Update version number to 2.6.1

Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the Signature Algorithm extension when renegotiating. (By nature, this bug affected only the server) The tests check for the fallback hash (SHA1) in the server log to detect that the Signature Algorithm extension hasn't been parsed at least in one of the handshakes. A more direct way of testing is not possible with the current test framework, since the Signature Algorithm extension is parsed in the first handshake and any corresponding debug message is present in the logs.
2025-08-08 20:31:11 +00:00 · 2017-10-06 16:07:10 +01:00 · 2017-10-06 15:42:54 +01:00 · 2017-10-06 15:42:54 +01:00
749 changed files with 25655 additions and 93028 deletions
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@ -8,7 +8,7 @@ Note: This is just a template, so feel free to use/remove the unnecessary things
 ## Bug
 **OS**  
-Mbed OS|linux|windows|
+mbed-OS|linux|windows|
 **mbed TLS build:**  
 Version: x.x.x or git commit id  
@ -38,4 +38,4 @@ Version:
 ## Question
-**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferably file an issue in the [Mbed TLS support forum](https://forums.mbed.com/c/mbed-tls)**  
+**Please first check for answers in the [mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferebly file an issue in the [mbed TLS support forum](https://tls.mbed.org/discussions)**  
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,5 +1,8 @@
 Notes:
-* Pull requests cannot be accepted until the PR follows the [contributing guidelines](../CONTRIBUTING.md). In particular, each commit must have at least one `Signed-off-by:` line from the committer to certify that the contribution is made under the terms of the [Developer Certificate of Origin](../dco.txt).
+* Pull requests cannot be accepted until:
 -  The submitter has [accepted the online agreement here with a click through](https://developer.mbed.org/contributor_agreement/) 
   or for companies or those that do not wish to create an mbed account, a slightly different agreement can be found [here](https://www.mbed.com/en/about-mbed/contributor-license-agreements/)
 - The PR follows the [mbed TLS coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards)
 * This is just a template, so feel free to use/remove the unnecessary things
 ## Description
 A few sentences describing the overall goals of the pull request's commits.
--- a/.gitignore
+++ b/.gitignore
@ -1,20 +1,8 @@
 # Random seed file created by test scripts and sample programs
 seedfile
 # CMake build artifacts:
 CMakeCache.txt
 CMakeFiles
 CTestTestfile.cmake
 cmake_install.cmake
 Testing
 # CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those:
 *.dir/
 # MSVC files generated by CMake:
 /*.sln
 /*.vcxproj
 /*.filters
 # Test coverage build artifacts:
 Coverage
 *.gcno
 *.gcda
@ -22,23 +10,16 @@ Coverage
 # generated by scripts/memory.sh
 massif-*
 # MSVC files generated by CMake:
 /*.sln
 /*.vcxproj
 /*.filters
 # MSVC build artifacts:
 *.exe
 *.pdb
 *.ilk
 *.lib
-# Python build artifacts:
+# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those:
-*.pyc
+*.dir/
 # Generated documentation:
 /apidoc
 # Editor navigation files:
 /GPATH
 /GRTAGS
 /GSYMS
 /GTAGS
 /TAGS
 /cscope*.out
 /tags
--- a/.globalrc
+++ b/.globalrc
@ -1,3 +0,0 @@
 default:\
    :langmap=c\:.c.h.function:\
--- a/.pylintrc
+++ b/.pylintrc
@ -1,72 +0,0 @@
 [BASIC]
 # We're ok with short funtion argument names.
 # [invalid-name]
 argument-rgx=[a-z_][a-z0-9_]*$
 # Allow filter and map.
 # [bad-builtin]
 bad-functions=input
 # We prefer docstrings, but we don't require them on all functions.
 # Require them only on long functions (for some value of long).
 # [missing-docstring]
 docstring-min-length=10
 # Allow longer methods than the default.
 # [invalid-name]
 method-rgx=[a-z_][a-z0-9_]{2,35}$
 # Allow module names containing a dash (but no underscore or uppercase letter).
 # They are whole programs, not meant to be included by another module.
 # [invalid-name]
 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|[a-z][-0-9a-z]+)$
 # Some functions don't need docstrings.
 # [missing-docstring]
 no-docstring-rgx=(run_)main$
 # We're ok with short local or global variable names.
 # [invalid-name]
 variable-rgx=[a-z_][a-z0-9_]*$
 [DESIGN]
 # Allow more than the default 7 attributes.
 # [too-many-instance-attributes]
 max-attributes=15
 [FORMAT]
 # Allow longer modules than the default recommended maximum.
 # [too-many-lines]
 max-module-lines=2000
 [MESSAGES CONTROL]
 # * locally-disabled, locally-enabled: If we disable or enable a message
 #   locally, it's by design. There's no need to clutter the Pylint output
 #   with this information.
 # * logging-format-interpolation: Pylint warns about things like
 #   ``log.info('...'.format(...))``. It insists on ``log.info('...', ...)``.
 #   This is of minor utility (mainly a performance gain when there are
 #   many messages that use formatting and are below the log level).
 #   Some versions of Pylint (including 1.8, which is the version on
 #   Ubuntu 18.04) only recognize old-style format strings using '%',
 #   and complain about something like ``log.info('{}', foo)`` with
 #   logging-too-many-args (Pylint supports new-style formatting if
 #   declared globally with logging_format_style under [LOGGING] but
 #   this requires Pylint >=2.2).
 # * no-else-return: Allow the perfectly reasonable idiom
 #    if condition1:
 #        return value1
 #    else:
 #        return value2
 # * unnecessary-pass: If we take the trouble of adding a line with "pass",
 #   it's because we think the code is clearer that way.
 disable=locally-disabled,locally-enabled,logging-format-interpolation,no-else-return,unnecessary-pass
 [REPORTS]
 # Don't diplay statistics. Just the facts.
 reports=no
 [VARIABLES]
 # Allow unused variables if their name starts with an underscore.
 # [unused-argument]
 dummy-variables-rgx=_.*
--- a/.travis.yml
+++ b/.travis.yml
@ -1,64 +1,39 @@
 language: c
-compiler: gcc
+compiler:
 - clang
 - gcc
 sudo: false
 cache: ccache
-
+script:
-jobs:
+- tests/scripts/recursion.pl library/*.c
-  include:
+- tests/scripts/check-generated-files.sh
-    - name: basic checks and reference configurations
+- tests/scripts/check-doxy-blocks.pl
-      addons:
+- tests/scripts/check-names.sh
-        apt:
+- tests/scripts/doxygen.sh
-          packages:
+- cmake -D CMAKE_BUILD_TYPE:String="Check" .
-          - gnutls-bin
+- make
-          - doxygen
+- make test
-          - graphviz
+- programs/test/selftest
-          - gcc-arm-none-eabi
+- OSSL_NO_DTLS=1 tests/compat.sh
-          - libnewlib-arm-none-eabi
+- tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl'
-      language: python # Needed to get pip for Python 3
+- tests/scripts/test-ref-configs.pl
-      python: 3.5 # version from Ubuntu 16.04
+- tests/scripts/curves.pl
-      install:
+- tests/scripts/key-exchanges.pl
        - pip install pylint==2.4.4
      script:
        - tests/scripts/all.sh -k 'check_*'
        - tests/scripts/all.sh -k test_default_out_of_box
        - tests/scripts/test-ref-configs.pl
        - tests/scripts/all.sh -k build_arm_none_eabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
    - name: full configuration
      script:
        - tests/scripts/all.sh -k test_full_cmake_gcc_asan
    - name: check compilation guards
      script:
        - tests/scripts/all.sh -k 'test_depends_*' 'build_key_exchanges'
    - name: macOS
      os: osx
      compiler: clang
      script:
        - tests/scripts/all.sh -k test_default_out_of_box
    - name: Windows
      os: windows
      script:
        - scripts/windows_msbuild.bat v141 # Visual Studio 2017
 after_failure:
 - tests/scripts/travis-log-failure.sh
 env:
  global:
-    - SEED=1
+    secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="
    - secure: "FrI5d2s+ckckC17T66c8jm2jV6i2DkBPU5nyWzwbedjmEBeocREfQLd/x8yKpPzLDz7ghOvr+/GQvsPPn0dVkGlNzm3Q+hGHc/ujnASuUtGrcuMM+0ALnJ3k4rFr9xEvjJeWb4SmhJO5UCAZYvTItW4k7+bj9L+R6lt3TzQbXzg="
 addons:
  apt:
    packages:
-    - gnutls-bin
+    - doxygen
    - graphviz
  coverity_scan:
    project:
      name: "ARMmbed/mbedtls"
-    notification_email: support-mbedtls@arm.com
+    notification_email: p.j.bakker@polarssl.org
    build_command_prepend:
    build_command: make
    branch_pattern: coverity_scan
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,27 +1,18 @@
 cmake_minimum_required(VERSION 2.6)
-if(TEST_CPP)
+project("mbed TLS" C)
    project("mbed TLS" C CXX)
 else()
    project("mbed TLS" C)
 endif()
 option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
 option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
-option(ENABLE_PROGRAMS "Build mbed TLS programs." OFF)
+option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
 option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
 string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
 string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}")
 string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${CMAKE_C_COMPILER_ID}")
 string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${CMAKE_C_COMPILER_ID}")
 # the test suites currently have compile errors with MSVC
-if(CMAKE_COMPILER_IS_MSVC)
+if(MSVC)
    option(ENABLE_TESTING "Build mbed TLS tests." OFF)
 else()
-    option(ENABLE_TESTING "Build mbed TLS tests." OFF)
+    option(ENABLE_TESTING "Build mbed TLS tests." ON)
 endif()
 # Warning string - created as a list for compatibility with CMake 2.8
@ -36,29 +27,11 @@ set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
                         "${NULL_ENTROPY_WARN_L3}"
                         "${WARNING_BORDER}")
 set(CTR_DRBG_128_BIT_KEY_WARN_L1 "****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
 set(CTR_DRBG_128_BIT_KEY_WARN_L2 "****  Using 128-bit keys for CTR_DRBG limits the security of generated\n")
 set(CTR_DRBG_128_BIT_KEY_WARN_L3 "****  keys and operations that use random values generated to 128-bit security\n")
 set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
                         "${CTR_DRBG_128_BIT_KEY_WARN_L1}"
                         "${CTR_DRBG_128_BIT_KEY_WARN_L2}"
                         "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
                         "${WARNING_BORDER}")
 find_package(PythonInterp)
 find_package(Perl)
 if(PERL_FOUND)
    # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
                        RESULT_VARIABLE result)
    if(${result} EQUAL 0)
        message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
    endif()
    # If NULL Entropy is configured, display an appropriate warning
-    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
+    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
                        RESULT_VARIABLE result)
    if(${result} EQUAL 0)
        message(WARNING ${NULL_ENTROPY_WARNING})
@ -83,43 +56,9 @@ set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
    CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
    FORCE)
 # Create a symbolic link from ${base_name} in the binary directory
 # to the corresponding path in the source directory.
 function(link_to_source base_name)
    # Get OS dependent path to use in `execute_process`
    if (CMAKE_HOST_WIN32)
        #mklink is an internal command of cmd.exe it can only work with \
        string(REPLACE "/" "\\" link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
        string(REPLACE "/" "\\" target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
    else()
        set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
        set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
    endif()
    if (NOT EXISTS ${link})
        if (CMAKE_HOST_UNIX)
            set(command ln -s ${target} ${link})
        else()
            if (IS_DIRECTORY ${target})
                set(command cmd.exe /c mklink /j ${link} ${target})
            else()
                set(command cmd.exe /c mklink /h ${link} ${target})
            endif()
        endif()
        execute_process(COMMAND ${command}
            RESULT_VARIABLE result
            ERROR_VARIABLE output)
        if (NOT ${result} EQUAL 0)
            message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
        endif()
    endif()
 endfunction(link_to_source)
 string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
-if(CMAKE_COMPILER_IS_GNU)
+if(CMAKE_COMPILER_IS_GNUCC)
    # some warnings we want are not available with old GCC versions
    # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
    execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
@ -138,37 +77,30 @@ if(CMAKE_COMPILER_IS_GNU)
    set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
    set(CMAKE_C_FLAGS_CHECK       "-Werror -Os")
    set(CMAKE_C_FLAGS_CHECKFULL   "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
-endif(CMAKE_COMPILER_IS_GNU)
+endif(CMAKE_COMPILER_IS_GNUCC)
 if(CMAKE_COMPILER_IS_CLANG)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
    set(CMAKE_C_FLAGS_RELEASE     "-O2")
    set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
    set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
-    set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
+    set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O3")
-    set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+    set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
    set(CMAKE_C_FLAGS_MEMSAN      "-Werror -fsanitize=memory -O3")
    set(CMAKE_C_FLAGS_MEMSANDBG   "-Werror -fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
    set(CMAKE_C_FLAGS_CHECK       "-Werror -Os")
 endif(CMAKE_COMPILER_IS_CLANG)
-if(CMAKE_COMPILER_IS_IAR)
+if(MSVC)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts --warnings_are_errors -Ohz")
 endif(CMAKE_COMPILER_IS_IAR)
 if(CMAKE_COMPILER_IS_MSVC)
    # Compile with UTF-8 encoding (REMOVE THIS COMMIT ONCE A FIX IS DEPLOYED UPSTREAM)
    add_compile_options(/utf-8)
    # Strictest warnings, and treat as errors
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3")
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
-endif(CMAKE_COMPILER_IS_MSVC)
+endif(MSVC)
 if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
-    if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
+    if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
        set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
-    endif(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
+    endif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
 endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
 if(LIB_INSTALL_DIR)
@ -194,8 +126,8 @@ if(ENABLE_PROGRAMS)
 endif()
 ADD_CUSTOM_TARGET(apidoc
-    COMMAND doxygen mbedtls.doxyfile
+    COMMAND doxygen doxygen/mbedtls.doxyfile
-    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
+    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
 if(ENABLE_TESTING)
    enable_testing()
@ -231,13 +163,4 @@ if(ENABLE_TESTING)
            COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
        )
    endif(UNIX)
    # Make scripts needed for testing available in an out-of-source build.
    if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
        link_to_source(scripts)
        # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
        # keep things simple with the sed commands in the memcheck target.
        configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
                    ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
    endif()
 endif()
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,82 +0,0 @@
 Contributing
 ============
 We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
 - As with any open source project, contributions will be reviewed by the project team and community and may need some modifications to be accepted.
 - The contribution should not break API or ABI, unless there is a real justification for that. If there is an API change, the contribution, if accepted, will be merged only when there will be a major release.
 Coding Standards
 ----------------
 - We would ask that contributions conform to [our coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards), and that contributions are fully tested before submission, as mentioned in the [Tests](#tests) and [Continuous Integration](#continuous-integration-tests) sections.
 - The code should be written in a clean and readable style.
 - The code should be written in a portable generic way, that will benefit the whole community, and not only your own needs.
 - The code should be secure, and will be reviewed from a security point of view as well.
 Making a Contribution
 ---------------------
 1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls) around a feature idea or a bug.
 1. Fork the [Mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/ARMmbed/mbedtls/tree/development) as a basis.
 1. Write a test which shows that the bug was fixed or that the feature works as expected.
 1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. We will include your name in the ChangeLog :)
 1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
 1. All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible.
 1. Ensure that each commit has at least one `Signed-off-by:` line from the committer. If anyone else contributes to the commit, they should also add their own `Signed-off-by:` line. By adding this line, contributor(s) certify that the contribution is made under the terms of the [Developer Certificate of Origin](dco.txt). The contribution licensing is described in the [License section of the README](README.md#License).
 API/ABI Compatibility
 ---------------------
 The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches.
 To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change.
 Where changes to an existing interface are necessary, functions in the public interface which need to be changed, are marked as 'deprecated'. This is done with the preprocessor symbols `MBEDTLS_DEPRECATED_WARNING` and `MBEDTLS_DEPRECATED_REMOVED`. Then, a new function with a new name but similar if not identical behaviour to the original function containing the necessary changes should be created alongside the existing deprecated function.
 When a build is made with the deprecation preprocessor symbols defined, a compiler warning will be generated to warn a user that the function will be removed at some point in the future, notifying users that they should change from the older deprecated function to the newer function at their own convenience.
 Therefore, no changes are permitted to the definition of functions in the public interface which will change the API. Instead the interface can only be changed by its extension. As described above, if a function needs to be changed, a new function needs to be created alongside it, with a new name, and whatever change is necessary, such as a new parameter or the addition of a return value.
 Periodically, the library will remove deprecated functions from the library which will be a breaking change in the API, but such changes will be made only in a planned, structured way that gives sufficient notice to users of the library.
 Long Term Support Branches
 --------------------------
 Mbed TLS maintains several LTS (Long Term Support) branches, which are maintained continuously for a given period. The LTS branches are provided to allow users of the library to have a maintained, stable version of the library which contains only security fixes and fixes for other defects, without encountering additional features or API extensions which may introduce issues or change the code size or RAM usage, which can be significant considerations on some platforms. To allow users to take advantage of the LTS branches, these branches maintain backwards compatibility for both the public API and ABI.
 When backporting to these branches please observe the following rules:
 1. Any change to the library which changes the API or ABI cannot be backported.
 1. All bug fixes that correct a defect that is also present in an LTS branch must be backported to that LTS branch. If a bug fix introduces a change to the API such as a new function, the fix should be reworked to avoid the API change. API changes without very strong justification are unlikely to be accepted.
 1. If a contribution is a new feature or enhancement, no backporting is required. Exceptions to this may be additional test cases or quality improvements such as changes to build or test scripts.
 It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors.
 Currently maintained LTS branches are:
 1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7)
 1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16)
 Tests
 -----
 As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
 Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_mpi.c`). These files are generated from a `function file` (e.g. `suites/test_suite_mpi.function`) and a `data file` (e.g. `suites/test_suite_mpi.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
 [A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://tls.mbed.org/kb/development/test_suites).
 A test script `tests/scripts/basic-build-test.sh` is available to show test coverage of the library. New code contributions should provide a similar level of code coverage to that which already exists for the library.
 Sample applications, if needed, should be modified as well.
 Continuous Integration Tests
 ----------------------------
 Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
 It is advised to enable the [githooks scripts](https://github.com/ARMmbed/mbedtls/tree/development/tests/git-scripts) prior to pushing your changes, for catching some of the issues as early as possible.
 Documentation
 -------------
 Mbed TLS is well documented, but if you think documentation is needed, speak out!
 1. All interfaces should be documented through Doxygen. New APIs should introduce Doxygen documentation.
 1. Complex parts in the code should include comments.
 1. If needed, a Readme file is advised.
 1. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
 1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog.d/00README.md) entry should be added for this contribution.
--- a/1361
+++ b/1361
--- a/ChangeLog.d/00README.md
+++ b/ChangeLog.d/00README.md
@ -1,88 +0,0 @@
 # Pending changelog entry directory
 This directory contains changelog entries that have not yet been merged
 to the changelog file ([`../ChangeLog`](../ChangeLog)).
 ## What requires a changelog entry?
 Write a changelog entry if there is a user-visible change. This includes:
 * Bug fixes in the library or in sample programs: fixing a security hole,
  fixing broken behavior, fixing the build in some configuration or on some
  platform, etc.
 * New features in the library, new sample programs, or new platform support.
 * Changes in existing behavior. These should be rare. Changes in features
  that are documented as experimental may or may not be announced, depending
  on the extent of the change and how widely we expect the feature to be used.
 We generally don't include changelog entries for:
 * Documentation improvements.
 * Performance improvements, unless they are particularly significant.
 * Changes to parts of the code base that users don't interact with directly,
  such as test code and test data.
 Until Mbed TLS 2.16.8, we required changelog entries in more cases.
 Looking at older changelog entries is good practice for how to write a
 changelog entry, but not for deciding whether to write one.
 ## Changelog entry file format
 A changelog entry file must have the extension `*.txt` and must have the
 following format:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Security
   * Change description.
   * Another change description.
 Features
   * Yet another change description. This is a long change description that
     spans multiple lines.
   * Yet again another change description.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The permitted changelog entry categories are as follows:
 <!-- Keep this synchronized with STANDARD_CATEGORIES in assemble_changelog.py! -->
    API changes
    Default behavior changes
    Requirement changes
    New deprecations
    Removals
    Features
    Security
    Bugfix
    Changes
 Use “Changes” for anything that doesn't fit in the other categories.
 ## How to write a changelog entry
 Each entry starts with three spaces, an asterisk and a space. Continuation
 lines start with 5 spaces. Lines wrap at 79 characters.
 Write full English sentences with proper capitalization and punctuation. Use
 the present tense. Use the imperative where applicable. For example: “Fix a
 bug in mbedtls_xxx() ….”
 Include GitHub issue numbers where relevant. Use the format “#1234” for an
 Mbed TLS issue. Add other external references such as CVE numbers where
 applicable.
 Credit bug reporters where applicable.
 **Explain why, not how**. Remember that the audience is the users of the
 library, not its developers. In particular, for a bug fix, explain the
 consequences of the bug, not how the bug was fixed. For a new feature, explain
 why one might be interested in the feature. For an API change or a deprecation,
 explain how to update existing applications.
 See [existing entries](../ChangeLog) for examples.
 ## How `ChangeLog` is updated
 Run [`../scripts/assemble_changelog.py`](../scripts/assemble_changelog.py)
 from a Git working copy
 to move the entries from files in `ChangeLog.d` to the main `ChangeLog` file.
--- a/ChangeLog.d/add-missing-parenthesis.txt
+++ b/ChangeLog.d/add-missing-parenthesis.txt
@ -1,3 +0,0 @@
 Bugfix
   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
     defined. Fixes #4217.
--- a/ChangeLog.d/aescrypt2.txt
+++ b/ChangeLog.d/aescrypt2.txt
@ -1,3 +0,0 @@
 Changes
   * Remove the AES sample application programs/aes/aescrypt2 which shows
     bad cryptographic practice. Fix #1906.
--- a/ChangeLog.d/bugfix_PR3616.txt
+++ b/ChangeLog.d/bugfix_PR3616.txt
@ -1,5 +0,0 @@
 Bugfix
   * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
     lead to the seed file corruption in case if the path to the seed file is
     equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
     Krasnoshchok in #3616.
--- a/ChangeLog.d/dhm_min_bitlen.txt
+++ b/ChangeLog.d/dhm_min_bitlen.txt
@ -1,4 +0,0 @@
 Bugfix
   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
     minimum size was rounded down to the nearest multiple of 8.
--- a/ChangeLog.d/dtls_sample_use_read_timeout.txt
+++ b/ChangeLog.d/dtls_sample_use_read_timeout.txt
@ -1,2 +0,0 @@
 Changes
   * Fix the setting of the read timeout in the DTLS sample programs.
--- a/ChangeLog.d/fix-pk-parse-key-error-code.txt
+++ b/ChangeLog.d/fix-pk-parse-key-error-code.txt
@ -1,2 +0,0 @@
 Bugfix
   * Fix an incorrect error code when parsing a PKCS#8 private key.
--- a/ChangeLog.d/mpi_read_negative_zero.txt
+++ b/ChangeLog.d/mpi_read_negative_zero.txt
@ -1,3 +0,0 @@
 Bugfix
   * mbedtls_mpi_read_string on "-0" produced an MPI object that was not treated
     as equal to 0 in all cases. Fix it to produce the same object as "0".
--- a/7
+++ b/7
@ -1,5 +1,2 @@
-Unless specifically indicated otherwise in a file, Mbed TLS files are provided
+Unless specifically indicated otherwise in a file, files are licensed
-under the Apache License 2.0, or the GNU General Public License v2.0 or later
+under the Apache 2.0 license, as can be found in: apache-2.0.txt
 (SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later).
