                         MBEDTLS_ASN1_GENERALIZED_TIME));
+    }
+
+    return ((int) len);
+}
+
+int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
+                              unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+    size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed at the end of the target buffer
+     */
+    c = buf + size;
+
+    /* Signature algorithm needed in TBS, and later for actual signature */
+
+    /* There's no direct way of extracting a signature algorithm
+     * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+    if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA))
+        pk_alg = MBEDTLS_PK_RSA;
+    else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA))
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return (MBEDTLS_ERR_X509_INVALID_ALG);
+
+    if ((ret = mbedtls_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
+                                              &sig_oid, &sig_oid_len)) != 0) {
+        return (ret);
+    }
+
+    /*
+     *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+
+    /* Only for v3 */
+    if (ctx->version == MBEDTLS_X509_CRT_VERSION_3) {
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_x509_write_extensions(&c,
+                                                           buf, ctx->extensions));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(&c, buf,
+                                                    MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE));
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(&c, buf,
+                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                    MBEDTLS_ASN1_CONSTRUCTED | 3));
+    }
+
+    /*
+     *  SubjectPublicKeyInfo
+     */
+    MBEDTLS_ASN1_CHK_ADD(pub_len,
+                         mbedtls_pk_write_pubkey_der(ctx->subject_key,
+                                                     buf, c - buf));
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_x509_write_names(&c, buf,
+                                                  ctx->subject));
+
+    /*
+     *  Validity ::= SEQUENCE {
+     *       notBefore      Time,
+     *       notAfter       Time }
+     */
+    sub_len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD(sub_len,
+                         x509_write_time(&c, buf, ctx->not_after,
+                                         MBEDTLS_X509_RFC5280_UTC_TIME_LEN));
+
+    MBEDTLS_ASN1_CHK_ADD(sub_len,
+                         x509_write_time(&c, buf, ctx->not_before,
+                                         MBEDTLS_X509_RFC5280_UTC_TIME_LEN));
+
+    len += sub_len;
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, sub_len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(&c, buf,
+                                                MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE));
+
+    /*
+     *  Issuer  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_names(&c, buf,
+                                                       ctx->issuer));
+
+    /*
+     *  Signature   ::=  AlgorithmIdentifier
+     */
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_algorithm_identifier(&c, buf,
+                                 sig_oid, strlen(sig_oid), 0));
+
+    /*
+     *  Serial   ::=  INTEGER
+     */
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&c, buf,
+                                                     &ctx->serial));
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+
+    /* Can be omitted for v1 */
+    if (ctx->version != MBEDTLS_X509_CRT_VERSION_1) {
+        sub_len = 0;
+        MBEDTLS_ASN1_CHK_ADD(sub_len,
+                             mbedtls_asn1_write_int(&c, buf, ctx->version));
+        len += sub_len;
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_len(&c, buf, sub_len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(&c, buf,
+                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                    MBEDTLS_ASN1_CONSTRUCTED | 0));
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE));
+
+    /*
+     * Make signature
+     */
+
+    /* Compute hash of CRT. */
+    if ((ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c,
+                          len, hash)) != 0) {
+        return (ret);
+    }
+
+    if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg,
+                               hash, 0, sig, &sig_len,
+                               f_rng, p_rng)) != 0) {
+        return (ret);
+    }
+
+    /* Move CRT to the front of the buffer to have space
+     * for the signature. */
+    memmove(buf, c, len);
+    c = buf + len;
+
+    /* Add signature at the end of the buffer,
+     * making sure that it doesn't underflow
+     * into the CRT buffer. */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c,
+                         sig_oid, sig_oid_len, sig, sig_len));
+
+    /*
+     * Memory layout after this step:
+     *
+     * buf       c=buf+len                c2            buf+size
+     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
+     */
+
+    /* Move raw CRT to just before the signature. */
+    c = c2 - len;
+    memmove(c, buf, len);
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+                                                     MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE));
+
+    return ((int) len);
+}
+
+#define PEM_BEGIN_CRT           "-----BEGIN CERTIFICATE-----\n"
+#define PEM_END_CRT             "-----END CERTIFICATE-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *crt,
+                              unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t olen;
+
+    if ((ret = mbedtls_x509write_crt_der(crt, buf, size,
+                                         f_rng, p_rng)) < 0) {
+        return (ret);
+    }
+
+    if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT,
+                                        buf + size - ret, ret,
+                                        buf, size, &olen)) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
diff --git a/common/mbedtls/x509write_csr.c b/common/mbedtls/x509write_csr.c
new file mode 100644
index 000000000..0be337393
--- /dev/null
+++ b/common/mbedtls/x509write_csr.c
@@ -0,0 +1,323 @@
+/*