 A copy of these licenses can be found in apache-2.0.txt and gpl-2.0.txt
--- a/46
+++ b/46
@ -23,13 +23,13 @@ tests: lib
 ifndef WINDOWS
 install: no_test
 	mkdir -p $(DESTDIR)/include/mbedtls
-	cp -rp include/mbedtls $(DESTDIR)/include
+	cp -r include/mbedtls $(DESTDIR)/include
-
+	
 	mkdir -p $(DESTDIR)/lib
 	cp -RP library/libmbedtls.*    $(DESTDIR)/lib
 	cp -RP library/libmbedx509.*   $(DESTDIR)/lib
 	cp -RP library/libmbedcrypto.* $(DESTDIR)/lib
-
+	
 	mkdir -p $(DESTDIR)/bin
 	for p in programs/*/* ; do              \
 	    if [ -x $$p ] && [ ! -d $$p ] ;     \
@ -44,7 +44,7 @@ uninstall:
 	rm -f $(DESTDIR)/lib/libmbedtls.*
 	rm -f $(DESTDIR)/lib/libmbedx509.*
 	rm -f $(DESTDIR)/lib/libmbedcrypto.*
-
+	
 	for p in programs/*/* ; do              \
 	    if [ -x $$p ] && [ ! -d $$p ] ;     \
 	    then                                \
@ -61,21 +61,9 @@ NULL_ENTROPY_WARN_L3=****  AND IS *NOT* SUITABLE FOR PRODUCTION USE     ****\n
 NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
 WARNING_BORDER_LONG      =**********************************************************************************\n
 CTR_DRBG_128_BIT_KEY_WARN_L1=****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!                      ****\n
 CTR_DRBG_128_BIT_KEY_WARN_L2=****  Using 128-bit keys for CTR_DRBG limits the security of generated         ****\n
 CTR_DRBG_128_BIT_KEY_WARN_L3=****  keys and operations that use random values generated to 128-bit security ****\n
 CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG)
 # Post build steps
 post_build:
 ifndef WINDOWS
 	# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
 	-scripts/config.pl get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
 	    echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
 	# If NULL Entropy is configured, display an appropriate warning
 	-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
 	    echo '$(NULL_ENTROPY_WARNING)'
@ -106,33 +94,17 @@ covtest:
 lcov:
 	rm -rf Coverage
 	lcov --capture --initial --directory library -o files.info
-	lcov --rc lcov_branch_coverage=1 --capture --directory library -o tests.info
+	lcov --capture --directory library -o tests.info
-	lcov --rc lcov_branch_coverage=1 --add-tracefile files.info --add-tracefile tests.info -o all.info
+	lcov --add-tracefile files.info --add-tracefile tests.info -o all.info
-	lcov --rc lcov_branch_coverage=1 --remove all.info -o final.info '*.h'
+	lcov --remove all.info -o final.info '*.h'
 	gendesc tests/Descriptions.txt -o descriptions
-	genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --branch-coverage -o Coverage final.info
+	genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info
 	rm -f files.info tests.info all.info final.info descriptions
 apidoc:
 	mkdir -p apidoc
-	cd doxygen && doxygen mbedtls.doxyfile
+	doxygen doxygen/mbedtls.doxyfile
 apidoc_clean:
 	rm -rf apidoc
 endif
 ## Editor navigation files
 C_SOURCE_FILES = $(wildcard include/*/*.h library/*.[hc] programs/*/*.[hc] tests/suites/*.function)
 # Exuberant-ctags invocation. Other ctags implementations may require different options.
 CTAGS = ctags --langmap=c:+.h.function --line-directives=no -o
 tags: $(C_SOURCE_FILES)
 	$(CTAGS) $@ $(C_SOURCE_FILES)
 TAGS: $(C_SOURCE_FILES)
 	etags --no-line-directive -o $@ $(C_SOURCE_FILES)
 global: GPATH GRTAGS GSYMS GTAGS
 GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
 	ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc
 cscope: cscope.in.out cscope.po.out cscope.out
 cscope.in.out cscope.po.out cscope.out: $(C_SOURCE_FILES)
 	cscope -bq -u -Iinclude -Ilibrary $(patsubst %,-I%,$(wildcard 3rdparty/*/include)) -Itests/include $(C_SOURCE_FILES)
 .PHONY: cscope global
--- a/README.md
+++ b/README.md
@ -1,35 +1,62 @@
-README for Mbed TLS
+README for mbed TLS
 ===================
 Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems.
 Configuration
 -------------
-Mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Perl script `scripts/config.pl` (use `--help` for usage instructions).
+mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Perl script `scripts/config.pl` (use `--help` for usage instructions).
 Compiler options can be set using conventional environment variables such as `CC` and `CFLAGS` when using the Make and CMake build system (see below).
 Compiling
 ---------
-There are currently three active build systems used within Mbed TLS releases:
+There are currently four active build systems used within mbed TLS releases:
-   GNU Make
+-   yotta
 -   Make
 -   CMake
-   Microsoft Visual Studio (Microsoft Visual Studio 2010 or later)
+-   Microsoft Visual Studio (Visual Studio 6 and Visual Studio 2010)
-The main systems used for development are CMake and GNU Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
+The main systems used for development are CMake and Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
 Yotta, as a build system, is slightly different from the other build systems:
 -   it provides a minimalistic configuration file by default
 -   depending on the yotta target, features of mbed OS may be used in examples and tests
 The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`. Also, when loading shared libraries using dlopen(), you'll need to load libmbedcrypto first, then libmbedx509, before you can load libmbedtls.
 ### Yotta
 [yotta](http://yottabuild.org) is a package manager and build system developed by mbed, and is the build system of mbed OS 16.03. To install it on your platform, please follow the yotta [installation instructions](http://docs.yottabuild.org/#installing).
 Once yotta is installed, you can use it to download the latest version of mbed TLS from the yotta registry with:
    yotta install mbedtls
 and build it with:
    yotta build
 If, on the other hand, you already have a copy of mbed TLS from a source other than the yotta registry, for example from cloning our GitHub repository, or from downloading a tarball of the standalone edition, then you'll first need to generate the yotta module by running:
    yotta/create-module.sh
 This should be executed from the root mbed TLS project directory. This will create the yotta module in the `yotta/module` directory within it. You can then change to that directory and build as usual:
    cd yotta/module
    yotta build
 In any case, you'll probably want to set the yotta target before building unless it has already been set globally. For more information on using yotta, please consult the [yotta documentation](http://docs.yottabuild.org/).
 For more details on the yotta/mbed OS edition of mbed TLS, including example programs, please consult the [Readme at the root of the yotta module](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/README.md).
 ### Make
-We require GNU Make. To build the library and the sample programs, GNU Make and a C compiler are sufficient. Some of the more advanced build targets require some Unix/Linux tools.
+We intentionally only use the minimum of `Make` functionality, as a lot of `Make` features are not supported on all different implementations of Make or on different platforms. As such, the Makefiles sometimes require some manual changes or export statements in order to work for your platform.
-We intentionally only use a minimum of functionality in the makefiles in order to keep them as simple and independent of different toolchains as possible, to allow users to more easily move between different platforms. Users who need more features are recommended to use CMake.
+In order to build from the source code using Make, just enter at the command line:
 In order to build from the source code using GNU Make, just enter at the command line:
    make
@ -37,7 +64,7 @@ In order to run the tests, enter:
    make check
-The tests need Python to be built and Perl to be run. If you don't have one of them installed, you can skip building the tests with:
+The tests need Perl to be built and run. If you don't have Perl installed, you can skip building the tests with:
    make no_test
@ -47,29 +74,26 @@ You'll still be able to run a much smaller set of tests with:
 In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if the target is Windows but the build environment is Unix-like (for instance when cross-compiling, or compiling from an MSYS shell), and `WINDOWS=1` if the build environment is a Windows shell (for instance using mingw32-make) (in that case some targets will not be available).
-Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved.
+Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; if you do so, essential parts such as `-I` will still be preserved. Warning options may be overridden separately using `WARNING_CFLAGS`.
-Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line.
+Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
-Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
+In case you find that you need to do something else as well, please let us know what, so we can add it to the [mbed TLS knowledge base](https://tls.mbed.org/kb).
 In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS Knowledge Base](https://tls.mbed.org/kb).
 ### CMake
-In order to build the source using CMake in a separate directory (recommended), just enter at the command line:
+In order to build the source using CMake, just enter at the command line:
-    mkdir /path/to/build_dir && cd /path/to/build_dir
+    cmake .
    cmake /path/to/mbedtls_source
    make
 In order to run the tests, enter:
    make test
-The test suites need Python to be built and Perl to be executed. If you don't have one of these installed, you'll want to disable the test suites with:
+The test suites need Perl to be built. If you don't have Perl installed, you'll want to disable the test suites with:
-    cmake -DENABLE_TESTING=Off /path/to/mbedtls_source
+    cmake -DENABLE_TESTING=Off .
 If you disabled the test suites, but kept the programs enabled, you can still run a much smaller set of tests with:
@ -77,75 +101,47 @@ If you disabled the test suites, but kept the programs enabled, you can still ru
 To configure CMake for building shared libraries, use:
-    cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On /path/to/mbedtls_source
+    cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
 There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific:
-   `Release`. This generates the default code without any unnecessary information in the binary files.
+-   Release. This generates the default code without any unnecessary information in the binary files.
-   `Debug`. This generates debug information and disables optimization of the code.
+-   Debug. This generates debug information and disables optimization of the code.
-   `Coverage`. This generates code coverage information in addition to debug information.
+-   Coverage. This generates code coverage information in addition to debug information.
-   `ASan`. This instruments the code with AddressSanitizer to check for memory errors. (This includes LeakSanitizer, with recent version of gcc and clang.) (With recent version of clang, this mode also instruments the code with UndefinedSanitizer to check for undefined behaviour.)
+-   ASan. This instruments the code with AddressSanitizer to check for memory errors. (This includes LeakSanitizer, with recent version of gcc and clang.) (With recent version of clang, this mode also instruments the code with UndefinedSanitizer to check for undefined behaviour.)
-   `ASanDbg`. Same as ASan but slower, with debug information and better stack traces.
+-   ASanDbg. Same as ASan but slower, with debug information and better stack traces.
-   `MemSan`. This instruments the code with MemorySanitizer to check for uninitialised memory reads. Experimental, needs recent clang on Linux/x86\_64.
+-   MemSan. This instruments the code with MemorySanitizer to check for uninitialised memory reads. Experimental, needs recent clang on Linux/x86\_64.
-   `MemSanDbg`. Same as MemSan but slower, with debug information, better stack traces and origin tracking.
+-   MemSanDbg. Same as MemSan but slower, with debug information, better stack traces and origin tracking.
-   `Check`. This activates the compiler warnings that depend on optimization and treats all warnings as errors.
+-   Check. This activates the compiler warnings that depend on optimization and treats all warnings as errors.
 Switching build modes in CMake is simple. For debug mode, enter at the command line:
-    cmake -D CMAKE_BUILD_TYPE=Debug /path/to/mbedtls_source
+    cmake -D CMAKE_BUILD_TYPE=Debug .
 To list other available CMake options, use:
    cmake -LH
-Note that, with CMake, you can't adjust the compiler or its flags after the
+Note that, with CMake, if you want to change the compiler or its options after you already ran CMake, you need to clear its cache first, e.g. (using GNU find):
 initial invocation of cmake. This means that `CC=your_cc make` and `make
 CC=your_cc` will *not* work (similarly with `CFLAGS` and other variables).
 These variables need to be adjusted when invoking cmake for the first time,
 for example:
    CC=your_cc cmake /path/to/mbedtls_source
 If you already invoked cmake and want to change those settings, you need to
 remove the build directory and create it again.
 Note that it is possible to build in-place; this will however overwrite the
 provided Makefiles (see `scripts/tmp_ignore_makefiles.sh` if you want to
 prevent `git status` from showing them as modified). In order to do so, from
 the Mbed TLS source directory, use:
    cmake .
    make
 If you want to change `CC` or `CFLAGS` afterwards, you will need to remove the
 CMake cache. This can be done with the following command using GNU find:
    find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} +
-
+    CC=gcc CFLAGS='-fstack-protector-strong -Wa,--noexecstack' cmake .
 You can now make the desired change:
    CC=your_cc cmake .
    make
 Regarding variables, also note that if you set CFLAGS when invoking cmake,
 your value of CFLAGS doesn't override the content provided by cmake (depending
 on the build mode as seen above), it's merely prepended to it.
 ### Microsoft Visual Studio
 The build files for Microsoft Visual Studio are generated for Visual Studio 2010.
-The solution file `mbedTLS.sln` contains all the basic projects needed to build the library and all the programs. The files in tests are not generated and compiled, as these need Python and perl environments as well. However, the selftest program in `programs/test/` is still available.
+The solution file `mbedTLS.sln` contains all the basic projects needed to build the library and all the programs. The files in tests are not generated and compiled, as these need a perl environment as well. However, the selftest program in `programs/test/` is still available.
 Example programs
 ----------------
-We've included example programs for a lot of different features and uses in [`programs/`](programs/README.md). Most programs only focus on a single feature or usage scenario, so keep that in mind when copying parts of the code.
+We've included example programs for a lot of different features and uses in `programs/`. Most programs only focus on a single feature or usage scenario, so keep that in mind when copying parts of the code.
 Tests
 -----
-Mbed TLS includes an elaborate test suite in `tests/` that initially requires Python to generate the tests files (e.g. `test\_suite\_mpi.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_mpi.function`) and a `data file` (e.g. `suites/test\_suite\_mpi.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
+mbed TLS includes an elaborate test suite in `tests/` that initially requires Perl to generate the tests files (e.g. `test\_suite\_mpi.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_mpi.function`) and a `data file` (e.g. `suites/test\_suite\_mpi.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
 For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, additional test scripts are available:
@ -160,21 +156,30 @@ Configurations
 We provide some non-standard configurations focused on specific use cases in the `configs/` directory. You can read more about those in `configs/README.txt`
-Porting Mbed TLS
+Porting mbed TLS
 ----------------
-Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following Knowledge Base articles useful:
+mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following knowledge base articles useful:
-   [Porting Mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS)
+-   [Porting mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS)
-   [What external dependencies does Mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
+-   [What external dependencies does mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
-   [How do I configure Mbed TLS](https://tls.mbed.org/kb/compiling-and-building/how-do-i-configure-mbedtls)
+-   [How do I configure mbed TLS](https://tls.mbed.org/kb/compiling-and-building/how-do-i-configure-mbedtls)
 License
 -------
 Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. A copy of these licenses can be found in [apache-2.0.txt](./apache-2.0.txt) and [gpl-2.0.txt](./gpl-2.0.txt). Contributors must accept that their contributions are made under both the Apache-2.0 AND GPL-2.0-or-later licenses.
 Contributing
 ------------
-We gratefully accept bug reports and contributions from the community. Please see the [contributing guidelines](CONTRIBUTING.md) for details on how to do this.
+We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
 -   All contributions, whether large or small require a Contributor's License Agreement (CLA) to be accepted. This is because source code can possibly fall under copyright law and we need your consent to share in the ownership of the copyright.
 -   We would ask that contributions conform to [our coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards), and that contributions should be fully tested before submission.
 -   As with any open source project, contributions will be reviewed by the project team and community and may need some modifications to be accepted.
 To accept the Contributor’s Licence Agreement (CLA), individual contributors can do this by creating an mbed account and [accepting the online agreement here with a click through](https://developer.mbed.org/contributor_agreement/). Alternatively, for contributions from corporations, or those that do not wish to create an mbed account, a slightly different agreement can be found [here](https://www.mbed.com/en/about-mbed/contributor-license-agreements/). This agreement should be signed and returned to ARM as described in the instructions given.
 ### Making a Contribution
 1.  [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
 2.  Fork the [mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis.
 3.  Write a test which shows that the bug was fixed or that the feature works as expected.
 4.  Send a pull request and bug us until it gets merged and published. Contributions may need some modifications, so work with us to get your change accepted. We will include your name in the ChangeLog :)
--- a/circle.yml
+++ b/circle.yml
@ -0,0 +1,44 @@
 # Purpose:
 # - To test and prove that a new commit in  the mbed TLS repository builds
 # and integrates with mbed-os properly.
 #           AND
 # - To test and prove that the current development head of mbed TLS builds
 # and integrates with the current mbed-os master branch.
 #
 # The script fetches all the prerequisites and builds the mbed TLS 'tls-client'
 # example. This script is triggered by every commit and once each night and the
 # exact behaviour depends on how it was triggered:
 # - If it is a nightly build then it builds the mbed TLS development head with
 #   mbed-os master.
 # - If it was triggered by the commit, then it builds the example with mbed TLS
 #   at that commit and mbed-os at the commit pointed by mbed-os.lib in the
 #   example repository.
 test:
    override:
        - cd ../mbed-os-example-tls/tls-client/ && mbed compile -m K64F -t GCC_ARM -c
 dependencies:
    pre:
        # Install gcc-arm
        - cd .. && wget "https://launchpad.net/gcc-arm-embedded/4.9/4.9-2015-q3-update/+download/gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2"
        - cd .. && tar -xvjf gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2
        - ln -s ../gcc-arm-none-eabi-4_9-2015q3/bin/* ../bin/
        # Install mbed-cli
        - cd ../ && git clone https://github.com/ARMmbed/mbed-cli.git
        - cd ../mbed-cli && sudo -H pip install -e .
        # Get the sample application
        - cd ../ && git clone git@github.com:ARMmbed/mbed-os-example-tls.git
        # Get mbed-os
        - cd ../mbed-os-example-tls/tls-client && mbed deploy
        # Update mbed-os to master only if it is a nightly build
        - >
            if [ -n "${RUN_NIGHTLY_BUILD}" ]; then
                cd ../mbed-os-example-tls/tls-client/mbed-os/ && mbed update master;
            fi
        # Import mbedtls current revision
        - ln -s ../../../../../../../mbedtls/ ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/TARGET_IGNORE/mbedtls
        - cd ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/ && make
    override:
        # Install the missing python packages
        - cd ../mbed-os-example-tls/tls-client/mbed-os/ && sudo -H pip install -r requirements.txt
--- a/configs/README.txt
+++ b/configs/README.txt
@ -8,7 +8,7 @@ These files are complete replacements for the default config.h. To use one of
 them, you can pick one of the following methods:
 1. Replace the default file include/mbedtls/config.h with the chosen one.
-   (Depending on your compiler, you may need to adjust the line with
+   (Depending on your compiler, you may need to ajust the line with
   #include "mbedtls/check_config.h" then.)
 2. Define MBEDTLS_CONFIG_FILE and adjust the include path accordingly.
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@ -1,17 +1,8 @@
 /**
 * \file config-ccm-psk-tls1_2.h
 *
 * \brief Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
 */
 /*
- *  Copyright The Mbed TLS Contributors
+ *  Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +16,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
 * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
@ -106,7 +78,7 @@
 * both ends of the connection!  (See comments in "mbedtls/ssl.h".)
 * The optimal size here depends on the typical size of records.
 */
-#define MBEDTLS_SSL_MAX_CONTENT_LEN             1024
+#define MBEDTLS_SSL_MAX_CONTENT_LEN             512
 #include "mbedtls/check_config.h"
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@ -1,17 +1,8 @@
 /**
 * \file config-mini-tls1_1.h
 *
 * \brief Minimal configuration for TLS 1.1 (RFC 4346)
 */
 /*
- *  Copyright The Mbed TLS Contributors
+ *  Minimal configuration for TLS 1.1 (RFC 4346)
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +16,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
 * Minimal configuration for TLS 1.1 (RFC 4346), implementing only the
--- a/configs/config-no-entropy.h
+++ b/configs/config-no-entropy.h
@ -1,17 +1,8 @@
 /**
- * \file config-no-entropy.h
+ *  Minimal configuration of features that do not require an entropy source
 *
- * \brief Minimal configuration of features that do not require an entropy source
+ *  Copyright (C) 2016, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +16,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
 * Minimal configuration of features that do not require an entropy source
@ -107,7 +79,6 @@
 #define MBEDTLS_X509_USE_C
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_CRL_PARSE_C
 //#define MBEDTLS_CMAC_C
 /* Miscellaneous options */
 #define MBEDTLS_AES_ROM_TABLES
--- a/configs/config-picocoin.h
+++ b/configs/config-picocoin.h
@ -0,0 +1,71 @@
 /*
 *  Reduced configuration used by Picocoin.
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
 /*
 * Reduced configuration used by Picocoin.
 *
 * See README.txt for usage instructions.
 *
 * Distinguishing features:
 * - no SSL/TLS;
 * - no X.509;
 * - ECDSA/PK and some other chosen crypto bits.
 */
 #ifndef MBEDTLS_CONFIG_H
 #define MBEDTLS_CONFIG_H
 /* System support */
 #define MBEDTLS_HAVE_ASM
 #define MBEDTLS_HAVE_TIME
 /* mbed TLS feature support */
 #define MBEDTLS_CIPHER_MODE_CBC
 #define MBEDTLS_CIPHER_PADDING_PKCS7
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_ECDSA_DETERMINISTIC
 #define MBEDTLS_PK_PARSE_EC_EXTENDED
 #define MBEDTLS_ERROR_STRERROR_DUMMY
 #define MBEDTLS_FS_IO
 /* mbed TLS modules */
 #define MBEDTLS_AESNI_C
 #define MBEDTLS_AES_C
 #define MBEDTLS_ASN1_PARSE_C
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_BASE64_C
 #define MBEDTLS_BIGNUM_C
 #define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_ENTROPY_C
 #define MBEDTLS_HMAC_DRBG_C
 #define MBEDTLS_MD_C
 #define MBEDTLS_OID_C
 #define MBEDTLS_PADLOCK_C
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_PARSE_C
 #define MBEDTLS_PK_WRITE_C
 #define MBEDTLS_RIPEMD160_C
 #define MBEDTLS_SHA1_C
 #define MBEDTLS_SHA256_C
 #include "mbedtls/check_config.h"
 #endif /* MBEDTLS_CONFIG_H */
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@ -1,17 +1,8 @@
 /**
 * \file config-suite-b.h
 *
 * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
 */
 /*
- *  Copyright The Mbed TLS Contributors
+ *  Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +16,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
 * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@ -1,17 +1,8 @@
 /**
 * \file config-thread.h
 *
 * \brief Minimal configuration for using TLS as part of Thread
 */
 /*
- *  Copyright The Mbed TLS Contributors
+ *  Minimal configuration for using TLS as part of Thread
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +16,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
--- a/dco.txt
+++ b/dco.txt
@ -1,37 +0,0 @@
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 1 Letterman Drive
 Suite D4700
 San Francisco, CA, 94129
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
--- a/doxygen/input/doc_encdec.h
+++ b/doxygen/input/doc_encdec.h
@ -1,18 +1,9 @@
 /**
- * \file doc_encdec.h
+ * @file
 * Encryption/decryption module documentation file.
 *
- * \brief Encryption/decryption module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/input/doc_hashing.h
+++ b/doxygen/input/doc_hashing.h
@ -1,18 +1,9 @@
 /**
- * \file doc_hashing.h
+ * @file
 * Hashing module documentation file.
 *
- * \brief Hashing module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@ -1,18 +1,9 @@
 /**
- * \file doc_mainpage.h
+ * @file
 * Main page documentation file.
 *
- * \brief Main page documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,30 +17,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
- * @mainpage mbed TLS v2.16.10 source code documentation
+ * @mainpage mbed TLS v2.6.1 source code documentation
 *
 * This documentation describes the internal structure of mbed TLS.  It was
 * automatically generated from specially formatted comment blocks in
--- a/doxygen/input/doc_rng.h
+++ b/doxygen/input/doc_rng.h
@ -1,18 +1,9 @@
 /**
- * \file doc_rng.h
+ * @file
 * Random number generator (RNG) module documentation file.
 *
- * \brief Random number generator (RNG) module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/input/doc_ssltls.h
+++ b/doxygen/input/doc_ssltls.h
@ -1,18 +1,9 @@
 /**
- * \file doc_ssltls.h
+ * @file
 * SSL/TLS communication module documentation file.
 *
- * \brief SSL/TLS communication module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/input/doc_tcpip.h
+++ b/doxygen/input/doc_tcpip.h
@ -1,18 +1,9 @@
 /**
- * \file doc_tcpip.h
+ * @file
 * TCP/IP communication module documentation file.