+ *  X.509 Certificate Signing Request writing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * References:
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_x509write_csr));
+}
+
+void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx) {
+    mbedtls_asn1_free_named_data_list(&ctx->subject);
+    mbedtls_asn1_free_named_data_list(&ctx->extensions);
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_x509write_csr));
+}
+
+void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg) {
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_context *key) {
+    ctx->key = key;
+}
+
+int mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx,
+                                           const char *subject_name) {
+    return mbedtls_x509_string_to_names(&ctx->subject, subject_name);
+}
+
+int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val, size_t val_len) {
+    return mbedtls_x509_set_extension(&ctx->extensions, oid, oid_len,
+                                      0, val, val_len);
+}
+
+int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage) {
+    unsigned char buf[4];
+    unsigned char *c;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    c = buf + 4;
+
+    ret = mbedtls_asn1_write_named_bitstring(&c, buf, &key_usage, 8);
+    if (ret < 3 || ret > 4)
+        return (ret);
+
+    ret = mbedtls_x509write_csr_set_extension(ctx, MBEDTLS_OID_KEY_USAGE,
+                                              MBEDTLS_OID_SIZE(MBEDTLS_OID_KEY_USAGE),
+                                              c, (size_t)ret);
+    if (ret != 0)
+        return (ret);
+
+    return (0);
+}
+
+int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
+                                           unsigned char ns_cert_type) {
+    unsigned char buf[4];
+    unsigned char *c;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    c = buf + 4;
+
+    ret = mbedtls_asn1_write_named_bitstring(&c, buf, &ns_cert_type, 8);
+    if (ret < 3 || ret > 4)
+        return (ret);
+
+    ret = mbedtls_x509write_csr_set_extension(ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                              MBEDTLS_OID_SIZE(MBEDTLS_OID_NS_CERT_TYPE),
+                                              c, (size_t)ret);
+    if (ret != 0)
+        return (ret);
+
+    return (0);
+}
+
+static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
+                                      unsigned char *buf,
+                                      size_t size,
+                                      unsigned char *sig,
+                                      int (*f_rng)(void *, unsigned char *, size_t),
+                                      void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+    size_t hash_len;
+    psa_algorithm_t hash_alg = mbedtls_psa_translate_md(ctx->md_alg);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    /* Write the CSR backwards starting from the end of buf */
+    c = buf + size;
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_extensions(&c, buf,
+                                                            ctx->extensions));
+
+    if (len) {
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(
+                                 &c, buf,
+                                 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(
+                                 &c, buf,
+                                 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET));
+
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_oid(
+                                 &c, buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+                                 MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS9_CSR_EXT_REQ)));
+
+        MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+        MBEDTLS_ASN1_CHK_ADD(len,
+                             mbedtls_asn1_write_tag(
+                                 &c, buf,
+                                 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+    }
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(
+                             &c, buf,
+                             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC));
+
+    MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_pk_write_pubkey_der(ctx->key,
+                                                              buf, c - buf));
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_names(&c, buf,
+                                                       ctx->subject));
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 0));
+
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(
+                             &c, buf,
+                             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+    /*
+     * Sign the written CSR data into the sig buffer
+     * Note: hash errors can happen only after an internal error
+     */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (psa_hash_setup(&hash_operation, hash_alg) != PSA_SUCCESS)
+        return (MBEDTLS_ERR_X509_FATAL_ERROR);
+
+    if (psa_hash_update(&hash_operation, c, len) != PSA_SUCCESS)
+        return (MBEDTLS_ERR_X509_FATAL_ERROR);
+
+    if (psa_hash_finish(&hash_operation, hash, sizeof(hash), &hash_len)
+            != PSA_SUCCESS) {
+        return (MBEDTLS_ERR_X509_FATAL_ERROR);
+    }
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+    ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c, len, hash);
+    if (ret != 0)
+        return (ret);
+#endif
+    if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
+                               f_rng, p_rng)) != 0) {
+        return (ret);
+    }
+
+    if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA))
+        pk_alg = MBEDTLS_PK_RSA;
+    else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA))
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return (MBEDTLS_ERR_X509_INVALID_ALG);
+
+    if ((ret = mbedtls_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
+                                              &sig_oid, &sig_oid_len)) != 0) {
+        return (ret);
+    }
+
+    /*
+     * Move the written CSR data to the start of buf to create space for
+     * writing the signature into buf.
+     */
+    memmove(buf, c, len);
+
+    /*
+     * Write sig and its OID into buf backwards from the end of buf.
+     * Note: mbedtls_x509_write_sig will check for c2 - ( buf + len ) < sig_len
+     * and return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if needed.
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len,
+                         mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len,
+                                                sig, sig_len));
+
+    /*
+     * Compact the space between the CSR data and signature by moving the
+     * CSR data to the start of the signature.
+     */
+    c2 -= len;
+    memmove(c2, buf, len);
+
+    /* ASN encode the total size and tag the CSR data with it. */
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c2, buf, len));
+    MBEDTLS_ASN1_CHK_ADD(len,
+                         mbedtls_asn1_write_tag(
+                             &c2, buf,
+                             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+    /* Zero the unused bytes at the start of buf */
+    memset(buf, 0, c2 - buf);
+
+    return ((int) len);
+}
+
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
+                              size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret;
+    unsigned char *sig;
+
+    if ((sig = mbedtls_calloc(1, MBEDTLS_PK_SIGNATURE_MAX_SIZE)) == NULL) {
+        return (MBEDTLS_ERR_X509_ALLOC_FAILED);
+    }
+
+    ret = x509write_csr_der_internal(ctx, buf, size, sig, f_rng, p_rng);
+
+    mbedtls_free(sig);
+
+    return (ret);
+}
+
+#define PEM_BEGIN_CSR           "-----BEGIN CERTIFICATE REQUEST-----\n"
+#define PEM_END_CSR             "-----END CERTIFICATE REQUEST-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng) {
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t olen = 0;
+
+    if ((ret = mbedtls_x509write_csr_der(ctx, buf, size,
+                                         f_rng, p_rng)) < 0) {
+        return (ret);
+    }
+
+    if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CSR, PEM_END_CSR,
+                                        buf + size - ret,
+                                        ret, buf, size, &olen)) != 0) {
+        return (ret);
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
diff --git a/common/mbedtls/xtea.c b/common/mbedtls/xtea.c
new file mode 100644
index 000000000..4ff9c8529
--- /dev/null
+++ b/common/mbedtls/xtea.c
@@ -0,0 +1,261 @@
+/*
+ *  An 32-bit implementation of the XTEA algorithm
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_XTEA_C)
+
+#include "mbedtls/xtea.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_XTEA_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_xtea_init(mbedtls_xtea_context *ctx) {
+    memset(ctx, 0, sizeof(mbedtls_xtea_context));
+}
+
+void mbedtls_xtea_free(mbedtls_xtea_context *ctx) {
+    if (ctx == NULL)
+        return;
+
+    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_xtea_context));
+}
+
+/*
+ * XTEA key schedule
+ */
+void mbedtls_xtea_setup(mbedtls_xtea_context *ctx, const unsigned char key[16]) {
+    int i;
+
+    memset(ctx, 0, sizeof(mbedtls_xtea_context));
+
+    for (i = 0; i < 4; i++) {
+        GET_UINT32_BE(ctx->k[i], key, i << 2);
+    }
+}
+
+/*
+ * XTEA encrypt function
+ */
+int mbedtls_xtea_crypt_ecb(mbedtls_xtea_context *ctx, int mode,
+                           const unsigned char input[8], unsigned char output[8]) {
+    uint32_t *k, v0, v1, i;
+
+    k = ctx->k;
+
+    GET_UINT32_BE(v0, input, 0);
+    GET_UINT32_BE(v1, input, 4);
+
+    if (mode == MBEDTLS_XTEA_ENCRYPT) {
+        uint32_t sum = 0, delta = 0x9E3779B9;
+
+        for (i = 0; i < 32; i++) {
+            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+            sum += delta;
+            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
+        }
+    } else { /* MBEDTLS_XTEA_DECRYPT */
+        uint32_t delta = 0x9E3779B9, sum = delta * 32;
+
+        for (i = 0; i < 32; i++) {
+            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
+            sum -= delta;
+            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+        }
+    }
+
+    PUT_UINT32_BE(v0, output, 0);
+    PUT_UINT32_BE(v1, output, 4);
+
+    return (0);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * XTEA-CBC buffer encryption/decryption
+ */
+int mbedtls_xtea_crypt_cbc(mbedtls_xtea_context *ctx, int mode, size_t length,
+                           unsigned char iv[8], const unsigned char *input,
+                           unsigned char *output) {
+    int i;
+    unsigned char temp[8];
+
+    if (length % 8)
+        return (MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH);
+
+    if (mode == MBEDTLS_XTEA_DECRYPT) {
+        while (length > 0) {
+            memcpy(temp, input, 8);
+            mbedtls_xtea_crypt_ecb(ctx, mode, input, output);
+
+            for (i = 0; i < 8; i++)