 *
- * \brief TCP/IP communication module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/input/doc_x509.h
+++ b/doxygen/input/doc_x509.h
@ -1,18 +1,9 @@
 /**
- * \file doc_x509.h
+ * @file
 * X.509 module documentation file.
 *
- * \brief X.509 module documentation file.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +17,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /**
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@ -28,7 +28,7 @@ DOXYFILE_ENCODING      = UTF-8
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
-PROJECT_NAME           = "mbed TLS v2.16.10"
+PROJECT_NAME           = "mbed TLS v2.6.1"
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
@ -54,7 +54,7 @@ PROJECT_LOGO           =
 # If a relative path is entered, it will be relative to the location
 # where doxygen was started. If left blank the current directory will be used.
-OUTPUT_DIRECTORY       = ../apidoc/
+OUTPUT_DIRECTORY       = apidoc/
 # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
 # 4096 sub-directories (in 2 levels) under the output directory of each output
@ -165,7 +165,7 @@ SHORT_NAMES            = NO
 # comments will behave just like regular Qt-style comments
 # (thus requiring an explicit @brief command for a brief description.)
-JAVADOC_AUTOBRIEF      = NO
+JAVADOC_AUTOBRIEF      = YES
 # If the QT_AUTOBRIEF tag is set to YES then Doxygen will
 # interpret the first line (until the first dot) of a Qt-style
@ -664,7 +664,7 @@ WARN_LOGFILE           =
 # directories like "/usr/src/myproject". Separate the files or directories
 # with spaces.
-INPUT                  = ../include input
+INPUT                  = .
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
@ -696,13 +696,13 @@ RECURSIVE              = YES
 # Note that relative paths are relative to the directory from which doxygen is
 # run.
-EXCLUDE                =
+EXCLUDE                = configs yotta/module
 # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
 # directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
-EXCLUDE_SYMLINKS       = YES
+EXCLUDE_SYMLINKS       = NO
 # If the value of the INPUT tag contains directories, you can use the
 # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
--- a/gpl-2.0.txt
+++ b/gpl-2.0.txt
@ -1,339 +0,0 @@
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
 License is intended to guarantee your freedom to share and change free
 software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
 the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 this service if you wish), that you receive source code or can get it
 if you want it, that you can change the software or use pieces of it
 in new free programs; and that you know you can do these things.
  To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
 These restrictions translate to certain responsibilities for you if you
 distribute copies of the software, or if you modify it.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must give the recipients all the rights that
 you have.  You must make sure that they, too, receive or can get the
 source code.  And you must show them these terms so they know their
 rights.
  We protect your rights with two steps: (1) copyright the software, and
 (2) offer you this license which gives you legal permission to copy,
 distribute and/or modify the software.
  Also, for each author's protection and ours, we want to make certain
 that everyone understands that there is no warranty for this free
 software.  If the software is modified by someone else and passed on, we
 want its recipients to know that what they have is not the original, so
 that any problems introduced by others will not reflect on the original
 authors' reputations.
  Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
 a notice placed by the copyright holder saying it may be distributed
 under the terms of this General Public License.  The "Program", below,
 refers to any such program or work, and a "work based on the Program"
 means either the Program or any derivative work under copyright law:
 that is to say, a work containing the Program or a portion of it,
 either verbatim or with modifications and/or translated into another
 language.  (Hereinafter, translation is included without limitation in
 the term "modification".)  Each licensee is addressed as "you".
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
 running the Program is not restricted, and the output from the Program
 is covered only if its contents constitute a work based on the
 Program (independent of having been made by running the Program).
 Whether that is true depends on what the Program does.
  1. You may copy and distribute verbatim copies of the Program's
 source code as you receive it, in any medium, provided that you
 conspicuously and appropriately publish on each copy an appropriate
 copyright notice and disclaimer of warranty; keep intact all the
 notices that refer to this License and to the absence of any warranty;
 and give any other recipients of the Program a copy of this License
 along with the Program.
 You may charge a fee for the physical act of transferring a copy, and
 you may at your option offer warranty protection in exchange for a fee.
  2. You may modify your copy or copies of the Program or any portion
 of it, thus forming a work based on the Program, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.
    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.
    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
 on the Program, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
 entire whole, and thus to each and every part regardless of who wrote it.
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
 collective works based on the Program.
 In addition, mere aggregation of another work not based on the Program
 with the Program (or with a work based on the Program) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
  3. You may copy and distribute the Program (or a work based on it,
 under Section 2) in object code or executable form under the terms of
 Sections 1 and 2 above provided that you also do one of the following:
    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)
 The source code for a work means the preferred form of the work for
 making modifications to it.  For an executable work, complete source
 code means all the source code for all modules it contains, plus any
 associated interface definition files, plus the scripts used to
 control compilation and installation of the executable.  However, as a
 special exception, the source code distributed need not include
 anything that is normally distributed (in either source or binary
 form) with the major components (compiler, kernel, and so on) of the
 operating system on which the executable runs, unless that component
 itself accompanies the executable.
 If distribution of executable or object code is made by offering
 access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
 void, and will automatically terminate your rights under this License.
 However, parties who have received copies, or rights, from you under
 this License will not have their licenses terminated so long as such
 parties remain in full compliance.
  5. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
 distribute the Program or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
 modifying or distributing the Program (or any work based on the
 Program), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
 the Program or works based on it.
  6. Each time you redistribute the Program (or any work based on the
 Program), the recipient automatically receives a license from the
 original licensor to copy, distribute or modify the Program subject to
 these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
  7. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
 may not distribute the Program at all.  For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.
 If any portion of this section is held invalid or unenforceable under
 any particular circumstance, the balance of the section is intended to
 apply and the section as a whole is intended to apply in other
 circumstances.
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
 integrity of the free software distribution system, which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
 system; it is up to the author/donor to decide if he or she is willing
 to distribute software through any other system and a licensee cannot
 impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
 may add an explicit geographical distribution limitation excluding
 those countries, so that distribution is permitted only in or among
 countries not thus excluded.  In such case, this License incorporates
 the limitation as if written in the body of this License.
  9. The Free Software Foundation may publish revised and/or new versions
 of the General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 Each version is given a distinguishing version number.  If the Program
 specifies a version number of this License which applies to it and "any
 later version", you have the option of following the terms and conditions
 either of that version or of any later version published by the Free
 Software Foundation.  If the Program does not specify a version number of
 this License, you may choose any version ever published by the Free Software
 Foundation.
  10. If you wish to incorporate parts of the Program into other free
 programs whose distribution conditions are different, write to the author
 to ask for permission.  For software which is copyrighted by the Free
 Software Foundation, write to the Free Software Foundation; we sometimes
 make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
                            NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
 REPAIR OR CORRECTION.
  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, the commands you use may
 be called something other than `show w' and `show c'; they could even be
 mouse-clicks or menu items--whatever suits your program.
 You should also get your employer (if you work as a programmer) or your
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.
  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@ -9,8 +9,3 @@ if(INSTALL_MBEDTLS_HEADERS)
        PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
 endif(INSTALL_MBEDTLS_HEADERS)
 # Make config.h available in an out-of-source build. ssl-opt.sh requires it.
 if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
    link_to_source(mbedtls)
 endif()
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@ -1,34 +1,10 @@
 /**
 * \file aes.h
 *
- * \brief   This file contains AES definitions and functions.
+ * \brief AES block cipher
 *
- *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          cryptographic algorithm that can be used to protect electronic
+ *  SPDX-License-Identifier: Apache-2.0
 *          data.
 *
 *          The AES algorithm is a symmetric block cipher that can
 *          encrypt and decrypt information. For more information, see
 *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
 *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
 *          techniques -- Encryption algorithms -- Part 2: Asymmetric
 *          ciphers</em>.
 *
 *          The AES-XTS block mode is standardized by NIST SP 800-38E
 *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
 *          and described in detail by IEEE P1619
 *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -42,28 +18,8 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_AES_H
 #define MBEDTLS_AES_H
@ -77,210 +33,88 @@
 #include <stdint.h>
 /* padlock.c and aesni.c rely on these values! */
-#define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
+#define MBEDTLS_AES_ENCRYPT     1
-#define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
+#define MBEDTLS_AES_DECRYPT     0
 /* Error codes in range 0x0020-0x0022 */
 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
 /* Error codes in range 0x0021-0x0025 */
 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
 /* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
 /* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
 #define inline __inline
 #endif
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_AES_ALT)
 // Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * \brief The AES context-type definition.
+ * \brief          AES context structure
 *
 * \note           buf is able to hold 32 extra bytes, which can be used:
 *                 - for alignment purposes if VIA padlock is used, and/or
 *                 - to simplify key expansion in the 256-bit case by
 *                 generating an extra round key
 */
-typedef struct mbedtls_aes_context
+typedef struct
 {
-    int nr;                     /*!< The number of rounds. */
+    int nr;                     /*!<  number of rounds  */
-    uint32_t *rk;               /*!< AES round keys. */
+    uint32_t *rk;               /*!<  AES round keys    */
-    uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
+    uint32_t buf[68];           /*!<  unaligned data    */
                                     hold 32 extra Bytes, which can be used for
                                     one of the following purposes:
                                     <ul><li>Alignment if VIA padlock is
                                             used.</li>
                                     <li>Simplifying key expansion in the 256-bit
                                         case by generating an extra round key.
                                         </li></ul> */
 }
 mbedtls_aes_context;
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
- * \brief The AES XTS context-type definition.
+ * \brief          Initialize AES context
 */
 typedef struct mbedtls_aes_xts_context
 {
    mbedtls_aes_context crypt; /*!< The AES context to use for AES block
                                        encryption or decryption. */
    mbedtls_aes_context tweak; /*!< The AES context used for tweak
                                        computation. */
 } mbedtls_aes_xts_context;
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #else  /* MBEDTLS_AES_ALT */
 #include "aes_alt.h"
 #endif /* MBEDTLS_AES_ALT */
 /**
 * \brief          This function initializes the specified AES context.
 *
- *                 It must be the first API called before using
+ * \param ctx      AES context to be initialized
 *                 the context.
 *
 * \param ctx      The AES context to initialize. This must not be \c NULL.
 */
 void mbedtls_aes_init( mbedtls_aes_context *ctx );
 /**
- * \brief          This function releases and clears the specified AES context.
+ * \brief          Clear AES context
 *
- * \param ctx      The AES context to clear.
+ * \param ctx      AES context to be cleared
 *                 If this is \c NULL, this function does nothing.
 *                 Otherwise, the context must have been at least initialized.
 */
 void mbedtls_aes_free( mbedtls_aes_context *ctx );
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
- * \brief          This function initializes the specified AES XTS context.
+ * \brief          AES key schedule (encryption)
 *
- *                 It must be the first API called before using
+ * \param ctx      AES context to be initialized
- *                 the context.
+ * \param key      encryption key
 * \param keybits  must be 128, 192 or 256
 *
- * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
+ * \return         0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
 */
 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
 /**
 * \brief          This function releases and clears the specified AES XTS context.
 *
 * \param ctx      The AES XTS context to clear.
 *                 If this is \c NULL, this function does nothing.
 *                 Otherwise, the context must have been at least initialized.
 */
 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 /**
 * \brief          This function sets the encryption key.
 *
 * \param ctx      The AES context to which the key should be bound.
 *                 It must be initialized.
 * \param key      The encryption key.
 *                 This must be a readable buffer of size \p keybits bits.
 * \param keybits  The size of data passed in bits. Valid options are:
 *                 <ul><li>128 bits</li>
 *                 <li>192 bits</li>
 *                 <li>256 bits</li></ul>
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
 */
 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
                    unsigned int keybits );
 /**
- * \brief          This function sets the decryption key.
+ * \brief          AES key schedule (decryption)
 *
- * \param ctx      The AES context to which the key should be bound.
+ * \param ctx      AES context to be initialized
- *                 It must be initialized.
+ * \param key      decryption key
- * \param key      The decryption key.
+ * \param keybits  must be 128, 192 or 256
 *                 This must be a readable buffer of size \p keybits bits.
 * \param keybits  The size of data passed. Valid options are:
 *                 <ul><li>128 bits</li>
 *                 <li>192 bits</li>
 *                 <li>256 bits</li></ul>
 *
- * \return         \c 0 on success.
+ * \return         0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
 * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
 */
 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
                    unsigned int keybits );
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
- * \brief          This function prepares an XTS context for encryption and
+ * \brief          AES-ECB block encryption/decryption
 *                 sets the encryption key.
 *
- * \param ctx      The AES XTS context to which the key should be bound.
+ * \param ctx      AES context
- *                 It must be initialized.
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- * \param key      The encryption key. This is comprised of the XTS key1
+ * \param input    16-byte input block
- *                 concatenated with the XTS key2.
+ * \param output   16-byte output block
 *                 This must be a readable buffer of size \p keybits bits.
 * \param keybits  The size of \p key passed in bits. Valid options are:
 *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
 *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
 *
- * \return         \c 0 on success.
+ * \return         0 if successful
 * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
 */
 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
                                const unsigned char *key,
                                unsigned int keybits );
 /**
 * \brief          This function prepares an XTS context for decryption and
 *                 sets the decryption key.
 *
 * \param ctx      The AES XTS context to which the key should be bound.
 *                 It must be initialized.
 * \param key      The decryption key. This is comprised of the XTS key1
 *                 concatenated with the XTS key2.
 *                 This must be a readable buffer of size \p keybits bits.
 * \param keybits  The size of \p key passed in bits. Valid options are:
 *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
 *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
 */
 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
                                const unsigned char *key,
                                unsigned int keybits );
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 /**
 * \brief          This function performs an AES single-block encryption or
 *                 decryption operation.
 *
 *                 It performs the operation defined in the \p mode parameter
 *                 (encrypt or decrypt), on the input data buffer defined in
 *                 the \p input parameter.
 *
 *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
 *                 mbedtls_aes_setkey_dec() must be called before the first
 *                 call to this API with the same context.
 *
 * \param ctx      The AES context to use for encryption or decryption.
 *                 It must be initialized and bound to a key.
 * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
 *                 #MBEDTLS_AES_DECRYPT.
 * \param input    The buffer holding the input data.
 *                 It must be readable and at least \c 16 Bytes long.
 * \param output   The buffer where the output data will be written.
 *                 It must be writeable and at least \c 16 Bytes long.
 * \return         \c 0 on success.
 */
 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
                    int mode,
@ -289,45 +123,26 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief  This function performs an AES-CBC encryption or decryption operation
+ * \brief          AES-CBC buffer encryption/decryption
- *         on full blocks.
+ *                 Length should be a multiple of the block
 *                 size (16 bytes)
 *
- *         It performs the operation defined in the \p mode
+ * \note           Upon exit, the content of the IV is updated so that you can
- *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *                 call the function same function again on the following
- *         the \p input parameter.
+ *                 block(s) of data and get the same result as if it was
 *                 encrypted in one call. This allows a "streaming" usage.
 *                 If on the other hand you need to retain the contents of the
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- *         It can be called as many times as needed, until all the input
+ * \param ctx      AES context
- *         data is processed. mbedtls_aes_init(), and either
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
+ * \param length   length of the input data
- *         before the first call to this API with the same context.
+ * \param iv       initialization vector (updated after use)
 * \param input    buffer holding the input data
 * \param output   buffer holding the output data
 *
- * \note   This function operates on full blocks, that is, the input size
+ * \return         0 if successful, or MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
 *         must be a multiple of the AES block size of \c 16 Bytes.
 *
 * \note   Upon exit, the content of the IV is updated so that you can
 *         call the same function again on the next
 *         block(s) of data and get the same result as if it was
 *         encrypted in one call. This allows a "streaming" usage.
 *         If you need to retain the contents of the IV, you should
 *         either save it manually or use the cipher module instead.
 *
 *
 * \param ctx      The AES context to use for encryption or decryption.
 *                 It must be initialized and bound to a key.
 * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
 *                 #MBEDTLS_AES_DECRYPT.
 * \param length   The length of the input data in Bytes. This must be a
 *                 multiple of the block size (\c 16 Bytes).
 * \param iv       Initialization vector (updated after use).
 *                 It must be a readable and writeable buffer of \c 16 Bytes.
 * \param input    The buffer holding the input data.
 *                 It must be readable and of size \p length Bytes.
 * \param output   The buffer holding the output data.
 *                 It must be writeable and of size \p length Bytes.
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
 *                 on failure.
 */
 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
                    int mode,
@ -337,89 +152,31 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
                    unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
 * \brief      This function performs an AES-XTS encryption or decryption
 *             operation for an entire XTS data unit.
 *
 *             AES-XTS encrypts or decrypts blocks based on their location as
 *             defined by a data unit number. The data unit number must be
 *             provided by \p data_unit.
 *
 *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
 *             AES blocks. If the data unit is larger than this, this function
 *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
 *
 * \param ctx          The AES XTS context to use for AES XTS operations.
 *                     It must be initialized and bound to a key.
 * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
 *                     #MBEDTLS_AES_DECRYPT.
 * \param length       The length of a data unit in Bytes. This can be any
 *                     length between 16 bytes and 2^24 bytes inclusive
 *                     (between 1 and 2^20 block cipher blocks).
 * \param data_unit    The address of the data unit encoded as an array of 16
 *                     bytes in little-endian format. For disk encryption, this
 *                     is typically the index of the block device sector that
 *                     contains the data.
 * \param input        The buffer holding the input data (which is an entire
 *                     data unit). This function reads \p length Bytes from \p
 *                     input.
 * \param output       The buffer holding the output data (which is an entire
 *                     data unit). This function writes \p length Bytes to \p
 *                     output.
 *
 * \return             \c 0 on success.
 * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
 *                     smaller than an AES block in size (16 Bytes) or if \p
 *                     length is larger than 2^20 blocks (16 MiB).
 */
 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
                           int mode,
                           size_t length,
                           const unsigned char data_unit[16],
                           const unsigned char *input,
                           unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief This function performs an AES-CFB128 encryption or decryption
+ * \brief          AES-CFB128 buffer encryption/decryption.
 *        operation.
 *
- *        It performs the operation defined in the \p mode
+ * Note: Due to the nature of CFB you should use the same key schedule for
- *        parameter (encrypt or decrypt), on the input data buffer
+ * both encryption and decryption. So a context initialized with
- *        defined in the \p input parameter.
+ * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT.
 *
- *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
+ * \note           Upon exit, the content of the IV is updated so that you can
- *        regardless of whether you are performing an encryption or decryption
+ *                 call the function same function again on the following
- *        operation, that is, regardless of the \p mode parameter. This is
+ *                 block(s) of data and get the same result as if it was
- *        because CFB mode uses the same key schedule for encryption and
+ *                 encrypted in one call. This allows a "streaming" usage.
- *        decryption.
+ *                 If on the other hand you need to retain the contents of the
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \note  Upon exit, the content of the IV is updated so that you can
+ * \param ctx      AES context
- *        call the same function again on the next
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- *        block(s) of data and get the same result as if it was
+ * \param length   length of the input data
- *        encrypted in one call. This allows a "streaming" usage.
+ * \param iv_off   offset in IV (updated after use)
- *        If you need to retain the contents of the
+ * \param iv       initialization vector (updated after use)
- *        IV, you must either save it manually or use the cipher
+ * \param input    buffer holding the input data
- *        module instead.
+ * \param output   buffer holding the output data
 *
- *
+ * \return         0 if successful
 * \param ctx      The AES context to use for encryption or decryption.
 *                 It must be initialized and bound to a key.
 * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
 *                 #MBEDTLS_AES_DECRYPT.
 * \param length   The length of the input data in Bytes.
 * \param iv_off   The offset in IV (updated after use).
 *                 It must point to a valid \c size_t.
 * \param iv       The initialization vector (updated after use).
 *                 It must be a readable and writeable buffer of \c 16 Bytes.
 * \param input    The buffer holding the input data.
 *                 It must be readable and of size \p length Bytes.
 * \param output   The buffer holding the output data.
 *                 It must be writeable and of size \p length Bytes.
 *
 * \return         \c 0 on success.
 */
 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
                       int mode,
@ -430,40 +187,28 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
                       unsigned char *output );
 /**
- * \brief This function performs an AES-CFB8 encryption or decryption
+ * \brief          AES-CFB8 buffer encryption/decryption.
 *        operation.
 *
- *        It performs the operation defined in the \p mode
+ * Note: Due to the nature of CFB you should use the same key schedule for
- *        parameter (encrypt/decrypt), on the input data buffer defined
+ * both encryption and decryption. So a context initialized with
- *        in the \p input parameter.
+ * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT.
 *
- *        Due to the nature of CFB, you must use the same key schedule for
+ * \note           Upon exit, the content of the IV is updated so that you can
- *        both encryption and decryption operations. Therefore, you must
+ *                 call the function same function again on the following
- *        use the context initialized with mbedtls_aes_setkey_enc() for
+ *                 block(s) of data and get the same result as if it was
- *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *                 encrypted in one call. This allows a "streaming" usage.
 *                 If on the other hand you need to retain the contents of the
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \note  Upon exit, the content of the IV is updated so that you can
+ * \param ctx      AES context
- *        call the same function again on the next
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- *        block(s) of data and get the same result as if it was
+ * \param length   length of the input data
- *        encrypted in one call. This allows a "streaming" usage.
+ * \param iv       initialization vector (updated after use)
- *        If you need to retain the contents of the
+ * \param input    buffer holding the input data
- *        IV, you should either save it manually or use the cipher
+ * \param output   buffer holding the output data
 *        module instead.
 *
- *
+ * \return         0 if successful
 * \param ctx      The AES context to use for encryption or decryption.
 *                 It must be initialized and bound to a key.
 * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
 *                 #MBEDTLS_AES_DECRYPT
 * \param length   The length of the input data.
 * \param iv       The initialization vector (updated after use).
 *                 It must be a readable and writeable buffer of \c 16 Bytes.
 * \param input    The buffer holding the input data.
 *                 It must be readable and of size \p length Bytes.
 * \param output   The buffer holding the output data.
 *                 It must be writeable and of size \p length Bytes.
 *
 * \return         \c 0 on success.
 */
 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
                    int mode,
@ -473,137 +218,28 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
                    unsigned char *output );
 #endif /*MBEDTLS_CIPHER_MODE_CFB */
 #if defined(MBEDTLS_CIPHER_MODE_OFB)
 /**
 * \brief       This function performs an AES-OFB (Output Feedback Mode)
 *              encryption or decryption operation.
 *
 *              For OFB, you must set up the context with
 *              mbedtls_aes_setkey_enc(), regardless of whether you are
 *              performing an encryption or decryption operation. This is
 *              because OFB mode uses the same key schedule for encryption and
 *              decryption.
 *
 *              The OFB operation is identical for encryption or decryption,
 *              therefore no operation mode needs to be specified.
 *
 * \note        Upon exit, the content of iv, the Initialisation Vector, is
 *              updated so that you can call the same function again on the next
 *              block(s) of data and get the same result as if it was encrypted
 *              in one call. This allows a "streaming" usage, by initialising
 *              iv_off to 0 before the first call, and preserving its value
 *              between calls.
 *
 *              For non-streaming use, the iv should be initialised on each call
 *              to a unique value, and iv_off set to 0 on each call.
 *
 *              If you need to retain the contents of the initialisation vector,
 *              you must either save it manually or use the cipher module
 *              instead.
 *
 * \warning     For the OFB mode, the initialisation vector must be unique
 *              every encryption operation. Reuse of an initialisation vector
 *              will compromise security.
 *
 * \param ctx      The AES context to use for encryption or decryption.
 *                 It must be initialized and bound to a key.
 * \param length   The length of the input data.
 * \param iv_off   The offset in IV (updated after use).
 *                 It must point to a valid \c size_t.
 * \param iv       The initialization vector (updated after use).
 *                 It must be a readable and writeable buffer of \c 16 Bytes.
 * \param input    The buffer holding the input data.
 *                 It must be readable and of size \p length Bytes.
 * \param output   The buffer holding the output data.
 *                 It must be writeable and of size \p length Bytes.
 *
 * \return         \c 0 on success.
 */
 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
                       size_t length,
                       size_t *iv_off,
                       unsigned char iv[16],
                       const unsigned char *input,
                       unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_OFB */
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief      This function performs an AES-CTR encryption or decryption
+ * \brief               AES-CTR buffer encryption/decryption
 *             operation.
 *
- *             This function performs the operation defined in the \p mode
+ * Warning: You have to keep the maximum use of your counter in mind!
 *             parameter (encrypt/decrypt), on the input data buffer
 *             defined in the \p input parameter.
 *
- *             Due to the nature of CTR, you must use the same key schedule
+ * Note: Due to the nature of CTR you should use the same key schedule for
- *             for both encryption and decryption operations. Therefore, you
+ * both encryption and decryption. So a context initialized with
- *             must use the context initialized with mbedtls_aes_setkey_enc()
+ * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT.
 *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
 *
- * \warning    You must never reuse a nonce value with the same key. Doing so
+ * \param ctx           AES context
- *             would void the encryption for the two messages encrypted with
+ * \param length        The length of the data
- *             the same nonce and key.
+ * \param nc_off        The offset in the current stream_block (for resuming
 *                      within current cipher stream). The offset pointer to
 *                      should be 0 at the start of a stream.
 * \param nonce_counter The 128-bit nonce and counter.
 * \param stream_block  The saved stream-block for resuming. Is overwritten
 *                      by the function.
 * \param input         The input data stream
 * \param output        The output data stream
 *
- *             There are two common strategies for managing nonces with CTR:
+ * \return         0 if successful
 *
 *             1. You can handle everything as a single message processed over
 *             successive calls to this function. In that case, you want to
 *             set \p nonce_counter and \p nc_off to 0 for the first call, and
 *             then preserve the values of \p nonce_counter, \p nc_off and \p
 *             stream_block across calls to this function as they will be
 *             updated by this function.
 *
 *             With this strategy, you must not encrypt more than 2**128
 *             blocks of data with the same key.
 *
 *             2. You can encrypt separate messages by dividing the \p
 *             nonce_counter buffer in two areas: the first one used for a
 *             per-message nonce, handled by yourself, and the second one
 *             updated by this function internally.
 *
 *             For example, you might reserve the first 12 bytes for the
 *             per-message nonce, and the last 4 bytes for internal use. In that
 *             case, before calling this function on a new message you need to
 *             set the first 12 bytes of \p nonce_counter to your chosen nonce
 *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
 *             stream_block to be ignored). That way, you can encrypt at most
 *             2**96 messages of up to 2**32 blocks each with the same key.
 *
 *             The per-message nonce (or information sufficient to reconstruct
 *             it) needs to be communicated with the ciphertext and must be unique.
 *             The recommended way to ensure uniqueness is to use a message
 *             counter. An alternative is to generate random nonces, but this
 *             limits the number of messages that can be securely encrypted:
 *             for example, with 96-bit random nonces, you should not encrypt
 *             more than 2**32 messages with the same key.
 *
 *             Note that for both stategies, sizes are measured in blocks and
 *             that an AES block is 16 bytes.
 *
 * \warning    Upon return, \p stream_block contains sensitive data. Its
 *             content must not be written to insecure storage and should be
 *             securely discarded as soon as it's no longer needed.
 *
 * \param ctx              The AES context to use for encryption or decryption.
 *                         It must be initialized and bound to a key.
 * \param length           The length of the input data.
 * \param nc_off           The offset in the current \p stream_block, for
 *                         resuming within the current cipher stream. The
 *                         offset pointer should be 0 at the start of a stream.
 *                         It must point to a valid \c size_t.
 * \param nonce_counter    The 128-bit nonce and counter.
 *                         It must be a readable-writeable buffer of \c 16 Bytes.
 * \param stream_block     The saved stream block for resuming. This is
 *                         overwritten by the function.
 *                         It must be a readable-writeable buffer of \c 16 Bytes.
 * \param input            The buffer holding the input data.
 *                         It must be readable and of size \p length Bytes.
 * \param output           The buffer holding the output data.
 *                         It must be writeable and of size \p length Bytes.
 *
 * \return                 \c 0 on success.
 */
 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
                       size_t length,
@ -615,30 +251,30 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 /**
- * \brief           Internal AES block encryption function. This is only
+ * \brief           Internal AES block encryption function
- *                  exposed to allow overriding it using
+ *                  (Only exposed to allow overriding it,
- *                  \c MBEDTLS_AES_ENCRYPT_ALT.
+ *                  see MBEDTLS_AES_ENCRYPT_ALT)
 *
- * \param ctx       The AES context to use for encryption.
+ * \param ctx       AES context
- * \param input     The plaintext block.
+ * \param input     Plaintext block
- * \param output    The output (ciphertext) block.
+ * \param output    Output (ciphertext) block
 *
- * \return          \c 0 on success.
+ * \return          0 if successful
 */
 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16] );
 /**
- * \brief           Internal AES block decryption function. This is only
+ * \brief           Internal AES block decryption function
- *                  exposed to allow overriding it using see
+ *                  (Only exposed to allow overriding it,
- *                  \c MBEDTLS_AES_DECRYPT_ALT.
+ *                  see MBEDTLS_AES_DECRYPT_ALT)
 *
- * \param ctx       The AES context to use for decryption.
+ * \param ctx       AES context
- * \param input     The ciphertext block.
+ * \param input     Ciphertext block
- * \param output    The output (plaintext) block.
+ * \param output    Output (plaintext) block
 *
- * \return          \c 0 on success.
+ * \return          0 if successful
 */
 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
@ -654,11 +290,11 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
 * \brief           Deprecated internal AES block encryption function
 *                  without return value.
 *
- * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
+ * \deprecated      Superseded by mbedtls_aes_encrypt_ext() in 2.5.0
 *
- * \param ctx       The AES context to use for encryption.
+ * \param ctx       AES context
- * \param input     Plaintext block.
+ * \param input     Plaintext block
- * \param output    Output (ciphertext) block.
+ * \param output    Output (ciphertext) block
 */
 MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
                                             const unsigned char input[16],
@ -668,11 +304,11 @@ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
 * \brief           Deprecated internal AES block decryption function
 *                  without return value.
 *
- * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
+ * \deprecated      Superseded by mbedtls_aes_decrypt_ext() in 2.5.0
 *
- * \param ctx       The AES context to use for decryption.
+ * \param ctx       AES context
- * \param input     Ciphertext block.
+ * \param input     Ciphertext block
- * \param output    Output (plaintext) block.
+ * \param output    Output (plaintext) block
 */
 MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
                                             const unsigned char input[16],
@ -681,18 +317,25 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #ifdef __cplusplus
 }
 #endif
 #else  /* MBEDTLS_AES_ALT */
 #include "aes_alt.h"
 #endif /* MBEDTLS_AES_ALT */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if defined(MBEDTLS_SELF_TEST)
 /**
- * \brief          Checkup routine.
+ * \brief          Checkup routine
 *
- * \return         \c 0 on success.
+ * \return         0 if successful, or 1 if the test failed
 * \return         \c 1 on failure.
 */
 int mbedtls_aes_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/aesni.h
+++ b/include/mbedtls/aesni.h
@ -3,18 +3,8 @@
 *
 * \brief AES-NI for hardware AES acceleration on some Intel processors
 *
- * \warning These functions are only for internal use by other library
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          functions; you must not call them directly.
+ *  SPDX-License-Identifier: Apache-2.0
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -28,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_AESNI_H
 #define MBEDTLS_AESNI_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "aes.h"
 #define MBEDTLS_AESNI_AES      0x02000000u
@ -76,10 +41,7 @@ extern "C" {
 #endif
 /**
- * \brief          Internal function to detect the AES-NI feature in CPUs.
+ * \brief          AES-NI features detection routine
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param what     The feature to detect
 *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
@ -89,10 +51,7 @@ extern "C" {
 int mbedtls_aesni_has_support( unsigned int what );
 /**
- * \brief          Internal AES-NI AES-ECB block encryption and decryption
+ * \brief          AES-NI AES-ECB block en(de)cryption
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param ctx      AES context
 * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@ -102,15 +61,12 @@ int mbedtls_aesni_has_support( unsigned int what );
 * \return         0 on success (cannot fail)
 */
 int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
-                             int mode,
+                     int mode,
-                             const unsigned char input[16],
+                     const unsigned char input[16],
-                             unsigned char output[16] );
+                     unsigned char output[16] );
 /**
- * \brief          Internal GCM multiplication: c = a * b in GF(2^128)
+ * \brief          GCM multiplication: c = a * b in GF(2^128)
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param c        Result
 * \param a        First operand
@ -120,29 +76,21 @@ int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
 *                 elements of GF(2^128) as per the GCM spec.
 */
 void mbedtls_aesni_gcm_mult( unsigned char c[16],
-                             const unsigned char a[16],
+                     const unsigned char a[16],
-                             const unsigned char b[16] );
+                     const unsigned char b[16] );
 /**
- * \brief           Internal round key inversion. This function computes
+ * \brief           Compute decryption round keys from encryption round keys
 *                  decryption round keys from the encryption round keys.
 *
 * \note            This function is only for internal use by other library
 *                  functions; you must not call it directly.
 *
 * \param invkey    Round keys for the equivalent inverse cipher
 * \param fwdkey    Original round keys (for encryption)
 * \param nr        Number of rounds (that is, number of round keys minus one)
 */
 void mbedtls_aesni_inverse_key( unsigned char *invkey,
-                                const unsigned char *fwdkey,
+                        const unsigned char *fwdkey, int nr );
                                int nr );
 /**
- * \brief           Internal key expansion for encryption
+ * \brief           Perform key expansion (for encryption)
 *
 * \note            This function is only for internal use by other library
 *                  functions; you must not call it directly.
 *
 * \param rk        Destination buffer where the round keys are written
 * \param key       Encryption key
@ -151,8 +99,8 @@ void mbedtls_aesni_inverse_key( unsigned char *invkey,
 * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
 */
 int mbedtls_aesni_setkey_enc( unsigned char *rk,
-                              const unsigned char *key,
+                      const unsigned char *key,
-                              size_t bits );
+                      size_t bits );
 #ifdef __cplusplus
 }
--- a/include/mbedtls/arc4.h
+++ b/include/mbedtls/arc4.h
@ -3,18 +3,8 @@
 *
 * \brief The ARCFOUR stream cipher
 *
- * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *            security risk. We recommend considering stronger ciphers instead.
+ *  SPDX-License-Identifier: Apache-2.0
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -28,27 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 *
 */
 #ifndef MBEDTLS_ARC4_H
 #define MBEDTLS_ARC4_H
@ -61,25 +31,18 @@
 #include <stddef.h>
-/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#if !defined(MBEDTLS_ARC4_ALT)
-#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
+// Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_ARC4_ALT)
 // Regular implementation
 //
 /**
- * \brief     ARC4 context structure
+ * \brief          ARC4 context structure
 *
 * \warning   ARC4 is considered a weak cipher and its use constitutes a
 *            security risk. We recommend considering stronger ciphers instead.
 *
 */
-typedef struct mbedtls_arc4_context
+typedef struct
 {
    int x;                      /*!< permutation index */
    int y;                      /*!< permutation index */
@ -87,19 +50,10 @@ typedef struct mbedtls_arc4_context
 }
 mbedtls_arc4_context;
 #else  /* MBEDTLS_ARC4_ALT */
 #include "arc4_alt.h"
 #endif /* MBEDTLS_ARC4_ALT */
 /**
 * \brief          Initialize ARC4 context
 *
 * \param ctx      ARC4 context to be initialized
 *
 * \warning        ARC4 is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 *
 */
 void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
@ -107,11 +61,6 @@ void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
 * \brief          Clear ARC4 context
 *
 * \param ctx      ARC4 context to be cleared
 *
 * \warning        ARC4 is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 *
 */
 void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
@ -121,11 +70,6 @@ void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
 * \param ctx      ARC4 context to be setup
 * \param key      the secret key
 * \param keylen   length of the key, in bytes
 *
 * \warning        ARC4 is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 *
 */
 void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
                 unsigned int keylen );
@ -139,31 +83,29 @@ void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
 * \param output   buffer for the output data
 *
 * \return         0 if successful
 *
 * \warning        ARC4 is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 *
 */
 int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
                unsigned char *output );
-#if defined(MBEDTLS_SELF_TEST)
+#ifdef __cplusplus
 }
 #endif
 #else  /* MBEDTLS_ARC4_ALT */
 #include "arc4_alt.h"
 #endif /* MBEDTLS_ARC4_ALT */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 *
 * \warning        ARC4 is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 *
 */
 int mbedtls_arc4_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/aria.h
+++ b/include/mbedtls/aria.h
@ -1,396 +0,0 @@
 /**
 * \file aria.h
 *
 * \brief ARIA block cipher
 *
 *        The ARIA algorithm is a symmetric block cipher that can encrypt and
 *        decrypt information. It is defined by the Korean Agency for
 *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
 *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
 *        and also described by the IETF in <em>RFC 5794</em>.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ARIA_H
 #define MBEDTLS_ARIA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 #include "platform_util.h"
 #define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
 #define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
 #define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
 #define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maxiumum number of rounds in ARIA. */
 #define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
 #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
 /* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
 */
 #define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
 /* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
 #if !defined(MBEDTLS_ARIA_ALT)
 // Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief The ARIA context-type definition.
 */
 typedef struct mbedtls_aria_context
 {
    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
    /*! The ARIA round keys. */
    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
 }
 mbedtls_aria_context;
 #else  /* MBEDTLS_ARIA_ALT */
 #include "aria_alt.h"
 #endif /* MBEDTLS_ARIA_ALT */
 /**
 * \brief          This function initializes the specified ARIA context.
 *
 *                 It must be the first API called before using
 *                 the context.
 *
 * \param ctx      The ARIA context to initialize. This must not be \c NULL.
 */
 void mbedtls_aria_init( mbedtls_aria_context *ctx );
 /**
 * \brief          This function releases and clears the specified ARIA context.
 *
 * \param ctx      The ARIA context to clear. This may be \c NULL, in which
 *                 case this function returns immediately. If it is not \c NULL,
 *                 it must point to an initialized ARIA context.
 */
 void mbedtls_aria_free( mbedtls_aria_context *ctx );
 /**
 * \brief          This function sets the encryption key.
 *
 * \param ctx      The ARIA context to which the key should be bound.
 *                 This must be initialized.
 * \param key      The encryption key. This must be a readable buffer
 *                 of size \p keybits Bits.
 * \param keybits  The size of \p key in Bits. Valid options are:
 *                 <ul><li>128 bits</li>
 *                 <li>192 bits</li>
 *                 <li>256 bits</li></ul>
 *
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
 */
 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
                             const unsigned char *key,
                             unsigned int keybits );
 /**
 * \brief          This function sets the decryption key.
 *
 * \param ctx      The ARIA context to which the key should be bound.
 *                 This must be initialized.
 * \param key      The decryption key. This must be a readable buffer
 *                 of size \p keybits Bits.
 * \param keybits  The size of data passed. Valid options are:
 *                 <ul><li>128 bits</li>
 *                 <li>192 bits</li>
 *                 <li>256 bits</li></ul>
 *
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
 */
 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
                             const unsigned char *key,
                             unsigned int keybits );
 /**
 * \brief          This function performs an ARIA single-block encryption or
 *                 decryption operation.
 *
 *                 It performs encryption or decryption (depending on whether
 *                 the key was set for encryption on decryption) on the input
 *                 data buffer defined in the \p input parameter.
 *
 *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
 *                 mbedtls_aria_setkey_dec() must be called before the first
 *                 call to this API with the same context.
 *
 * \param ctx      The ARIA context to use for encryption or decryption.
 *                 This must be initialized and bound to a key.
 * \param input    The 16-Byte buffer holding the input data.
 * \param output   The 16-Byte buffer holding the output data.
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
 */
 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
 * \brief  This function performs an ARIA-CBC encryption or decryption operation
 *         on full blocks.
 *
 *         It performs the operation defined in the \p mode
 *         parameter (encrypt/decrypt), on the input data buffer defined in
 *         the \p input parameter.
 *
 *         It can be called as many times as needed, until all the input
 *         data is processed. mbedtls_aria_init(), and either
 *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
 *         before the first call to this API with the same context.
 *
 * \note   This function operates on aligned blocks, that is, the input size
 *         must be a multiple of the ARIA block size of 16 Bytes.
 *
 * \note   Upon exit, the content of the IV is updated so that you can
 *         call the same function again on the next
 *         block(s) of data and get the same result as if it was
 *         encrypted in one call. This allows a "streaming" usage.
 *         If you need to retain the contents of the IV, you should
 *         either save it manually or use the cipher module instead.
 *
 *
 * \param ctx      The ARIA context to use for encryption or decryption.
 *                 This must be initialized and bound to a key.
 * \param mode     The mode of operation. This must be either
 *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
 *                 #MBEDTLS_ARIA_DECRYPT for decryption.
 * \param length   The length of the input data in Bytes. This must be a
 *                 multiple of the block size (16 Bytes).
 * \param iv       Initialization vector (updated after use).
 *                 This must be a readable buffer of size 16 Bytes.
 * \param input    The buffer holding the input data. This must
 *                 be a readable buffer of length \p length Bytes.
 * \param output   The buffer holding the output data. This must
 *                 be a writable buffer of length \p length Bytes.
 *
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
 */
 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
                            int mode,
                            size_t length,
                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
                            const unsigned char *input,
                            unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
 * \brief This function performs an ARIA-CFB128 encryption or decryption
 *        operation.
 *
 *        It performs the operation defined in the \p mode
 *        parameter (encrypt or decrypt), on the input data buffer
 *        defined in the \p input parameter.
 *
 *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
 *        regardless of whether you are performing an encryption or decryption
 *        operation, that is, regardless of the \p mode parameter. This is
 *        because CFB mode uses the same key schedule for encryption and
 *        decryption.
 *
 * \note  Upon exit, the content of the IV is updated so that you can
 *        call the same function again on the next
 *        block(s) of data and get the same result as if it was
 *        encrypted in one call. This allows a "streaming" usage.
 *        If you need to retain the contents of the
 *        IV, you must either save it manually or use the cipher
 *        module instead.
 *
 *
 * \param ctx      The ARIA context to use for encryption or decryption.
 *                 This must be initialized and bound to a key.
 * \param mode     The mode of operation. This must be either
 *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
 *                 #MBEDTLS_ARIA_DECRYPT for decryption.
 * \param length   The length of the input data \p input in Bytes.
 * \param iv_off   The offset in IV (updated after use).
 *                 This must not be larger than 15.
 * \param iv       The initialization vector (updated after use).
 *                 This must be a readable buffer of size 16 Bytes.
 * \param input    The buffer holding the input data. This must
 *                 be a readable buffer of length \p length Bytes.
 * \param output   The buffer holding the output data. This must
 *                 be a writable buffer of length \p length Bytes.
 *
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
 */
 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
                               int mode,
                               size_t length,
                               size_t *iv_off,
                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
                               const unsigned char *input,
                               unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
 * \brief      This function performs an ARIA-CTR encryption or decryption
 *             operation.
 *
 *             This function performs the operation defined in the \p mode
 *             parameter (encrypt/decrypt), on the input data buffer
 *             defined in the \p input parameter.
 *
 *             Due to the nature of CTR, you must use the same key schedule
 *             for both encryption and decryption operations. Therefore, you
 *             must use the context initialized with mbedtls_aria_setkey_enc()
 *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
 *
 * \warning    You must never reuse a nonce value with the same key. Doing so
 *             would void the encryption for the two messages encrypted with
 *             the same nonce and key.
 *
 *             There are two common strategies for managing nonces with CTR:
 *
 *             1. You can handle everything as a single message processed over
 *             successive calls to this function. In that case, you want to
 *             set \p nonce_counter and \p nc_off to 0 for the first call, and
 *             then preserve the values of \p nonce_counter, \p nc_off and \p
 *             stream_block across calls to this function as they will be
 *             updated by this function.
 *
 *             With this strategy, you must not encrypt more than 2**128
 *             blocks of data with the same key.
 *
 *             2. You can encrypt separate messages by dividing the \p
 *             nonce_counter buffer in two areas: the first one used for a
 *             per-message nonce, handled by yourself, and the second one
 *             updated by this function internally.
 *
 *             For example, you might reserve the first 12 bytes for the
 *             per-message nonce, and the last 4 bytes for internal use. In that
 *             case, before calling this function on a new message you need to
 *             set the first 12 bytes of \p nonce_counter to your chosen nonce
 *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
 *             stream_block to be ignored). That way, you can encrypt at most
 *             2**96 messages of up to 2**32 blocks each with the same key.
 *
 *             The per-message nonce (or information sufficient to reconstruct
 *             it) needs to be communicated with the ciphertext and must be unique.
 *             The recommended way to ensure uniqueness is to use a message
 *             counter. An alternative is to generate random nonces, but this
 *             limits the number of messages that can be securely encrypted:
 *             for example, with 96-bit random nonces, you should not encrypt
 *             more than 2**32 messages with the same key.
 *
 *             Note that for both stategies, sizes are measured in blocks and
 *             that an ARIA block is 16 bytes.
 *
 * \warning    Upon return, \p stream_block contains sensitive data. Its
 *             content must not be written to insecure storage and should be
 *             securely discarded as soon as it's no longer needed.
 *
 * \param ctx              The ARIA context to use for encryption or decryption.
 *                         This must be initialized and bound to a key.
 * \param length           The length of the input data \p input in Bytes.
 * \param nc_off           The offset in Bytes in the current \p stream_block,
 *                         for resuming within the current cipher stream. The
 *                         offset pointer should be \c 0 at the start of a
 *                         stream. This must not be larger than \c 15 Bytes.
 * \param nonce_counter    The 128-bit nonce and counter. This must point to
 *                         a read/write buffer of length \c 16 bytes.
 * \param stream_block     The saved stream block for resuming. This must
 *                         point to a read/write buffer of length \c 16 bytes.
 *                         This is overwritten by the function.
 * \param input            The buffer holding the input data. This must
 *                         be a readable buffer of length \p length Bytes.
 * \param output           The buffer holding the output data. This must
 *                         be a writable buffer of length \p length Bytes.
 *
 * \return                 \c 0 on success.
 * \return                 A negative error code on failure.
 */
 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
                            size_t length,
                            size_t *nc_off,
                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
                            const unsigned char *input,
                            unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine.
 *
 * \return         \c 0 on success, or \c 1 on failure.
 */
 int mbedtls_aria_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* aria.h */
--- a/include/mbedtls/asn1.h
+++ b/include/mbedtls/asn1.h
@ -2,16 +2,9 @@
 * \file asn1.h
 *
 * \brief Generic ASN.1 parsing
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ASN1_H
 #define MBEDTLS_ASN1_H
@ -85,7 +59,7 @@
 /**
 * \name DER constants
- * These constants comply with the DER encoded ASN.1 type tags.
+ * These constants comply with DER encoded the ANS1 type tags.
 * DER encoding uses hexadecimal representation.
 * An example DER sequence is:\n
 * - 0x02 -- tag indicating INTEGER
@ -113,21 +87,6 @@
 #define MBEDTLS_ASN1_PRIMITIVE               0x00
 #define MBEDTLS_ASN1_CONSTRUCTED             0x20
 #define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
 /*
 * Bit masks for each of the components of an ASN.1 tag as specified in
 * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
 * paragraph 8.1.2.2:
 *
 * Bit  8     7   6   5          1
 *     +-------+-----+------------+
 *     | Class | P/C | Tag number |
 *     +-------+-----+------------+
 */
 #define MBEDTLS_ASN1_TAG_CLASS_MASK          0xC0
 #define MBEDTLS_ASN1_TAG_PC_MASK             0x20
 #define MBEDTLS_ASN1_TAG_VALUE_MASK          0x1F
 /* \} name */
 /* \} addtogroup asn1_module */
--- a/include/mbedtls/asn1write.h
+++ b/include/mbedtls/asn1write.h
@ -2,16 +2,9 @@
 * \file asn1write.h
 *
 * \brief ASN.1 buffer writing functionality
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,305 +18,198 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "asn1.h"
-#define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
+#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
-    do                                                  \
+                                g += ret; } while( 0 )
    {                                                   \
        if( ( ret = (f) ) < 0 )                         \
            return( ret );                              \
        else                                            \
            (g) += ret;                                 \
    } while( 0 )
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * \brief           Write a length field in ASN.1 format.