+                output[i] = (unsigned char)(output[i] ^ iv[i]);
+
+            memcpy(iv, temp, 8);
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    } else {
+        while (length > 0) {
+            for (i = 0; i < 8; i++)
+                output[i] = (unsigned char)(input[i] ^ iv[i]);
+
+            mbedtls_xtea_crypt_ecb(ctx, mode, output, output);
+            memcpy(iv, output, 8);
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return (0);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* !MBEDTLS_XTEA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * XTEA tests vectors (non-official)
+ */
+
+static const unsigned char xtea_test_key[6][16] = {
+    {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+        0x0c, 0x0d, 0x0e, 0x0f
+    },
+    {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+        0x0c, 0x0d, 0x0e, 0x0f
+    },
+    {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+        0x0c, 0x0d, 0x0e, 0x0f
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    }
+};
+
+static const unsigned char xtea_test_pt[6][8] = {
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f },
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55 }
+};
+
+static const unsigned char xtea_test_ct[6][8] = {
+    { 0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5 },
+    { 0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5 },
+    { 0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_xtea_self_test(int verbose) {
+    int i, ret = 0;
+    unsigned char buf[8];
+    mbedtls_xtea_context ctx;
+
+    mbedtls_xtea_init(&ctx);
+    for (i = 0; i < 6; i++) {
+        if (verbose != 0)
+            mbedtls_printf("  XTEA test #%d: ", i + 1);
+
+        memcpy(buf, xtea_test_pt[i], 8);
+
+        mbedtls_xtea_setup(&ctx, xtea_test_key[i]);
+        mbedtls_xtea_crypt_ecb(&ctx, MBEDTLS_XTEA_ENCRYPT, buf, buf);
+
+        if (memcmp(buf, xtea_test_ct[i], 8) != 0) {
+            if (verbose != 0)
+                mbedtls_printf("failed\n");
+
+            ret = 1;
+            goto exit;
+        }
+
+        if (verbose != 0)
+            mbedtls_printf("passed\n");
+    }
+
+    if (verbose != 0)
+        mbedtls_printf("\n");
+
+exit:
+    mbedtls_xtea_free(&ctx);
+
+    return (ret);
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_XTEA_C */
diff --git a/common/mbedtls/xtea.h b/common/mbedtls/xtea.h
new file mode 100644
index 000000000..0b7714e4f
--- /dev/null
+++ b/common/mbedtls/xtea.h
@@ -0,0 +1,136 @@
+/**
+ * \file xtea.h
+ *
+ * \brief XTEA block cipher (32-bit)
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+#ifndef MBEDTLS_XTEA_H
+#define MBEDTLS_XTEA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_XTEA_ENCRYPT     1
+#define MBEDTLS_XTEA_DECRYPT     0
+
+#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_XTEA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          XTEA context structure
+ */
+typedef struct mbedtls_xtea_context {
+    uint32_t k[4];       /*!< key */
+}
+mbedtls_xtea_context;
+
+#else  /* MBEDTLS_XTEA_ALT */
+#include "xtea_alt.h"
+#endif /* MBEDTLS_XTEA_ALT */
+
+/**
+ * \brief          Initialize XTEA context
+ *
+ * \param ctx      XTEA context to be initialized
+ */
+void mbedtls_xtea_init(mbedtls_xtea_context *ctx);
+
+/**
+ * \brief          Clear XTEA context
+ *
+ * \param ctx      XTEA context to be cleared
+ */
+void mbedtls_xtea_free(mbedtls_xtea_context *ctx);
+
+/**
+ * \brief          XTEA key schedule
+ *
+ * \param ctx      XTEA context to be initialized
+ * \param key      the secret key
+ */
+void mbedtls_xtea_setup(mbedtls_xtea_context *ctx, const unsigned char key[16]);
+
+/**
+ * \brief          XTEA cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param input    8-byte input block
+ * \param output   8-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_xtea_crypt_ecb(mbedtls_xtea_context *ctx,
+                           int mode,
+                           const unsigned char input[8],
+                           unsigned char output[8]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          XTEA CBC cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param length   the length of input, multiple of 8
+ * \param iv       initialization vector for CBC mode
+ * \param input    input block
+ * \param output   output block
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
+ */
+int mbedtls_xtea_crypt_cbc(mbedtls_xtea_context *ctx,
+                           int mode,
+                           size_t length,
+                           unsigned char iv[8],
+                           const unsigned char *input,
+                           unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_xtea_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* xtea.h */