+ * \brief           Write a length field in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param len       the length to write
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param len       The length value to write.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
-int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
                            size_t len );
 /**
 * \brief           Write an ASN.1 tag in ASN.1 format.
 *
 * \note            This function works backwards in data buffer.
 *
 * \param p         The reference to the current position pointer.
 * \param start     The start of the buffer, for bounds-checking.
 * \param tag       The tag to write.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
                            unsigned char tag );
 /**
- * \brief           Write raw buffer data.
+ * \brief           Write a ASN.1 tag in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param tag       the tag to write
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
- * \param start     The start of the buffer, for bounds-checking.
+ */
- * \param buf       The data buffer to write.
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
- * \param size      The length of the data buffer.
+                    unsigned char tag );
 /**
 * \brief           Write raw buffer data
 *                  Note: function works backwards in data buffer
 *
- * \return          The number of bytes written to \p p on success.
+ * \param p         reference to current position pointer
- * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ * \param start     start of the buffer (for bounds-checking)
 * \param buf       data buffer to write
 * \param size      length of the data buffer
 *
 * \return          the length written or a negative error code
 */
 int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
-                                   const unsigned char *buf, size_t size );
+                           const unsigned char *buf, size_t size );
 #if defined(MBEDTLS_BIGNUM_C)
 /**
- * \brief           Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ * \brief           Write a big number (MBEDTLS_ASN1_INTEGER) in ASN.1 format
- *                  in ASN.1 format.
+ *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param X         the MPI to write
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param X         The MPI to write.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
-int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X );
                            const mbedtls_mpi *X );
 #endif /* MBEDTLS_BIGNUM_C */
 /**
- * \brief           Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ * \brief           Write a NULL tag (MBEDTLS_ASN1_NULL) with zero data in ASN.1 format
- *                  in ASN.1 format.
+ *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
 /**
- * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ * \brief           Write an OID tag (MBEDTLS_ASN1_OID) and data in ASN.1 format
- *                  in ASN.1 format.
+ *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param oid       the OID to write
 * \param oid_len   length of the OID
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param oid       The OID to write.
 * \param oid_len   The length of the OID.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
-                            const char *oid, size_t oid_len );
+                    const char *oid, size_t oid_len );
 /**
- * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
- *
+ * \param start     start of the buffer (for bounds-checking)
- * \param p         The reference to the current position pointer.
+ * \param oid       the OID of the algorithm
- * \param start     The start of the buffer, for bounds-checking.
+ * \param oid_len   length of the OID
- * \param oid       The OID of the algorithm to write.
+ * \param par_len   length of parameters, which must be already written.
 * \param oid_len   The length of the algorithm's OID.
 * \param par_len   The length of the parameters, which must be already written.
 *                  If 0, NULL parameters are added
 *
- * \return          The number of bytes written to \p p on success.
+ * \return          the length written or a negative error code
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
-int mbedtls_asn1_write_algorithm_identifier( unsigned char **p,
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
-                                             unsigned char *start,
+                                     const char *oid, size_t oid_len,
-                                             const char *oid, size_t oid_len,
+                                     size_t par_len );
                                             size_t par_len );
 /**
- * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ * \brief           Write a boolean tag (MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format
- *                  in ASN.1 format.
+ *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param boolean   0 or 1
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param boolean   The boolean value to write, either \c 0 or \c 1.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
-int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean );
                             int boolean );
 /**
- * \brief           Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ * \brief           Write an int tag (MBEDTLS_ASN1_INTEGER) and value in ASN.1 format
- *                  in ASN.1 format.
+ *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param val       the integer value
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param val       The integer value to write.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
 /**
- * \brief           Write a string in ASN.1 format using a specific
+ * \brief           Write a printable string tag (MBEDTLS_ASN1_PRINTABLE_STRING) and
- *                  string encoding tag.
+ *                  value in ASN.1 format
-
+ *                  Note: function works backwards in data buffer
 * \note            This function works backwards in data buffer.
 *
- * \param p         The reference to the current position pointer.
+ * \param p         reference to current position pointer
- * \param start     The start of the buffer, for bounds-checking.
+ * \param start     start of the buffer (for bounds-checking)
- * \param tag       The string encoding tag to write, e.g.
+ * \param text      the text to write
- *                  #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text_len  length of the text
 * \param text      The string to write.
 * \param text_len  The length of \p text in bytes (which might
 *                  be strictly larger than the number of characters).
 *
- * \return          The number of bytes written to \p p on success.
+ * \return          the length written or a negative error code
 * \return          A negative error code on failure.
 */
-int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
-                                      int tag, const char *text,
+                                 const char *text, size_t text_len );
                                      size_t text_len );
 /**
- * \brief           Write a string in ASN.1 format using the PrintableString
+ * \brief           Write an IA5 string tag (MBEDTLS_ASN1_IA5_STRING) and
- *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *                  value in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param text      the text to write
 * \param text_len  length of the text
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param text      The string to write.
 * \param text_len  The length of \p text in bytes (which might
 *                  be strictly larger than the number of characters).
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_printable_string( unsigned char **p,
                                         unsigned char *start,
                                         const char *text, size_t text_len );
 /**
 * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
 *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
 *
 * \note            This function works backwards in data buffer.
 *
 * \param p         The reference to the current position pointer.
 * \param start     The start of the buffer, for bounds-checking.
 * \param text      The string to write.
 * \param text_len  The length of \p text in bytes (which might
 *                  be strictly larger than the number of characters).
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
                                    const char *text, size_t text_len );
 /**
 * \brief           Write a string in ASN.1 format using the IA5String
 *                  string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
 *
 * \note            This function works backwards in data buffer.
 *
 * \param p         The reference to the current position pointer.
 * \param start     The start of the buffer, for bounds-checking.
 * \param text      The string to write.
 * \param text_len  The length of \p text in bytes (which might
 *                  be strictly larger than the number of characters).
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
-                                   const char *text, size_t text_len );
+                           const char *text, size_t text_len );
 /**
- * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ * \brief           Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- *                  value in ASN.1 format.
+ *                  value in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param buf       the bitstring
 * \param bits      the total number of bits in the bitstring
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param buf       The bitstring to write.
 * \param bits      The total number of bits in the bitstring.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
-                                  const unsigned char *buf, size_t bits );
+                          const unsigned char *buf, size_t bits );
 /**
- * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ * \brief           Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- *                  and value in ASN.1 format.
+ *                  value in ASN.1 format
 *                  Note: function works backwards in data buffer
 *
- * \note            This function works backwards in data buffer.
+ * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
 * \param buf       data buffer to write
 * \param size      length of the data buffer
 *
- * \param p         The reference to the current position pointer.
+ * \return          the length written or a negative error code
 * \param start     The start of the buffer, for bounds-checking.
 * \param buf       The buffer holding the data to write.
 * \param size      The length of the data buffer \p buf.
 *
 * \return          The number of bytes written to \p p on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
-                                     const unsigned char *buf, size_t size );
+                             const unsigned char *buf, size_t size );
 /**
 * \brief           Create or find a specific named_data entry for writing in a
@ -331,16 +217,15 @@ int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
 *                  a new entry is added to the head of the list.
 *                  Warning: Destructive behaviour for the val data!
 *
- * \param list      The pointer to the location of the head of the list to seek
+ * \param list      Pointer to the location of the head of the list to seek
- *                  through (will be updated in case of a new entry).
+ *                  through (will be updated in case of a new entry)
- * \param oid       The OID to look for.
+ * \param oid       The OID to look for
- * \param oid_len   The size of the OID.
+ * \param oid_len   Size of the OID
- * \param val       The data to store (can be \c NULL if you want to fill
+ * \param val       Data to store (can be NULL if you want to fill it by hand)
- *                  it by hand).
+ * \param val_len   Minimum length of the data buffer needed
 * \param val_len   The minimum length of the data buffer needed.
 *
- * \return          A pointer to the new / existing entry on success.
+ * \return      NULL if if there was a memory allocation error, or a pointer
- * \return          \c NULL if if there was a memory allocation error.
+ *              to the new / existing entry.
 */
 mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
                                        const char *oid, size_t oid_len,
--- a/include/mbedtls/base64.h
+++ b/include/mbedtls/base64.h
@ -2,16 +2,9 @@
 * \file base64.h
 *
 * \brief RFC 1521 base64 encoding/decoding
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
@ -106,7 +74,6 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
 int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
                   const unsigned char *src, size_t slen );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
@ -114,8 +81,6 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
 */
 int mbedtls_base64_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
--- a/include/mbedtls/blowfish.h
+++ b/include/mbedtls/blowfish.h
@ -2,16 +2,9 @@
 * \file blowfish.h
 *
 * \brief Blowfish block cipher
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_BLOWFISH_H
 #define MBEDTLS_BLOWFISH_H
@ -58,8 +32,6 @@
 #include <stddef.h>
 #include <stdint.h>
 #include "platform_util.h"
 #define MBEDTLS_BLOWFISH_ENCRYPT     1
 #define MBEDTLS_BLOWFISH_DECRYPT     0
 #define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
@ -67,87 +39,62 @@
 #define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
 #define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH                -0x0016  /**< Invalid key length. */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH              -0x0018  /**< Invalid data input length. */
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
 #define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
 /* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
 */
 #define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_BLOWFISH_ALT)
 // Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          Blowfish context structure
 */
-typedef struct mbedtls_blowfish_context
+typedef struct
 {
    uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
 }
 mbedtls_blowfish_context;
 #else  /* MBEDTLS_BLOWFISH_ALT */
 #include "blowfish_alt.h"
 #endif /* MBEDTLS_BLOWFISH_ALT */
 /**
- * \brief          Initialize a Blowfish context.
+ * \brief          Initialize Blowfish context
 *
- * \param ctx      The Blowfish context to be initialized.
+ * \param ctx      Blowfish context to be initialized
 *                 This must not be \c NULL.
 */
 void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
 /**
- * \brief          Clear a Blowfish context.
+ * \brief          Clear Blowfish context
 *
- * \param ctx      The Blowfish context to be cleared.
+ * \param ctx      Blowfish context to be cleared
 *                 This may be \c NULL, in which case this function
 *                 returns immediately. If it is not \c NULL, it must
 *                 point to an initialized Blowfish context.
 */
 void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
 /**
- * \brief          Perform a Blowfish key schedule operation.
+ * \brief          Blowfish key schedule
 *
- * \param ctx      The Blowfish context to perform the key schedule on.
+ * \param ctx      Blowfish context to be initialized
- * \param key      The encryption key. This must be a readable buffer of
+ * \param key      encryption key
- *                 length \p keybits Bits.
+ * \param keybits  must be between 32 and 448 bits
 * \param keybits  The length of \p key in Bits. This must be between
 *                 \c 32 and \c 448 and a multiple of \c 8.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
 * \return         A negative error code on failure.
 */
 int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
                     unsigned int keybits );
 /**
- * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
+ * \brief          Blowfish-ECB block encryption/decryption
 *
- * \param ctx      The Blowfish context to use. This must be initialized
+ * \param ctx      Blowfish context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param mode     The mode of operation. Possible values are
+ * \param input    8-byte input block
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * \param output   8-byte output block
 *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
 * \param input    The input block. This must be a readable buffer
 *                 of size \c 8 Bytes.
 * \param output   The output block. This must be a writable buffer
 *                 of size \c 8 Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful
 * \return         A negative error code on failure.
 */
 int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
                        int mode,
@ -156,7 +103,9 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
+ * \brief          Blowfish-CBC buffer encryption/decryption
 *                 Length should be a multiple of the block
 *                 size (8 bytes)
 *
 * \note           Upon exit, the content of the IV is updated so that you can
 *                 call the function same function again on the following
@ -166,22 +115,15 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \param ctx      The Blowfish context to use. This must be initialized
+ * \param ctx      Blowfish context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param mode     The mode of operation. Possible values are
+ * \param length   length of the input data
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * \param iv       initialization vector (updated after use)
- *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input    buffer holding the input data
- * \param length   The length of the input data in Bytes. This must be
+ * \param output   buffer holding the output data
 *                 multiple of \c 8.
 * \param iv       The initialization vector. This must be a read/write buffer
 *                 of length \c 8 Bytes. It is updated by this function.
 * \param input    The input data. This must be a readable buffer of length
 *                 \p length Bytes.
 * \param output   The output data. This must be a writable buffer of length
 *                 \p length Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or
- * \return         A negative error code on failure.
+ *                 MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
 */
 int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
                        int mode,
@ -193,7 +135,7 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
+ * \brief          Blowfish CFB buffer encryption/decryption.
 *
 * \note           Upon exit, the content of the IV is updated so that you can
 *                 call the function same function again on the following
@ -203,25 +145,15 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \param ctx      The Blowfish context to use. This must be initialized
+ * \param ctx      Blowfish context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param mode     The mode of operation. Possible values are
+ * \param length   length of the input data
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * \param iv_off   offset in IV (updated after use)
- *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param iv       initialization vector (updated after use)
- * \param length   The length of the input data in Bytes.
+ * \param input    buffer holding the input data
- * \param iv_off   The offset in the initialiation vector.
+ * \param output   buffer holding the output data
 *                 The value pointed to must be smaller than \c 8 Bytes.
 *                 It is updated by this function to support the aforementioned
 *                 streaming usage.
 * \param iv       The initialization vector. This must be a read/write buffer
 *                 of size \c 8 Bytes. It is updated after use.
 * \param input    The input data. This must be a readable buffer of length
 *                 \p length Bytes.
 * \param output   The output data. This must be a writable buffer of length
 *                 \p length Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful
 * \return         A negative error code on failure.
 */
 int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
                          int mode,
@ -234,67 +166,22 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
+ * \brief               Blowfish-CTR buffer encryption/decryption
 *
- * \warning    You must never reuse a nonce value with the same key. Doing so
+ * Warning: You have to keep the maximum use of your counter in mind!
 *             would void the encryption for the two messages encrypted with
 *             the same nonce and key.
 *
- *             There are two common strategies for managing nonces with CTR:
+ * \param ctx           Blowfish context
- *
+ * \param length        The length of the data
 *             1. You can handle everything as a single message processed over
 *             successive calls to this function. In that case, you want to
 *             set \p nonce_counter and \p nc_off to 0 for the first call, and
 *             then preserve the values of \p nonce_counter, \p nc_off and \p
 *             stream_block across calls to this function as they will be
 *             updated by this function.
 *
 *             With this strategy, you must not encrypt more than 2**64
 *             blocks of data with the same key.
 *
 *             2. You can encrypt separate messages by dividing the \p
 *             nonce_counter buffer in two areas: the first one used for a
 *             per-message nonce, handled by yourself, and the second one
 *             updated by this function internally.
 *
 *             For example, you might reserve the first 4 bytes for the
 *             per-message nonce, and the last 4 bytes for internal use. In that
 *             case, before calling this function on a new message you need to
 *             set the first 4 bytes of \p nonce_counter to your chosen nonce
 *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
 *             stream_block to be ignored). That way, you can encrypt at most
 *             2**32 messages of up to 2**32 blocks each with the same key.
 *
 *             The per-message nonce (or information sufficient to reconstruct
 *             it) needs to be communicated with the ciphertext and must be unique.
 *             The recommended way to ensure uniqueness is to use a message
 *             counter.
 *
 *             Note that for both stategies, sizes are measured in blocks and
 *             that a Blowfish block is 8 bytes.
 *
 * \warning    Upon return, \p stream_block contains sensitive data. Its
 *             content must not be written to insecure storage and should be
 *             securely discarded as soon as it's no longer needed.
 *
 * \param ctx           The Blowfish context to use. This must be initialized
 *                      and bound to a key.
 * \param length        The length of the input data in Bytes.
 * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer
+ *                      within current cipher stream). The offset pointer to
- *                      should be \c 0 at the start of a stream and must be
+ *                      should be 0 at the start of a stream.
- *                      smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter.
- * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      read/write buffer of length \c 8 Bytes.
+ *                      by the function.
- * \param stream_block  The saved stream-block for resuming. This must point to
+ * \param input         The input data stream
- *                      a read/write buffer of length \c 8 Bytes.
+ * \param output        The output data stream
 * \param input         The input data. This must be a readable buffer of
 *                      length \p length Bytes.
 * \param output        The output data. This must be a writable buffer of
 *                      length \p length Bytes.
 *
- * \return              \c 0 if successful.
+ * \return         0 if successful
 * \return              A negative error code on failure.
 */
 int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
                        size_t length,
@ -309,4 +196,8 @@ int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
 }
 #endif
 #else  /* MBEDTLS_BLOWFISH_ALT */
 #include "blowfish_alt.h"
 #endif /* MBEDTLS_BLOWFISH_ALT */
 #endif /* blowfish.h */
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@ -1,17 +1,10 @@
 /**
 * \file bn_mul.h
 *
- * \brief Multi-precision integer library
+ * \brief  Multi-precision integer library
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
 *      Multiply source vector [s] with b, add result
@ -63,12 +37,6 @@
 #ifndef MBEDTLS_BN_MUL_H
 #define MBEDTLS_BN_MUL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "bignum.h"
 #if defined(MBEDTLS_HAVE_ASM)
@ -80,14 +48,7 @@
 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
 #if defined(__GNUC__) && \
    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
-
+#if defined(__i386__)
 /*
 * Disable use of the i386 assembly code below if option -O0, to disable all
 * compiler optimisations, is passed, detected with __OPTIMIZE__
 * This is done as the number of registers used in the assembly code doesn't
 * work with the -O0 option.
 */
 #if defined(__i386__) && defined(__OPTIMIZE__)
 #define MULADDC_INIT                        \
    asm(                                    \
@ -180,7 +141,7 @@
        "movl   %%esi, %3       \n\t"   \
        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+        : "eax", "ecx", "edx", "esi", "edi"             \
    );
 #else
@ -192,7 +153,7 @@
        "movl   %%esi, %3       \n\t"   \
        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+        : "eax", "ecx", "edx", "esi", "edi"             \
    );
 #endif /* SSE2 */
 #endif /* i386 */
@ -201,19 +162,19 @@
 #define MULADDC_INIT                        \
    asm(                                    \
-        "xorq   %%r8, %%r8\n"
+        "xorq   %%r8, %%r8          \n\t"
 #define MULADDC_CORE                        \
-        "movq   (%%rsi), %%rax\n"           \
+        "movq   (%%rsi), %%rax      \n\t"   \
-        "mulq   %%rbx\n"                    \
+        "mulq   %%rbx               \n\t"   \
-        "addq   $8, %%rsi\n"                \
+        "addq   $8,      %%rsi      \n\t"   \
-        "addq   %%rcx, %%rax\n"             \
+        "addq   %%rcx,   %%rax      \n\t"   \
-        "movq   %%r8, %%rcx\n"              \
+        "movq   %%r8,    %%rcx      \n\t"   \
-        "adcq   $0, %%rdx\n"                \
+        "adcq   $0,      %%rdx      \n\t"   \
-        "nop    \n"                         \
+        "nop                        \n\t"   \
-        "addq   %%rax, (%%rdi)\n"           \
+        "addq   %%rax,   (%%rdi)    \n\t"   \
-        "adcq   %%rdx, %%rcx\n"             \
+        "adcq   %%rdx,   %%rcx      \n\t"   \
-        "addq   $8, %%rdi\n"
+        "addq   $8,      %%rdi      \n\t"
 #define MULADDC_STOP                        \
        : "+c" (c), "+D" (d), "+S" (s)      \
@ -559,7 +520,7 @@
        "swi   r3,   %2         \n\t"   \
        : "=m" (c), "=m" (d), "=m" (s)              \
        : "m" (s), "m" (d), "m" (c), "m" (b)        \
-        : "r3", "r4", "r5", "r6", "r7", "r8",       \
+        : "r3", "r4"  "r5", "r6", "r7", "r8",       \
          "r9", "r10", "r11", "r12", "r13"          \
    );
@ -596,8 +557,9 @@
 #endif /* TriCore */
 /*
- * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
- * our use of r7 below, unless -fomit-frame-pointer is passed.
+ * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
 * passing that option is not easy when building with yotta.
 *
 * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
 * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
@ -667,24 +629,6 @@
           "r6", "r7", "r8", "r9", "cc"         \
         );
 #elif (__ARM_ARCH >= 6) && \
    defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
 #define MULADDC_INIT                            \
    asm(
 #define MULADDC_CORE                            \
            "ldr    r0, [%0], #4        \n\t"   \
            "ldr    r1, [%1]            \n\t"   \
            "umaal  r1, %2, %3, r0      \n\t"   \
            "str    r1, [%1], #4        \n\t"
 #define MULADDC_STOP                            \
         : "=r" (s),  "=r" (d), "=r" (c)        \
         : "r" (b), "0" (s), "1" (d), "2" (c)   \
         : "r0", "r1", "memory"                 \
         );
 #else
 #define MULADDC_INIT                                    \
@ -782,7 +726,7 @@
        "sw     $10, %2         \n\t"   \
        : "=m" (c), "=m" (d), "=m" (s)                      \
        : "m" (s), "m" (d), "m" (c), "m" (b)                \
-        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15"    \
    );
 #endif /* MIPS */
--- a/include/mbedtls/camellia.h
+++ b/include/mbedtls/camellia.h
@ -2,16 +2,9 @@
 * \file camellia.h
 *
 * \brief Camellia block cipher
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CAMELLIA_H
 #define MBEDTLS_CAMELLIA_H
@ -58,107 +32,77 @@
 #include <stddef.h>
 #include <stdint.h>
 #include "platform_util.h"
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH           -0x0024  /**< Invalid key length. */
-#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH         -0x0026  /**< Invalid data input length. */
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
 #define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
 /* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
 */
 #define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_CAMELLIA_ALT)
 // Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          CAMELLIA context structure
 */
-typedef struct mbedtls_camellia_context
+typedef struct
 {
    int nr;                     /*!<  number of rounds  */
    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
 }
 mbedtls_camellia_context;
 #else  /* MBEDTLS_CAMELLIA_ALT */
 #include "camellia_alt.h"
 #endif /* MBEDTLS_CAMELLIA_ALT */
 /**
- * \brief          Initialize a CAMELLIA context.
+ * \brief          Initialize CAMELLIA context
 *
- * \param ctx      The CAMELLIA context to be initialized.
+ * \param ctx      CAMELLIA context to be initialized
 *                 This must not be \c NULL.
 */
 void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
 /**
- * \brief          Clear a CAMELLIA context.
+ * \brief          Clear CAMELLIA context
 *
- * \param ctx      The CAMELLIA context to be cleared. This may be \c NULL,
+ * \param ctx      CAMELLIA context to be cleared
 *                 in which case this function returns immediately. If it is not
 *                 \c NULL, it must be initialized.
 */
 void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
 /**
- * \brief          Perform a CAMELLIA key schedule operation for encryption.
+ * \brief          CAMELLIA key schedule (encryption)
 *
- * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param ctx      CAMELLIA context to be initialized
- * \param key      The encryption key to use. This must be a readable buffer
+ * \param key      encryption key
- *                 of size \p keybits Bits.
+ * \param keybits  must be 128, 192 or 256
 * \param keybits  The length of \p key in Bits. This must be either \c 128,
 *                 \c 192 or \c 256.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
 * \return         A negative error code on failure.
 */
-int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
-                                 const unsigned char *key,
+                         unsigned int keybits );
                                 unsigned int keybits );
 /**
- * \brief          Perform a CAMELLIA key schedule operation for decryption.
+ * \brief          CAMELLIA key schedule (decryption)
 *
- * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param ctx      CAMELLIA context to be initialized
- * \param key      The decryption key. This must be a readable buffer
+ * \param key      decryption key
- *                 of size \p keybits Bits.
+ * \param keybits  must be 128, 192 or 256
 * \param keybits  The length of \p key in Bits. This must be either \c 128,
 *                 \c 192 or \c 256.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
 * \return         A negative error code on failure.
 */
-int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
-                                 const unsigned char *key,
+                         unsigned int keybits );
                                 unsigned int keybits );
 /**
- * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.
+ * \brief          CAMELLIA-ECB block encryption/decryption
 *
- * \param ctx      The CAMELLIA context to use. This must be initialized
+ * \param ctx      CAMELLIA context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param mode     The mode of operation. This must be either
+ * \param input    16-byte input block
- *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param output   16-byte output block
 * \param input    The input block. This must be a readable buffer
 *                 of size \c 16 Bytes.
 * \param output   The output block. This must be a writable buffer
 *                 of size \c 16 Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful
 * \return         A negative error code on failure.
 */
 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
                    int mode,
@ -167,7 +111,9 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          Perform a CAMELLIA-CBC buffer encryption/decryption operation.
+ * \brief          CAMELLIA-CBC buffer encryption/decryption
 *                 Length should be a multiple of the block
 *                 size (16 bytes)
 *
 * \note           Upon exit, the content of the IV is updated so that you can
 *                 call the function same function again on the following
@ -177,22 +123,15 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \param ctx      The CAMELLIA context to use. This must be initialized
+ * \param ctx      CAMELLIA context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param mode     The mode of operation. This must be either
+ * \param length   length of the input data
- *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param iv       initialization vector (updated after use)
- * \param length   The length in Bytes of the input data \p input.
+ * \param input    buffer holding the input data
- *                 This must be a multiple of \c 16 Bytes.
+ * \param output   buffer holding the output data
 * \param iv       The initialization vector. This must be a read/write buffer
 *                 of length \c 16 Bytes. It is updated to allow streaming
 *                 use as explained above.
 * \param input    The buffer holding the input data. This must point to a
 *                 readable buffer of length \p length Bytes.
 * \param output   The buffer holding the output data. This must point to a
 *                 writable buffer of length \p length Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or
- * \return         A negative error code on failure.
+ *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
 */
 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
                    int mode,
@ -204,14 +143,11 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ * \brief          CAMELLIA-CFB128 buffer encryption/decryption
 *                 operation.
 *
- * \note           Due to the nature of CFB mode, you should use the same
+ * Note: Due to the nature of CFB you should use the same key schedule for
- *                 key for both encryption and decryption. In particular, calls
+ * both encryption and decryption. So a context initialized with
- *                 to this function should be preceded by a key-schedule via
+ * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
 *                 mbedtls_camellia_setkey_enc() regardless of whether \p mode
 *                 is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
 *
 * \note           Upon exit, the content of the IV is updated so that you can
 *                 call the function same function again on the following
@ -221,24 +157,16 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
 *                 IV, you should either save it manually or use the cipher
 *                 module instead.
 *
- * \param ctx      The CAMELLIA context to use. This must be initialized
+ * \param ctx      CAMELLIA context
- *                 and bound to a key.
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param mode     The mode of operation. This must be either
+ * \param length   length of the input data
- *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param iv_off   offset in IV (updated after use)
- * \param length   The length of the input data \p input. Any value is allowed.
+ * \param iv       initialization vector (updated after use)
- * \param iv_off   The current offset in the IV. This must be smaller
+ * \param input    buffer holding the input data
- *                 than \c 16 Bytes. It is updated after this call to allow
+ * \param output   buffer holding the output data
 *                 the aforementioned streaming usage.
 * \param iv       The initialization vector. This must be a read/write buffer
 *                 of length \c 16 Bytes. It is updated after this call to
 *                 allow the aforementioned streaming usage.
 * \param input    The buffer holding the input data. This must be a readable
 *                 buffer of size \p length Bytes.
 * \param output   The buffer to hold the output data. This must be a writable
 *                 buffer of length \p length Bytes.
 *
- * \return         \c 0 if successful.
+ * \return         0 if successful, or
- * \return         A negative error code on failure.
+ *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
 */
 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
                       int mode,
@ -251,78 +179,26 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief      Perform a CAMELLIA-CTR buffer encryption/decryption operation.
+ * \brief               CAMELLIA-CTR buffer encryption/decryption
 *
- * *note       Due to the nature of CTR mode, you should use the same
+ * Warning: You have to keep the maximum use of your counter in mind!
 *             key for both encryption and decryption. In particular, calls
 *             to this function should be preceded by a key-schedule via
 *             mbedtls_camellia_setkey_enc() regardless of whether \p mode
 *             is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
 *
- * \warning    You must never reuse a nonce value with the same key. Doing so
+ * Note: Due to the nature of CTR you should use the same key schedule for
- *             would void the encryption for the two messages encrypted with
+ * both encryption and decryption. So a context initialized with
- *             the same nonce and key.
+ * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
 *
- *             There are two common strategies for managing nonces with CTR:
+ * \param ctx           CAMELLIA context
- *
+ * \param length        The length of the data
- *             1. You can handle everything as a single message processed over
+ * \param nc_off        The offset in the current stream_block (for resuming
 *             successive calls to this function. In that case, you want to
 *             set \p nonce_counter and \p nc_off to 0 for the first call, and
 *             then preserve the values of \p nonce_counter, \p nc_off and \p
 *             stream_block across calls to this function as they will be
 *             updated by this function.
 *
 *             With this strategy, you must not encrypt more than 2**128
 *             blocks of data with the same key.
 *
 *             2. You can encrypt separate messages by dividing the \p
 *             nonce_counter buffer in two areas: the first one used for a
 *             per-message nonce, handled by yourself, and the second one
 *             updated by this function internally.
 *
 *             For example, you might reserve the first \c 12 Bytes for the
 *             per-message nonce, and the last \c 4 Bytes for internal use.
 *             In that case, before calling this function on a new message you
 *             need to set the first \c 12 Bytes of \p nonce_counter to your
 *             chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
 *             (which will cause \p stream_block to be ignored). That way, you
 *             can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
 *             each  with the same key.
 *
 *             The per-message nonce (or information sufficient to reconstruct
 *             it) needs to be communicated with the ciphertext and must be
 *             unique. The recommended way to ensure uniqueness is to use a
 *             message counter. An alternative is to generate random nonces,
 *             but this limits the number of messages that can be securely
 *             encrypted: for example, with 96-bit random nonces, you should
 *             not encrypt more than 2**32 messages with the same key.
 *
 *             Note that for both stategies, sizes are measured in blocks and
 *             that a CAMELLIA block is \c 16 Bytes.
 *
 * \warning    Upon return, \p stream_block contains sensitive data. Its
 *             content must not be written to insecure storage and should be
 *             securely discarded as soon as it's no longer needed.
 *
 * \param ctx           The CAMELLIA context to use. This must be initialized
 *                      and bound to a key.
 * \param length        The length of the input data \p input in Bytes.
 *                      Any value is allowed.
 * \param nc_off        The offset in the current \p stream_block (for resuming
 *                      within current cipher stream). The offset pointer to
- *                      should be \c 0 at the start of a stream. It is updated
+ *                      should be 0 at the start of a stream.
- *                      at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter.
- * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      buffer of length \c 16 Bytes.
+ *                      by the function.
- * \param stream_block  The saved stream-block for resuming. This must be a
+ * \param input         The input data stream
- *                      read/write buffer of length \c 16 Bytes.
+ * \param output        The output data stream
 * \param input         The input data stream. This must be a readable buffer of
 *                      size \p length Bytes.
 * \param output        The output data stream. This must be a writable buffer
 *                      of size \p length Bytes.
 *
- * \return              \c 0 if successful.
+ * \return         0 if successful
 * \return              A negative error code on failure.
 */
 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
                       size_t length,
@ -333,7 +209,17 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
                       unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
-#if defined(MBEDTLS_SELF_TEST)
+#ifdef __cplusplus
 }
 #endif
 #else  /* MBEDTLS_CAMELLIA_ALT */
 #include "camellia_alt.h"
 #endif /* MBEDTLS_CAMELLIA_ALT */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          Checkup routine
@ -342,8 +228,6 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
 */
 int mbedtls_camellia_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/ccm.h
+++ b/include/mbedtls/ccm.h
@ -1,41 +1,10 @@
 /**
 * \file ccm.h
 *
- * \brief This file provides an API for the CCM authenticated encryption
+ * \brief Counter with CBC-MAC (CCM) for 128-bit block ciphers
 *        mode for block ciphers.
 *
- * CCM combines Counter mode encryption with CBC-MAC authentication
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * for 128-bit block ciphers.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 * Input to CCM includes the following elements:
 * <ul><li>Payload - data that is both authenticated and encrypted.</li>
 * <li>Associated data (Adata) - data that is authenticated but not
 * encrypted, For example, a header.</li>
 * <li>Nonce - A unique value that is assigned to the payload and the
 * associated data.</li></ul>
 *
 * Definition of CCM:
 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
 * RFC 3610 "Counter with CBC-MAC (CCM)"
 *
 * Related:
 * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
 *
 * Definition of CCM*:
 * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
 * Integer representation is fixed most-significant-octet-first order and
 * the representation of octets is most-significant-bit-first order. This is
 * consistent with RFC 3610.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -49,88 +18,46 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "cipher.h"
-#define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_BAD_INPUT      -0x000D /**< Bad input parameters to function. */
-#define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED    -0x000F /**< Authenticated decryption failed. */
 /* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_CCM_ALT)
 // Regular implementation
 //
 /**
- * \brief    The CCM context-type definition. The CCM context is passed
+ * \brief          CCM context structure
 *           to the APIs called.
 */
-typedef struct mbedtls_ccm_context
+typedef struct {
-{
+    mbedtls_cipher_context_t cipher_ctx;    /*!< cipher context used */
    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
 }
 mbedtls_ccm_context;
 #else  /* MBEDTLS_CCM_ALT */
 #include "ccm_alt.h"
 #endif /* MBEDTLS_CCM_ALT */
 /**
- * \brief           This function initializes the specified CCM context,
+ * \brief           Initialize CCM context (just makes references valid)
- *                  to make references valid, and prepare the context
+ *                  Makes the context ready for mbedtls_ccm_setkey() or
- *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *                  mbedtls_ccm_free().
 *
- * \param ctx       The CCM context to initialize. This must not be \c NULL.
+ * \param ctx       CCM context to initialize
 */
 void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
 /**
- * \brief           This function initializes the CCM context set in the
+ * \brief           CCM initialization (encryption and decryption)
 *                  \p ctx parameter and sets the encryption key.
 *
- * \param ctx       The CCM context to initialize. This must be an initialized
+ * \param ctx       CCM context to be initialized
- *                  context.
+ * \param cipher    cipher to use (a 128-bit block cipher)
- * \param cipher    The 128-bit block cipher to use.
+ * \param key       encryption key
- * \param key       The encryption key. This must not be \c NULL.
+ * \param keybits   key size in bits (must be acceptable by the cipher)
 * \param keybits   The key size in bits. This must be acceptable by the cipher.
 *
- * \return          \c 0 on success.
+ * \return          0 if successful, or a cipher specific error code
 * \return          A CCM or cipher-specific error code on failure.
 */
 int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
                        mbedtls_cipher_id_t cipher,
@ -138,49 +65,36 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
                        unsigned int keybits );
 /**
- * \brief   This function releases and clears the specified CCM context
+ * \brief           Free a CCM context and underlying cipher sub-context
 *          and underlying cipher sub-context.
 *
- * \param ctx       The CCM context to clear. If this is \c NULL, the function
+ * \param ctx       CCM context to free
 *                  has no effect. Otherwise, this must be initialized.
 */
 void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
 /**
- * \brief           This function encrypts a buffer using CCM.
+ * \brief           CCM buffer encryption
 *
- * \note            The tag is written to a separate buffer. To concatenate
+ * \param ctx       CCM context
- *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ * \param length    length of the input data in bytes
- *                  Counter with CBC-MAC (CCM)</em>, use
+ * \param iv        nonce (initialization vector)
- *                  \p tag = \p output + \p length, and make sure that the
+ * \param iv_len    length of IV in bytes
- *                  output buffer is at least \p length + \p tag_len wide.
+ *                  must be 2, 3, 4, 5, 6, 7 or 8
 * \param add       additional data
 * \param add_len   length of additional data in bytes
 *                  must be less than 2^16 - 2^8
 * \param input     buffer holding the input data
 * \param output    buffer for holding the output data
 *                  must be at least 'length' bytes wide
 * \param tag       buffer for holding the tag
 * \param tag_len   length of the tag to generate in bytes
 *                  must be 4, 6, 8, 10, 14 or 16
 *
- * \param ctx       The CCM context to use for encryption. This must be
+ * \note            The tag is written to a separate buffer. To get the tag
- *                  initialized and bound to a key.
+ *                  concatenated with the output as in the CCM spec, use
- * \param length    The length of the input data in Bytes.
+ *                  tag = output + length and make sure the output buffer is
- * \param iv        The initialization vector (nonce). This must be a readable
+ *                  at least length + tag_len wide.
 *                  buffer of at least \p iv_len Bytes.
 * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
 *                  or 13. The length L of the message length field is
 *                  15 - \p iv_len.
 * \param add       The additional data field. If \p add_len is greater than
 *                  zero, \p add must be a readable buffer of at least that
 *                  length.
 * \param add_len   The length of additional data in Bytes.
 *                  This must be less than `2^16 - 2^8`.
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, \p input must be a readable buffer of at least
 *                  that length.
 * \param output    The buffer holding the output data. If \p length is greater
 *                  than zero, \p output must be a writable buffer of at least
 *                  that length.
 * \param tag       The buffer holding the authentication field. This must be a
 *                  writable buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the authentication field to generate in Bytes:
 *                  4, 6, 8, 10, 12, 14 or 16.
 *
- * \return          \c 0 on success.
+ * \return          0 if successful
 * \return          A CCM or cipher-specific error code on failure.
 */
 int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
                         const unsigned char *iv, size_t iv_len,
@ -189,83 +103,21 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
                         unsigned char *tag, size_t tag_len );
 /**
- * \brief           This function encrypts a buffer using CCM*.
+ * \brief           CCM buffer authenticated decryption
 *
- * \note            The tag is written to a separate buffer. To concatenate
+ * \param ctx       CCM context
- *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ * \param length    length of the input data
- *                  Counter with CBC-MAC (CCM)</em>, use
+ * \param iv        initialization vector
- *                  \p tag = \p output + \p length, and make sure that the
+ * \param iv_len    length of IV
- *                  output buffer is at least \p length + \p tag_len wide.
+ * \param add       additional data
 * \param add_len   length of additional data
 * \param input     buffer holding the input data
 * \param output    buffer for holding the output data
 * \param tag       buffer holding the tag
 * \param tag_len   length of the tag
 *
- * \note            When using this function in a variable tag length context,
+ * \return         0 if successful and authenticated,
- *                  the tag length has to be encoded into the \p iv passed to
+ *                 MBEDTLS_ERR_CCM_AUTH_FAILED if tag does not match
 *                  this function.
 *
 * \param ctx       The CCM context to use for encryption. This must be
 *                  initialized and bound to a key.
 * \param length    The length of the input data in Bytes.
 * \param iv        The initialization vector (nonce). This must be a readable
 *                  buffer of at least \p iv_len Bytes.
 * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
 *                  or 13. The length L of the message length field is
 *                  15 - \p iv_len.
 * \param add       The additional data field. This must be a readable buffer of
 *                  at least \p add_len Bytes.
 * \param add_len   The length of additional data in Bytes.
 *                  This must be less than 2^16 - 2^8.
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, \p input must be a readable buffer of at least
 *                  that length.
 * \param output    The buffer holding the output data. If \p length is greater
 *                  than zero, \p output must be a writable buffer of at least
 *                  that length.
 * \param tag       The buffer holding the authentication field. This must be a
 *                  writable buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the authentication field to generate in Bytes:
 *                  0, 4, 6, 8, 10, 12, 14 or 16.
 *
 * \warning         Passing \c 0 as \p tag_len means that the message is no
 *                  longer authenticated.
 *
 * \return          \c 0 on success.
 * \return          A CCM or cipher-specific error code on failure.
 */
 int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
                         const unsigned char *iv, size_t iv_len,
                         const unsigned char *add, size_t add_len,
                         const unsigned char *input, unsigned char *output,
                         unsigned char *tag, size_t tag_len );
 /**
 * \brief           This function performs a CCM authenticated decryption of a
 *                  buffer.
 *
 * \param ctx       The CCM context to use for decryption. This must be
 *                  initialized and bound to a key.
 * \param length    The length of the input data in Bytes.
 * \param iv        The initialization vector (nonce). This must be a readable
 *                  buffer of at least \p iv_len Bytes.
 * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
 *                  or 13. The length L of the message length field is
 *                  15 - \p iv_len.
 * \param add       The additional data field. This must be a readable buffer
 *                  of at least that \p add_len Bytes..
 * \param add_len   The length of additional data in Bytes.
 *                  This must be less than 2^16 - 2^8.
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, \p input must be a readable buffer of at least
 *                  that length.
 * \param output    The buffer holding the output data. If \p length is greater
 *                  than zero, \p output must be a writable buffer of at least
 *                  that length.
 * \param tag       The buffer holding the authentication field. This must be a
 *                  readable buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the authentication field to generate in Bytes:
 *                  4, 6, 8, 10, 12, 14 or 16.
 *
 * \return          \c 0 on success. This indicates that the message is authentic.
 * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
 * \return          A cipher-specific error code on calculation failure.
 */
 int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                      const unsigned char *iv, size_t iv_len,
@ -273,57 +125,11 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                      const unsigned char *input, unsigned char *output,
                      const unsigned char *tag, size_t tag_len );
 /**
 * \brief           This function performs a CCM* authenticated decryption of a
 *                  buffer.
 *
 * \note            When using this function in a variable tag length context,
 *                  the tag length has to be decoded from \p iv and passed to
 *                  this function as \p tag_len. (\p tag needs to be adjusted
 *                  accordingly.)
 *
 * \param ctx       The CCM context to use for decryption. This must be
 *                  initialized and bound to a key.
 * \param length    The length of the input data in Bytes.
 * \param iv        The initialization vector (nonce). This must be a readable
 *                  buffer of at least \p iv_len Bytes.
 * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
 *                  or 13. The length L of the message length field is
 *                  15 - \p iv_len.
 * \param add       The additional data field. This must be a readable buffer of
 *                  at least that \p add_len Bytes.
 * \param add_len   The length of additional data in Bytes.
 *                  This must be less than 2^16 - 2^8.
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, \p input must be a readable buffer of at least
 *                  that length.
 * \param output    The buffer holding the output data. If \p length is greater
 *                  than zero, \p output must be a writable buffer of at least
 *                  that length.
 * \param tag       The buffer holding the authentication field. This must be a
 *                  readable buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the authentication field in Bytes.
 *                  0, 4, 6, 8, 10, 12, 14 or 16.
 *
 * \warning         Passing \c 0 as \p tag_len means that the message is nos
 *                  longer authenticated.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
 * \return          A cipher-specific error code on calculation failure.
 */
 int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                      const unsigned char *iv, size_t iv_len,
                      const unsigned char *add, size_t add_len,
                      const unsigned char *input, unsigned char *output,
                      const unsigned char *tag, size_t tag_len );
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 /**
- * \brief          The CCM checkup routine.
+ * \brief          Checkup routine
 *
- * \return         \c 0 on success.
+ * \return         0 if successful, or 1 if the test failed
 * \return         \c 1 on failure.
 */
 int mbedtls_ccm_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
--- a/include/mbedtls/certs.h
+++ b/include/mbedtls/certs.h
@ -2,16 +2,9 @@
 * \file certs.h
 *
 * \brief Sample certificates and DHM parameters for testing
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,250 +18,79 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #ifdef __cplusplus
 extern "C" {
 #endif
 /* List of all PEM-encoded CA certificates, terminated by NULL;
 * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
 * otherwise. */
 extern const char * mbedtls_test_cas[];
 extern const size_t mbedtls_test_cas_len[];
 /* List of all DER-encoded CA certificates, terminated by NULL */
 extern const unsigned char * mbedtls_test_cas_der[];
 extern const size_t mbedtls_test_cas_der_len[];
 #if defined(MBEDTLS_PEM_PARSE_C)
 /* Concatenation of all CA certificates in PEM format if available */
 extern const char   mbedtls_test_cas_pem[];
 extern const size_t mbedtls_test_cas_pem_len;
-#endif /* MBEDTLS_PEM_PARSE_C */
+#endif
 /* List of all CA certificates, terminated by NULL */
 extern const char * mbedtls_test_cas[];
 extern const size_t mbedtls_test_cas_len[];
 /*
- * CA test certificates
+ * Convenience for users who just want a certificate:
 * RSA by default, or ECDSA if RSA is not available
 */
 extern const char mbedtls_test_ca_crt_ec_pem[];
 extern const char mbedtls_test_ca_key_ec_pem[];
 extern const char mbedtls_test_ca_pwd_ec_pem[];
 extern const char mbedtls_test_ca_key_rsa_pem[];
 extern const char mbedtls_test_ca_pwd_rsa_pem[];
 extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
 extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
 extern const unsigned char mbedtls_test_ca_crt_ec_der[];
 extern const unsigned char mbedtls_test_ca_key_ec_der[];
 extern const unsigned char mbedtls_test_ca_key_rsa_der[];
 extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
 extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
 extern const size_t mbedtls_test_ca_crt_ec_pem_len;
 extern const size_t mbedtls_test_ca_key_ec_pem_len;
 extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
 extern const size_t mbedtls_test_ca_key_rsa_pem_len;
 extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
 extern const size_t mbedtls_test_ca_crt_ec_der_len;
 extern const size_t mbedtls_test_ca_key_ec_der_len;
 extern const size_t mbedtls_test_ca_pwd_ec_der_len;
 extern const size_t mbedtls_test_ca_key_rsa_der_len;
 extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
 /* Config-dependent dispatch between PEM and DER encoding
 * (PEM if enabled, otherwise DER) */
 extern const char mbedtls_test_ca_crt_ec[];
 extern const char mbedtls_test_ca_key_ec[];
 extern const char mbedtls_test_ca_pwd_ec[];
 extern const char mbedtls_test_ca_key_rsa[];
 extern const char mbedtls_test_ca_pwd_rsa[];
 extern const char mbedtls_test_ca_crt_rsa_sha1[];
 extern const char mbedtls_test_ca_crt_rsa_sha256[];
 extern const size_t mbedtls_test_ca_crt_ec_len;
 extern const size_t mbedtls_test_ca_key_ec_len;
 extern const size_t mbedtls_test_ca_pwd_ec_len;
 extern const size_t mbedtls_test_ca_key_rsa_len;
 extern const size_t mbedtls_test_ca_pwd_rsa_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
 extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
 /* Config-dependent dispatch between SHA-1 and SHA-256
 * (SHA-256 if enabled, otherwise SHA-1) */
 extern const char mbedtls_test_ca_crt_rsa[];
 extern const size_t mbedtls_test_ca_crt_rsa_len;
 /* Config-dependent dispatch between EC and RSA
 * (RSA if enabled, otherwise EC) */
 extern const char * mbedtls_test_ca_crt;
 extern const char * mbedtls_test_ca_key;
 extern const char * mbedtls_test_ca_pwd;
 extern const size_t mbedtls_test_ca_crt_len;
 extern const char * mbedtls_test_ca_key;
 extern const size_t mbedtls_test_ca_key_len;
 extern const char * mbedtls_test_ca_pwd;
 extern const size_t mbedtls_test_ca_pwd_len;
 /*
 * Server test certificates
 */
 extern const char mbedtls_test_srv_crt_ec_pem[];
 extern const char mbedtls_test_srv_key_ec_pem[];
 extern const char mbedtls_test_srv_pwd_ec_pem[];
 extern const char mbedtls_test_srv_key_rsa_pem[];
 extern const char mbedtls_test_srv_pwd_rsa_pem[];
 extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
 extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
 extern const unsigned char mbedtls_test_srv_crt_ec_der[];
 extern const unsigned char mbedtls_test_srv_key_ec_der[];
 extern const unsigned char mbedtls_test_srv_key_rsa_der[];
 extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
 extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
 extern const size_t mbedtls_test_srv_crt_ec_pem_len;
 extern const size_t mbedtls_test_srv_key_ec_pem_len;
 extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
 extern const size_t mbedtls_test_srv_key_rsa_pem_len;
 extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
 extern const size_t mbedtls_test_srv_crt_ec_der_len;
 extern const size_t mbedtls_test_srv_key_ec_der_len;
 extern const size_t mbedtls_test_srv_pwd_ec_der_len;
 extern const size_t mbedtls_test_srv_key_rsa_der_len;
 extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
 /* Config-dependent dispatch between PEM and DER encoding
 * (PEM if enabled, otherwise DER) */
 extern const char mbedtls_test_srv_crt_ec[];
 extern const char mbedtls_test_srv_key_ec[];
 extern const char mbedtls_test_srv_pwd_ec[];
 extern const char mbedtls_test_srv_key_rsa[];
 extern const char mbedtls_test_srv_pwd_rsa[];
 extern const char mbedtls_test_srv_crt_rsa_sha1[];
 extern const char mbedtls_test_srv_crt_rsa_sha256[];
 extern const size_t mbedtls_test_srv_crt_ec_len;
 extern const size_t mbedtls_test_srv_key_ec_len;
 extern const size_t mbedtls_test_srv_pwd_ec_len;
 extern const size_t mbedtls_test_srv_key_rsa_len;
 extern const size_t mbedtls_test_srv_pwd_rsa_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
 extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
 /* Config-dependent dispatch between SHA-1 and SHA-256
 * (SHA-256 if enabled, otherwise SHA-1) */
 extern const char mbedtls_test_srv_crt_rsa[];
 extern const size_t mbedtls_test_srv_crt_rsa_len;
 /* Config-dependent dispatch between EC and RSA
 * (RSA if enabled, otherwise EC) */
 extern const char * mbedtls_test_srv_crt;
 extern const char * mbedtls_test_srv_key;
 extern const char * mbedtls_test_srv_pwd;
 extern const size_t mbedtls_test_srv_crt_len;
 extern const char * mbedtls_test_srv_key;
 extern const size_t mbedtls_test_srv_key_len;
 extern const size_t mbedtls_test_srv_pwd_len;
 /*
 * Client test certificates
 */
 extern const char mbedtls_test_cli_crt_ec_pem[];
 extern const char mbedtls_test_cli_key_ec_pem[];
 extern const char mbedtls_test_cli_pwd_ec_pem[];
 extern const char mbedtls_test_cli_key_rsa_pem[];
 extern const char mbedtls_test_cli_pwd_rsa_pem[];
 extern const char mbedtls_test_cli_crt_rsa_pem[];
 extern const unsigned char mbedtls_test_cli_crt_ec_der[];
 extern const unsigned char mbedtls_test_cli_key_ec_der[];
 extern const unsigned char mbedtls_test_cli_key_rsa_der[];
 extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
 extern const size_t mbedtls_test_cli_crt_ec_pem_len;
 extern const size_t mbedtls_test_cli_key_ec_pem_len;
 extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
 extern const size_t mbedtls_test_cli_key_rsa_pem_len;
 extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
 extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
 extern const size_t mbedtls_test_cli_crt_ec_der_len;
 extern const size_t mbedtls_test_cli_key_ec_der_len;
 extern const size_t mbedtls_test_cli_key_rsa_der_len;
 extern const size_t mbedtls_test_cli_crt_rsa_der_len;
 /* Config-dependent dispatch between PEM and DER encoding
 * (PEM if enabled, otherwise DER) */
 extern const char mbedtls_test_cli_crt_ec[];
 extern const char mbedtls_test_cli_key_ec[];
 extern const char mbedtls_test_cli_pwd_ec[];
 extern const char mbedtls_test_cli_key_rsa[];
 extern const char mbedtls_test_cli_pwd_rsa[];
 extern const char mbedtls_test_cli_crt_rsa[];
 extern const size_t mbedtls_test_cli_crt_ec_len;
 extern const size_t mbedtls_test_cli_key_ec_len;
 extern const size_t mbedtls_test_cli_pwd_ec_len;
 extern const size_t mbedtls_test_cli_key_rsa_len;
 extern const size_t mbedtls_test_cli_pwd_rsa_len;
 extern const size_t mbedtls_test_cli_crt_rsa_len;
 /* Config-dependent dispatch between EC and RSA
 * (RSA if enabled, otherwise EC) */
 extern const char * mbedtls_test_cli_crt;
 extern const char * mbedtls_test_cli_key;
 extern const char * mbedtls_test_cli_pwd;
 extern const size_t mbedtls_test_cli_crt_len;
 extern const char * mbedtls_test_cli_key;
 extern const size_t mbedtls_test_cli_key_len;
-extern const size_t mbedtls_test_cli_pwd_len;
+
 #if defined(MBEDTLS_ECDSA_C)
 extern const char   mbedtls_test_ca_crt_ec[];
 extern const size_t mbedtls_test_ca_crt_ec_len;
 extern const char   mbedtls_test_ca_key_ec[];
 extern const size_t mbedtls_test_ca_key_ec_len;
 extern const char   mbedtls_test_ca_pwd_ec[];
 extern const size_t mbedtls_test_ca_pwd_ec_len;
 extern const char   mbedtls_test_srv_crt_ec[];
 extern const size_t mbedtls_test_srv_crt_ec_len;
 extern const char   mbedtls_test_srv_key_ec[];
 extern const size_t mbedtls_test_srv_key_ec_len;
 extern const char   mbedtls_test_cli_crt_ec[];
 extern const size_t mbedtls_test_cli_crt_ec_len;
 extern const char   mbedtls_test_cli_key_ec[];
 extern const size_t mbedtls_test_cli_key_ec_len;
 #endif
 #if defined(MBEDTLS_RSA_C)
 extern const char   mbedtls_test_ca_crt_rsa[];
 extern const size_t mbedtls_test_ca_crt_rsa_len;
 extern const char   mbedtls_test_ca_key_rsa[];
 extern const size_t mbedtls_test_ca_key_rsa_len;
 extern const char   mbedtls_test_ca_pwd_rsa[];
 extern const size_t mbedtls_test_ca_pwd_rsa_len;
 extern const char   mbedtls_test_srv_crt_rsa[];
 extern const size_t mbedtls_test_srv_crt_rsa_len;
 extern const char   mbedtls_test_srv_key_rsa[];
 extern const size_t mbedtls_test_srv_key_rsa_len;
 extern const char   mbedtls_test_cli_crt_rsa[];
 extern const size_t mbedtls_test_cli_crt_rsa_len;
 extern const char   mbedtls_test_cli_key_rsa[];
 extern const size_t mbedtls_test_cli_key_rsa_len;
 #endif
 #ifdef __cplusplus
 }
--- a/include/mbedtls/chacha20.h
+++ b/include/mbedtls/chacha20.h
@ -1,252 +0,0 @@
 /**
 * \file chacha20.h
 *
 * \brief   This file contains ChaCha20 definitions and functions.
 *
 *          ChaCha20 is a stream cipher that can encrypt and decrypt
 *          information. ChaCha was created by Daniel Bernstein as a variant of
 *          its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
 *          ChaCha20 is the variant with 20 rounds, that was also standardized
 *          in RFC 7539.
 *
 * \author Daniel King <damaki.gh@gmail.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CHACHA20_H
 #define MBEDTLS_CHACHA20_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdint.h>
 #include <stddef.h>
 #define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
 /* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
 * used. */
 #define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
 /* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
 */
 #define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055  /**< Chacha20 hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_CHACHA20_ALT)
 typedef struct mbedtls_chacha20_context
 {
    uint32_t state[16];          /*! The state (before round operations). */
    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
 }
 mbedtls_chacha20_context;
 #else  /* MBEDTLS_CHACHA20_ALT */
 #include "chacha20_alt.h"
 #endif /* MBEDTLS_CHACHA20_ALT */
 /**
 * \brief           This function initializes the specified ChaCha20 context.
 *
 *                  It must be the first API called before using
 *                  the context.
 *
 *                  It is usually followed by calls to
 *                  \c mbedtls_chacha20_setkey() and
 *                  \c mbedtls_chacha20_starts(), then one or more calls to
 *                  to \c mbedtls_chacha20_update(), and finally to
 *                  \c mbedtls_chacha20_free().
 *
 * \param ctx       The ChaCha20 context to initialize.
 *                  This must not be \c NULL.
 */
 void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
 /**
 * \brief           This function releases and clears the specified
 *                  ChaCha20 context.
 *
 * \param ctx       The ChaCha20 context to clear. This may be \c NULL,
 *                  in which case this function is a no-op. If it is not
 *                  \c NULL, it must point to an initialized context.
 *
 */
 void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
 /**
 * \brief           This function sets the encryption/decryption key.
 *
 * \note            After using this function, you must also call
 *                  \c mbedtls_chacha20_starts() to set a nonce before you
 *                  start encrypting/decrypting data with
 *                  \c mbedtls_chacha_update().
 *
 * \param ctx       The ChaCha20 context to which the key should be bound.
 *                  It must be initialized.
 * \param key       The encryption/decryption key. This must be \c 32 Bytes
 *                  in length.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
 */
 int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
                             const unsigned char key[32] );
 /**
 * \brief           This function sets the nonce and initial counter value.
 *
 * \note            A ChaCha20 context can be re-used with the same key by
 *                  calling this function to change the nonce.
 *
 * \warning         You must never use the same nonce twice with the same key.
 *                  This would void any confidentiality guarantees for the
 *                  messages encrypted with the same nonce and key.
 *
 * \param ctx       The ChaCha20 context to which the nonce should be bound.
 *                  It must be initialized and bound to a key.
 * \param nonce     The nonce. This must be \c 12 Bytes in size.
 * \param counter   The initial counter value. This is usually \c 0.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
 *                  NULL.
 */
 int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
                             const unsigned char nonce[12],
                             uint32_t counter );
 /**
 * \brief           This function encrypts or decrypts data.
 *
 *                  Since ChaCha20 is a stream cipher, the same operation is
 *                  used for encrypting and decrypting data.
 *
 * \note            The \p input and \p output pointers must either be equal or
 *                  point to non-overlapping buffers.
 *
 * \note            \c mbedtls_chacha20_setkey() and
 *                  \c mbedtls_chacha20_starts() must be called at least once
 *                  to setup the context before this function can be called.
 *
 * \note            This function can be called multiple times in a row in
 *                  order to encrypt of decrypt data piecewise with the same
 *                  key and nonce.
 *
 * \param ctx       The ChaCha20 context to use for encryption or decryption.
 *                  It must be initialized and bound to a key and nonce.
 * \param size      The length of the input data in Bytes.
 * \param input     The buffer holding the input data.
 *                  This pointer can be \c NULL if `size == 0`.
 * \param output    The buffer holding the output data.
 *                  This must be able to hold \p size Bytes.
 *                  This pointer can be \c NULL if `size == 0`.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
                             size_t size,
                             const unsigned char *input,
                             unsigned char *output );
 /**
 * \brief           This function encrypts or decrypts data with ChaCha20 and
 *                  the given key and nonce.
 *
 *                  Since ChaCha20 is a stream cipher, the same operation is
 *                  used for encrypting and decrypting data.
 *
 * \warning         You must never use the same (key, nonce) pair more than
 *                  once. This would void any confidentiality guarantees for
 *                  the messages encrypted with the same nonce and key.
 *
 * \note            The \p input and \p output pointers must either be equal or
 *                  point to non-overlapping buffers.
 *
 * \param key       The encryption/decryption key.
 *                  This must be \c 32 Bytes in length.
 * \param nonce     The nonce. This must be \c 12 Bytes in size.
 * \param counter   The initial counter value. This is usually \c 0.
 * \param size      The length of the input data in Bytes.
 * \param input     The buffer holding the input data.
 *                  This pointer can be \c NULL if `size == 0`.
 * \param output    The buffer holding the output data.
 *                  This must be able to hold \p size Bytes.
 *                  This pointer can be \c NULL if `size == 0`.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_chacha20_crypt( const unsigned char key[32],
                            const unsigned char nonce[12],
                            uint32_t counter,
                            size_t size,
                            const unsigned char* input,
                            unsigned char* output );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief           The ChaCha20 checkup routine.
 *
 * \return          \c 0 on success.
 * \return          \c 1 on failure.
 */
 int mbedtls_chacha20_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_CHACHA20_H */
--- a/include/mbedtls/chachapoly.h
+++ b/include/mbedtls/chachapoly.h
@ -1,384 +0,0 @@
 /**
 * \file chachapoly.h
 *
 * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
 *          functions.
 *
 *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
 *          with Associated Data (AEAD) that can be used to encrypt and
 *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
 *          Bernstein and was standardized in RFC 7539.
 *
 * \author Daniel King <damaki.gh@gmail.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CHACHAPOLY_H
 #define MBEDTLS_CHACHAPOLY_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 /* for shared error codes */
 #include "poly1305.h"
 #define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
 #define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 typedef enum
 {
    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
 }
 mbedtls_chachapoly_mode_t;
 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
 #include "chacha20.h"
 typedef struct mbedtls_chachapoly_context
 {
    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
    int state;                              /**< The current state of the context. */
    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
 }
 mbedtls_chachapoly_context;
 #else /* !MBEDTLS_CHACHAPOLY_ALT */
 #include "chachapoly_alt.h"
 #endif /* !MBEDTLS_CHACHAPOLY_ALT */
 /**
 * \brief           This function initializes the specified ChaCha20-Poly1305 context.
 *
 *                  It must be the first API called before using
 *                  the context. It must be followed by a call to
 *                  \c mbedtls_chachapoly_setkey() before any operation can be
 *                  done, and to \c mbedtls_chachapoly_free() once all
 *                  operations with that context have been finished.
 *
 *                  In order to encrypt or decrypt full messages at once, for
 *                  each message you should make a single call to
 *                  \c mbedtls_chachapoly_crypt_and_tag() or
 *                  \c mbedtls_chachapoly_auth_decrypt().
 *
 *                  In order to encrypt messages piecewise, for each
 *                  message you should make a call to
 *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
 *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
 *                  \c mbedtls_chachapoly_update(), then one call to
 *                  \c mbedtls_chachapoly_finish().
 *
 * \warning         Decryption with the piecewise API is discouraged! Always
 *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
 *
 *                  If however this is not possible because the data is too
 *                  large to fit in memory, you need to:
 *
 *                  - call \c mbedtls_chachapoly_starts() and (if needed)
 *                  \c mbedtls_chachapoly_update_aad() as above,
 *                  - call \c mbedtls_chachapoly_update() multiple times and
 *                  ensure its output (the plaintext) is NOT used in any other
 *                  way than placing it in temporary storage at this point,
 *                  - call \c mbedtls_chachapoly_finish() to compute the
 *                  authentication tag and compared it in constant time to the
 *                  tag received with the ciphertext.
 *
 *                  If the tags are not equal, you must immediately discard
 *                  all previous outputs of \c mbedtls_chachapoly_update(),
 *                  otherwise you can now safely use the plaintext.
 *
 * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
 */
 void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
 /**
 * \brief           This function releases and clears the specified
 *                  ChaCha20-Poly1305 context.
 *
 * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
 *                  case this function is a no-op.
 */
 void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
 /**
 * \brief           This function sets the ChaCha20-Poly1305
 *                  symmetric encryption key.
 *
 * \param ctx       The ChaCha20-Poly1305 context to which the key should be
 *                  bound. This must be initialized.
 * \param key       The \c 256 Bit (\c 32 Bytes) key.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
                               const unsigned char key[32] );
 /**
 * \brief           This function starts a ChaCha20-Poly1305 encryption or
 *                  decryption operation.
 *
 * \warning         You must never use the same nonce twice with the same key.
 *                  This would void any confidentiality and authenticity
 *                  guarantees for the messages encrypted with the same nonce
 *                  and key.
 *
 * \note            If the context is being used for AAD only (no data to
 *                  encrypt or decrypt) then \p mode can be set to any value.
 *
 * \warning         Decryption with the piecewise API is discouraged, see the
 *                  warning on \c mbedtls_chachapoly_init().
 *
 * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
 *                  and bound to a key.
 * \param nonce     The nonce/IV to use for the message.
 *                  This must be a redable buffer of length \c 12 Bytes.
 * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
 *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
                               const unsigned char nonce[12],
                               mbedtls_chachapoly_mode_t mode );
 /**
 * \brief           This function feeds additional data to be authenticated
 *                  into an ongoing ChaCha20-Poly1305 operation.
 *
 *                  The Additional Authenticated Data (AAD), also called
 *                  Associated Data (AD) is only authenticated but not
 *                  encrypted nor included in the encrypted output. It is
 *                  usually transmitted separately from the ciphertext or
 *                  computed locally by each party.
 *
 * \note            This function is called before data is encrypted/decrypted.
 *                  I.e. call this function to process the AAD before calling
 *                  \c mbedtls_chachapoly_update().
 *
 *                  You may call this function multiple times to process
 *                  an arbitrary amount of AAD. It is permitted to call
 *                  this function 0 times, if no AAD is used.
 *
 *                  This function cannot be called any more if data has
 *                  been processed by \c mbedtls_chachapoly_update(),
 *                  or if the context has been finished.
 *
 * \warning         Decryption with the piecewise API is discouraged, see the
 *                  warning on \c mbedtls_chachapoly_init().
 *
 * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
 *                  and bound to a key.
 * \param aad_len   The length in Bytes of the AAD. The length has no
 *                  restrictions.
 * \param aad       Buffer containing the AAD.
 *                  This pointer can be \c NULL if `aad_len == 0`.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
 *                  if \p ctx or \p aad are NULL.
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
 *                  if the operations has not been started or has been
 *                  finished, or if the AAD has been finished.
 */
 int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
                                   const unsigned char *aad,
                                   size_t aad_len );
 /**
 * \brief           Thus function feeds data to be encrypted or decrypted
 *                  into an on-going ChaCha20-Poly1305
 *                  operation.
 *
 *                  The direction (encryption or decryption) depends on the
 *                  mode that was given when calling
 *                  \c mbedtls_chachapoly_starts().
 *
 *                  You may call this function multiple times to process
 *                  an arbitrary amount of data. It is permitted to call
 *                  this function 0 times, if no data is to be encrypted
 *                  or decrypted.
 *
 * \warning         Decryption with the piecewise API is discouraged, see the
 *                  warning on \c mbedtls_chachapoly_init().
 *
 * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
 * \param len       The length (in bytes) of the data to encrypt or decrypt.
 * \param input     The buffer containing the data to encrypt or decrypt.
 *                  This pointer can be \c NULL if `len == 0`.
 * \param output    The buffer to where the encrypted or decrypted data is
 *                  written. This must be able to hold \p len bytes.
 *                  This pointer can be \c NULL if `len == 0`.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
 *                  if the operation has not been started or has been
 *                  finished.
 * \return          Another negative error code on other kinds of failure.
 */
 int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
                               size_t len,
                               const unsigned char *input,
                               unsigned char *output );
 /**
 * \brief           This function finished the ChaCha20-Poly1305 operation and
 *                  generates the MAC (authentication tag).
 *
 * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
 * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
 *
 * \warning         Decryption with the piecewise API is discouraged, see the
 *                  warning on \c mbedtls_chachapoly_init().
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
 *                  if the operation has not been started or has been
 *                  finished.
 * \return          Another negative error code on other kinds of failure.
 */
 int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
                               unsigned char mac[16] );
 /**
 * \brief           This function performs a complete ChaCha20-Poly1305
 *                  authenticated encryption with the previously-set key.
 *
 * \note            Before using this function, you must set the key with
 *                  \c mbedtls_chachapoly_setkey().
 *
 * \warning         You must never use the same nonce twice with the same key.
 *                  This would void any confidentiality and authenticity
 *                  guarantees for the messages encrypted with the same nonce
 *                  and key.
 *
 * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
 *                  This must be initialized.
 * \param length    The length (in bytes) of the data to encrypt or decrypt.
 * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
 * \param aad       The buffer containing the additional authenticated
 *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
 * \param aad_len   The length (in bytes) of the AAD data to process.
 * \param input     The buffer containing the data to encrypt or decrypt.
 *                  This pointer can be \c NULL if `ilen == 0`.
 * \param output    The buffer to where the encrypted or decrypted data
 *                  is written. This pointer can be \c NULL if `ilen == 0`.
 * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
 *                  is written. This must not be \c NULL.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
                                        size_t length,
                                        const unsigned char nonce[12],
                                        const unsigned char *aad,
                                        size_t aad_len,
                                        const unsigned char *input,
                                        unsigned char *output,
                                        unsigned char tag[16] );
 /**
 * \brief           This function performs a complete ChaCha20-Poly1305
 *                  authenticated decryption with the previously-set key.
 *
 * \note            Before using this function, you must set the key with
 *                  \c mbedtls_chachapoly_setkey().
 *
 * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
 * \param length    The length (in Bytes) of the data to decrypt.
 * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
 * \param aad       The buffer containing the additional authenticated data (AAD).
 *                  This pointer can be \c NULL if `aad_len == 0`.
 * \param aad_len   The length (in bytes) of the AAD data to process.
 * \param tag       The buffer holding the authentication tag.
 *                  This must be a readable buffer of length \c 16 Bytes.
 * \param input     The buffer containing the data to decrypt.
 *                  This pointer can be \c NULL if `ilen == 0`.
 * \param output    The buffer to where the decrypted data is written.
 *                  This pointer can be \c NULL if `ilen == 0`.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
 *                  if the data was not authentic.
 * \return          Another negative error code on other kinds of failure.
 */
 int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
                                     size_t length,
                                     const unsigned char nonce[12],
                                     const unsigned char *aad,
                                     size_t aad_len,
                                     const unsigned char tag[16],
                                     const unsigned char *input,
                                     unsigned char *output );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief           The ChaCha20-Poly1305 checkup routine.
 *
 * \return          \c 0 on success.
 * \return          \c 1 on failure.
 */
 int mbedtls_chachapoly_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_CHACHAPOLY_H */
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -2,16 +2,9 @@
 * \file check_config.h
 *
 * \brief Consistency checks for configuration options
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
@ -103,20 +77,11 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
 #error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_CMAC_C) && \
    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_NIST_KW_C) && \
    ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) )
 #error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECDH_C defined, but not all prerequisites"
 #endif
@ -133,22 +98,11 @@
 #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_ECP_RESTARTABLE)           && \
    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
      defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
      defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
      defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
      defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
      defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
      defined(MBEDTLS_ECP_ALT) )
 #error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
 #endif
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
-#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
+#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (   \
    !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
    !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
    !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
@ -159,26 +113,10 @@
    !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
    !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
    !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
-    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) )
    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
    !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
 #error "MBEDTLS_ECP_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_ECP_C) && !(            \
    defined(MBEDTLS_ECP_ALT) ||             \
    defined(MBEDTLS_CTR_DRBG_C) ||          \
    defined(MBEDTLS_HMAC_DRBG_C) ||         \
    defined(MBEDTLS_SHA512_C) ||            \
    defined(MBEDTLS_SHA256_C) ||            \
    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
 #error "MBEDTLS_ECP_C requires a DRBG or SHA-2 module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
 #endif
 #if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
 #error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
 #endif
 #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
                                    !defined(MBEDTLS_SHA256_C))
 #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
@ -197,16 +135,6 @@
 #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
 #endif
 #if defined(__has_feature)
 #if __has_feature(memory_sanitizer)
 #define MBEDTLS_HAS_MEMSAN
 #endif
 #endif
 #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) &&  !defined(MBEDTLS_HAS_MEMSAN)
 #error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
 #endif
 #undef MBEDTLS_HAS_MEMSAN
 #if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
    ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
 #error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
@ -258,10 +186,6 @@
 #error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
 #error "MBEDTLS_HKDF_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
 #error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
 #endif
@ -326,14 +250,6 @@
 #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_MEMORY_BACKTRACE) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #error "MBEDTLS_MEMORY_BACKTRACE defined, but not all prerequesites"
 #endif
 #if defined(MBEDTLS_MEMORY_DEBUG) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequesites"
 #endif
 #if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
 #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
 #endif
@ -591,23 +507,6 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 #if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
     defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
    !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
      defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                      \
      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                    \
      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                  \
      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                     \
      defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                   \
      defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                          \
      defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                      \
      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ||                      \
      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                    \
      defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
 #error "One or more versions of the TLS protocol are enabled " \
        "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
    !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
@ -731,10 +630,6 @@
 #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C)
 #error "MBEDTLS_CERTS_C defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
 #error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
 #endif
@ -767,7 +662,7 @@
 /*
 * Avoid warning from -pedantic. This is a convenient place for this
 * workaround since this is included by every single file before the
- * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
+ * #if defined(MBEDTLS_xxx_C) that results in emtpy translation units.
 */
 typedef int mbedtls_iso_c_forbids_empty_translation_units;
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
--- a/include/mbedtls/cipher_internal.h
+++ b/include/mbedtls/cipher_internal.h
@ -4,16 +4,9 @@
 * \brief Cipher wrappers.
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -27,26 +20,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CIPHER_WRAP_H
 #define MBEDTLS_CIPHER_WRAP_H
@ -89,14 +63,6 @@ struct mbedtls_cipher_base_t
                     unsigned char *output );
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_OFB)
    /** Encrypt using OFB (Full length) */
    int (*ofb_func)( void *ctx, size_t length, size_t *iv_off,
                     unsigned char *iv,
                     const unsigned char *input,
                     unsigned char *output );
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
    /** Encrypt using CTR */
    int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
@ -104,13 +70,6 @@ struct mbedtls_cipher_base_t
                     const unsigned char *input, unsigned char *output );
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
    /** Encrypt or decrypt using XTS. */
    int (*xts_func)( void *ctx, mbedtls_operation_t mode, size_t length,
                     const unsigned char data_unit[16],
                     const unsigned char *input, unsigned char *output );
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
    /** Encrypt using STREAM */
    int (*stream_func)( void *ctx, size_t length,
--- a/include/mbedtls/cmac.h
+++ b/include/mbedtls/cmac.h
@ -1,20 +1,11 @@
 /**
 * \file cmac.h
 *
- * \brief This file contains CMAC definitions and functions.
+ * \brief Cipher-based Message Authentication Code (CMAC) Mode for
 *        Authentication
 *
- * The Cipher-based Message Authentication Code (CMAC) Mode for
+ *  Copyright (C) 2015-2016, ARM Limited, All Rights Reserved
- * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
+ *  SPDX-License-Identifier: Apache-2.0
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -28,170 +19,117 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
-#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/cipher.h"
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "cipher.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 /* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
 #define MBEDTLS_AES_BLOCK_SIZE          16
 #define MBEDTLS_DES3_BLOCK_SIZE         8
 #if defined(MBEDTLS_AES_C)
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /**< The longest block used by CMAC is that of AES. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /* longest used by CMAC is AES */
 #else
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /**< The longest block used by CMAC is that of 3DES. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /* longest used by CMAC is 3DES */
 #endif
 #if !defined(MBEDTLS_CMAC_ALT)
 /**
- * The CMAC context structure.
+ * CMAC context structure - Contains internal state information only
 */
 struct mbedtls_cmac_context_t
 {
-    /** The internal state of the CMAC algorithm.  */
+    /** Internal state of the CMAC algorithm  */
    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
    /** Unprocessed data - either data that was not block aligned and is still
-     *  pending processing, or the final block. */
+     *  pending to be processed, or the final block */
    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
-    /** The length of data pending processing. */
+    /** Length of data pending to be processed */
    size_t              unprocessed_len;
 };
 #else  /* !MBEDTLS_CMAC_ALT */
 #include "cmac_alt.h"
 #endif /* !MBEDTLS_CMAC_ALT */
 /**
- * \brief               This function sets the CMAC key, and prepares to authenticate
+ * \brief               Set the CMAC key and prepare to authenticate the input
- *                      the input data.
+ *                      data.
- *                      Must be called with an initialized cipher context.
+ *                      Should be called with an initialized cipher context.
 *
- * \param ctx           The cipher context used for the CMAC operation, initialized
+ * \param ctx           Cipher context. This should be a cipher context,
- *                      as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
+ *                      initialized to be one of the following types:
- *                      MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
+ *                      MBEDTLS_CIPHER_AES_128_ECB, MBEDTLS_CIPHER_AES_192_ECB,
- *                      or MBEDTLS_CIPHER_DES_EDE3_ECB.
+ *                      MBEDTLS_CIPHER_AES_256_ECB or
- * \param key           The CMAC key.
+ *                      MBEDTLS_CIPHER_DES_EDE3_ECB.
- * \param keybits       The length of the CMAC key in bits.
+ * \param key           CMAC key
- *                      Must be supported by the cipher.
+ * \param keybits       length of the CMAC key in bits
 *                      (must be acceptable by the cipher)
 *
- * \return              \c 0 on success.
+ * \return              0 if successful, or a cipher specific error code
 * \return              A cipher-specific error code on failure.
 */
 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
                                const unsigned char *key, size_t keybits );
 /**
- * \brief               This function feeds an input buffer into an ongoing CMAC
+ * \brief               Generic CMAC process buffer.
- *                      computation.
+ *                      Called between mbedtls_cipher_cmac_starts() or
 *                      mbedtls_cipher_cmac_reset() and
 *                      mbedtls_cipher_cmac_finish().
 *                      May be called repeatedly.
 *
- *                      It is called between mbedtls_cipher_cmac_starts() or
+ * \param ctx           CMAC context
- *                      mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish().
+ * \param input         buffer holding the  data
- *                      Can be called repeatedly.
+ * \param ilen          length of the input data
 *
- * \param ctx           The cipher context used for the CMAC operation.
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- * \param input         The buffer holding the input data.
+ *                      verification fails.
 * \param ilen          The length of the input data.
 *
 * \return             \c 0 on success.
 * \return             #MBEDTLS_ERR_MD_BAD_INPUT_DATA
 *                     if parameter verification fails.
 */
 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
                                const unsigned char *input, size_t ilen );
 /**
- * \brief               This function finishes the CMAC operation, and writes
+ * \brief               Output CMAC.
- *                      the result to the output buffer.
+ *                      Called after mbedtls_cipher_cmac_update().
 *                      Usually followed by mbedtls_cipher_cmac_reset(), then
 *                      mbedtls_cipher_cmac_starts(), or mbedtls_cipher_free().
 *
- *                      It is called after mbedtls_cipher_cmac_update().
+ * \param ctx           CMAC context
- *                      It can be followed by mbedtls_cipher_cmac_reset() and
+ * \param output        Generic CMAC checksum result
 *                      mbedtls_cipher_cmac_update(), or mbedtls_cipher_free().
 *
- * \param ctx           The cipher context used for the CMAC operation.
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- * \param output        The output buffer for the CMAC checksum result.
+ *                      verification fails.
 *
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
 *                      if parameter verification fails.
 */
 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
                                unsigned char *output );
 /**
- * \brief               This function prepares the authentication of another
+ * \brief               Prepare to authenticate a new message with the same key.
- *                      message with the same key as the previous CMAC
+ *                      Called after mbedtls_cipher_cmac_finish() and before
- *                      operation.
+ *                      mbedtls_cipher_cmac_update().
 *
- *                      It is called after mbedtls_cipher_cmac_finish()
+ * \param ctx           CMAC context to be reset
 *                      and before mbedtls_cipher_cmac_update().
 *
- * \param ctx           The cipher context used for the CMAC operation.
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *
+ *                      verification fails.
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
 *                      if parameter verification fails.
 */
 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
 /**
- * \brief               This function calculates the full generic CMAC
+ * \brief               Output = Generic_CMAC( cmac key, input buffer )
 *                      on the input buffer with the provided key.
 *
- *                      The function allocates the context, performs the
+ * \param cipher_info   message digest info
- *                      calculation, and frees the context.
+ * \param key           CMAC key
 * \param keylen        length of the CMAC key in bits
 * \param input         buffer holding the  data
 * \param ilen          length of the input data
 * \param output        Generic CMAC-result
 *
- *                      The CMAC result is calculated as
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                      output = generic CMAC(cmac key, input buffer).
+ *                      verification fails.
 *
 *
 * \param cipher_info   The cipher information.
 * \param key           The CMAC key.
 * \param keylen        The length of the CMAC key in bits.
 * \param input         The buffer holding the input data.
 * \param ilen          The length of the input data.
 * \param output        The buffer for the generic CMAC result.
 *
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
 *                      if parameter verification fails.
 */
 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
                         const unsigned char *key, size_t keylen,
@ -200,21 +138,16 @@ int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
 #if defined(MBEDTLS_AES_C)
 /**
- * \brief           This function implements the AES-CMAC-PRF-128 pseudorandom
+ * \brief           AES-CMAC-128-PRF
- *                  function, as defined in
+ *                  Implementation of (AES-CMAC-PRF-128), as defined in RFC 4615
 *                  <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
 *                  Message Authentication Code-Pseudo-Random Function-128
 *                  (AES-CMAC-PRF-128) Algorithm for the Internet Key
 *                  Exchange Protocol (IKE).</em>
 *
- * \param key       The key to use.
+ * \param key       PRF key
- * \param key_len   The key length in Bytes.
+ * \param key_len   PRF key length in bytes
- * \param input     The buffer holding the input data.
+ * \param input     buffer holding the input data
- * \param in_len    The length of the input data in Bytes.
+ * \param in_len    length of the input data in bytes
- * \param output    The buffer holding the generated 16 Bytes of
+ * \param output    buffer holding the generated pseudorandom output (16 bytes)
 *                  pseudorandom output.
 *
- * \return          \c 0 on success.
+ * \return          0 if successful
 */
 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
                              const unsigned char *input, size_t in_len,
@ -223,10 +156,9 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
 #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
 /**
- * \brief          The CMAC checkup routine.
+ * \brief          Checkup routine
 *
- * \return         \c 0 on success.
+ * \return         0 if successful, or 1 if the test failed
 * \return         \c 1 on failure.
 */
 int mbedtls_cmac_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@ -5,16 +5,9 @@
 *  for the PolarSSL naming conventions.
 *
 * \deprecated Use the new names directly instead
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -28,34 +21,9 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
@ -1409,8 +1377,7 @@
 #define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
 #define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
 #define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
-#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
                         ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
 #define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
 #define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
 #define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@ -1,51 +1,10 @@
 /**
 * \file ctr_drbg.h
 *
- * \brief    This file contains definitions and functions for the
+ * \brief CTR_DRBG based on AES-256 (NIST SP 800-90)
 *           CTR_DRBG pseudorandom generator.
 *
- * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ *  SPDX-License-Identifier: Apache-2.0
 * Recommendation for Random Number Generation Using Deterministic Random
 * Bit Generators</em>.
 *
 * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
 * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
 * as the underlying block cipher, with a derivation function.
 * The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
 * See the documentation of mbedtls_ctr_drbg_seed() for more details.
 *
 * Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
 * here are the security strengths achieved in typical configuration:
 * - 256 bits under the default configuration of the library, with AES-256
 *   and with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
 * - 256 bits if AES-256 is used, #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
 *   to 32 or more, and the DRBG is initialized with an explicit
 *   nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
 * - 128 bits if AES-256 is used but #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
 *   between 24 and 47 and the DRBG is not initialized with an explicit
 *   nonce (see mbedtls_ctr_drbg_seed()).
 * - 128 bits if AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
 *   and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
 *   always the case unless it is explicitly set to a different value
 *   in config.h).
 *
 * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
 * - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
 *   \c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled at compile time.
 *   This is the default configuration of the library.
 * - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
 * - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -59,267 +18,123 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "aes.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "threading.h"
+#include "mbedtls/threading.h"
 #endif
 #define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
-#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< The requested random buffer length is too big. */
+#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< Too many random requested in single call. */
-#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< The input (entropy + additional data) is too large. */
+#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< Input too large (Entropy + additional). */
-#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
+#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read/write error in file. */
-#define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
+#define MBEDTLS_CTR_DRBG_BLOCKSIZE          16      /**< Block size used by the cipher                  */
-
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32      /**< Key size used by the cipher                    */
-#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 )
-#define MBEDTLS_CTR_DRBG_KEYSIZE            16
+#define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE )
-/**< The key size in bytes used by the cipher.
+                                            /**< The seed length (counter + AES key)            */
 *
 * Compile-time choice: 16 bytes (128 bits)
 * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
 */
 #else
 #define MBEDTLS_CTR_DRBG_KEYSIZE            32
 /**< The key size in bytes used by the cipher.
 *
 * Compile-time choice: 32 bytes (256 bits)
 * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
 */
 #endif
 #define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
 #define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
 /**
 * \name SECTION: Module settings
 *
 * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them using the compiler command
+ * Either change them in config.h or define them on the compiler command line.
 * line.
 * \{
 */
 /** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
 *
 * \brief The amount of entropy used per seed by default, in bytes.
 */
 #if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
 #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-/** This is 48 bytes because the entropy module uses SHA-512
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48      /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
- * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
+#else
- */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32      /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
-#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
+#endif
-
+#endif
 #else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
 /** This is 32 bytes because the entropy module uses SHA-256
 * (the SHA512 module is disabled or
 * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
 */
 #if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
 /** \warning To achieve a 256-bit security strength, you must pass a nonce
 *           to mbedtls_ctr_drbg_seed().
 */
 #endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
 #define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
 #endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
 #endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
 #if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
-#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000
+#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000   /**< Interval before reseed is performed by default */
 /**< The interval before reseed is performed by default. */
 #endif
 #if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
-#define MBEDTLS_CTR_DRBG_MAX_INPUT          256
+#define MBEDTLS_CTR_DRBG_MAX_INPUT          256     /**< Maximum number of additional input bytes */
 /**< The maximum number of additional input Bytes. */
 #endif
 #if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
-#define MBEDTLS_CTR_DRBG_MAX_REQUEST        1024
+#define MBEDTLS_CTR_DRBG_MAX_REQUEST        1024    /**< Maximum number of requested bytes per call */
 /**< The maximum number of requested Bytes per call. */
 #endif
 #if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
-#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384
+#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384     /**< Maximum size of (re)seed buffer */
 /**< The maximum size of seed or reseed buffer in bytes. */
 #endif
 /* \} name SECTION: Module settings */
-#define MBEDTLS_CTR_DRBG_PR_OFF             0
+#define MBEDTLS_CTR_DRBG_PR_OFF             0       /**< No prediction resistance       */
-/**< Prediction resistance is disabled. */
+#define MBEDTLS_CTR_DRBG_PR_ON              1       /**< Prediction resistance enabled  */
 #define MBEDTLS_CTR_DRBG_PR_ON              1
 /**< Prediction resistance is enabled. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * \brief          The CTR_DRBG context structure.
+ * \brief          CTR_DRBG context structure
 */
-typedef struct mbedtls_ctr_drbg_context
+typedef struct
 {
-    unsigned char counter[16];  /*!< The counter (V). */
+    unsigned char counter[16];  /*!<  counter (V)       */
-    int reseed_counter;         /*!< The reseed counter. */
+    int reseed_counter;         /*!<  reseed counter    */
-    int prediction_resistance;  /*!< This determines whether prediction
+    int prediction_resistance;  /*!<  enable prediction resistance (Automatic
-                                     resistance is enabled, that is
+                                      reseed before every random generation)  */
-                                     whether to systematically reseed before
+    size_t entropy_len;         /*!<  amount of entropy grabbed on each
-                                     each random generation. */
+                                      (re)seed          */
-    size_t entropy_len;         /*!< The amount of entropy grabbed on each
+    int reseed_interval;        /*!<  reseed interval   */
                                     seed or reseed operation. */
    int reseed_interval;        /*!< The reseed interval. */
-    mbedtls_aes_context aes_ctx;        /*!< The AES context. */
+    mbedtls_aes_context aes_ctx;        /*!<  AES context       */
    /*
     * Callbacks (Entropy)
     */
    int (*f_entropy)(void *, unsigned char *, size_t);
                                /*!< The entropy callback function. */
-    void *p_entropy;            /*!< The context for the entropy function. */
+    void *p_entropy;            /*!<  context for the entropy function */
 #if defined(MBEDTLS_THREADING_C)
    /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
     * This means that the mutex is initialized during the initial seeding
     * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
     *
     * Note that this invariant may change without notice. Do not rely on it
     * and do not access the mutex directly in application code.
     */
    mbedtls_threading_mutex_t mutex;
 #endif
 }
 mbedtls_ctr_drbg_context;
 /**
- * \brief               This function initializes the CTR_DRBG context,
+ * \brief               CTR_DRBG context initialization
- *                      and prepares it for mbedtls_ctr_drbg_seed()
+ *                      Makes the context ready for mbedtls_ctr_drbg_seed() or
- *                      or mbedtls_ctr_drbg_free().
+ *                      mbedtls_ctr_drbg_free().
 *
- * \note                The reseed interval is
+ * \param ctx           CTR_DRBG context to be initialized
 *                      #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
 *                      You can override it by calling
 *                      mbedtls_ctr_drbg_set_reseed_interval().
 *
 * \param ctx           The CTR_DRBG context to initialize.
 */
 void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
 /**
- * \brief               This function seeds and sets up the CTR_DRBG
+ * \brief               CTR_DRBG initial seeding
- *                      entropy source for future reseeds.
+ *                      Seed and setup entropy source for future reseeds.
 *
- * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * Note: Personalization data can be provided in addition to the more generic
- * to use the entropy module:
+ *       entropy source to make this instantiation as unique as possible.
 * - \p f_entropy is mbedtls_entropy_func();
 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
 *   with mbedtls_entropy_init() (which registers the platform's default
 *   entropy sources).
 *
- * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * \param ctx           CTR_DRBG context to be seeded
- * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ * \param f_entropy     Entropy callback (p_entropy, buffer to fill, buffer
 *                      length)
 * \param p_entropy     Entropy context
 * \param custom        Personalization data (Device specific identifiers)
 *                      (Can be NULL)
 * \param len           Length of personalization data
 *
- * You can provide a personalization string in addition to the
+ * \return              0 if successful, or
- * entropy source, to make this instantiation as unique as possible.
+ *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
 *
 * \note                The _seed_material_ value passed to the derivation
 *                      function in the CTR_DRBG Instantiate Process
 *                      described in NIST SP 800-90A §10.2.1.3.2
 *                      is the concatenation of the string obtained from
 *                      calling \p f_entropy and the \p custom string.
 *                      The origin of the nonce depends on the value of
 *                      the entropy length relative to the security strength.
 *                      - If the entropy length is at least 1.5 times the
 *                        security strength then the nonce is taken from the
 *                        string obtained with \p f_entropy.
 *                      - If the entropy length is less than the security
 *                        strength, then the nonce is taken from \p custom.
 *                        In this case, for compliance with SP 800-90A,
 *                        you must pass a unique value of \p custom at
 *                        each invocation. See SP 800-90A §8.6.7 for more
 *                        details.
 */
 #if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
 /** \warning            When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
 *                      #MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2, to achieve the
 *                      maximum security strength permitted by CTR_DRBG,
 *                      you must pass a value of \p custom that is a nonce:
 *                      this value must never be repeated in subsequent
 *                      runs of the same application or on a different
 *                      device.
 */
 #endif
 #if defined(MBEDTLS_THREADING_C)
 /**
 * \note                When Mbed TLS is built with threading support,
 *                      after this function returns successfully,
 *                      it is safe to call mbedtls_ctr_drbg_random()
 *                      from multiple threads. Other operations, including
 *                      reseeding, are not thread-safe.
 */
 #endif /* MBEDTLS_THREADING_C */
 /**
 * \param ctx           The CTR_DRBG context to seed.
 *                      It must have been initialized with
 *                      mbedtls_ctr_drbg_init().
 *                      After a successful call to mbedtls_ctr_drbg_seed(),
 *                      you may not call mbedtls_ctr_drbg_seed() again on
 *                      the same context unless you call
 *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
 *                      again first.
 *                      After a failed call to mbedtls_ctr_drbg_seed(),
 *                      you must call mbedtls_ctr_drbg_free().
 * \param f_entropy     The entropy callback, taking as arguments the
 *                      \p p_entropy context, the buffer to fill, and the
 *                      length of the buffer.
 *                      \p f_entropy is always called with a buffer size
 *                      equal to the entropy length.
 * \param p_entropy     The entropy context to pass to \p f_entropy.
 * \param custom        The personalization string.
 *                      This can be \c NULL, in which case the personalization
 *                      string is empty regardless of the value of \p len.
 * \param len           The length of the personalization string.
 *                      This must be at most
 *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
 *                      - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
 *
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
 */
 int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
                   int (*f_entropy)(void *, unsigned char *, size_t),
@ -328,250 +143,141 @@ int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
                   size_t len );
 /**
- * \brief               This function resets CTR_DRBG context to the state immediately
+ * \brief               Clear CTR_CRBG context data
 *                      after initial call of mbedtls_ctr_drbg_init().
 *
- * \param ctx           The CTR_DRBG context to clear.
+ * \param ctx           CTR_DRBG context to clear
 */
 void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
 /**
- * \brief               This function turns prediction resistance on or off.
+ * \brief               Enable / disable prediction resistance (Default: Off)
 *                      The default value is off.
 *
- * \note                If enabled, entropy is gathered at the beginning of
+ * Note: If enabled, entropy is used for ctx->entropy_len before each call!
- *                      every call to mbedtls_ctr_drbg_random_with_add()
+ *       Only use this if you have ample supply of good entropy!
 *                      or mbedtls_ctr_drbg_random().
 *                      Only use this if your entropy source has sufficient
 *                      throughput.
 *
- * \param ctx           The CTR_DRBG context.
+ * \param ctx           CTR_DRBG context
- * \param resistance    #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
+ * \param resistance    MBEDTLS_CTR_DRBG_PR_ON or MBEDTLS_CTR_DRBG_PR_OFF
 */
 void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
                                         int resistance );
 /**
- * \brief               This function sets the amount of entropy grabbed on each
+ * \brief               Set the amount of entropy grabbed on each (re)seed
- *                      seed or reseed.
+ *                      (Default: MBEDTLS_CTR_DRBG_ENTROPY_LEN)
 *
- * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ * \param ctx           CTR_DRBG context
- *
+ * \param len           Amount of entropy to grab
 * \note                The security strength of CTR_DRBG is bounded by the
 *                      entropy length. Thus:
 *                      - When using AES-256
 *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
 *                        which is the default),
 *                        \p len must be at least 32 (in bytes)
 *                        to achieve a 256-bit strength.
 *                      - When using AES-128
 *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
 *                        \p len must be at least 16 (in bytes)
 *                        to achieve a 128-bit strength.
 *
 * \param ctx           The CTR_DRBG context.
 * \param len           The amount of entropy to grab, in bytes.
 *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
 */
 void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
                               size_t len );
 /**
- * \brief               This function sets the reseed interval.
+ * \brief               Set the reseed interval
 *                      (Default: MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
 *
- * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * \param ctx           CTR_DRBG context
- * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * \param interval      Reseed interval
 * is called again.
 *
 * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
 *
 * \param ctx           The CTR_DRBG context.
 * \param interval      The reseed interval.
 */
 void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
                                   int interval );
 /**
- * \brief               This function reseeds the CTR_DRBG context, that is
+ * \brief               CTR_DRBG reseeding (extracts data from entropy source)
 *                      extracts data from the entropy source.
 *
- * \note                This function is not thread-safe. It is not safe
+ * \param ctx           CTR_DRBG context
- *                      to call this function if another thread might be
+ * \param additional    Additional data to add to state (Can be NULL)
- *                      concurrently obtaining random numbers from the same
+ * \param len           Length of additional data
 *                      context or updating or reseeding the same context.
 *
- * \param ctx           The CTR_DRBG context.
+ * \return              0 if successful, or
- * \param additional    Additional data to add to the state. Can be \c NULL.
+ *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
 * \param len           The length of the additional data.
 *                      This must be less than
 *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
 *                      where \c entropy_len is the entropy length
 *                      configured for the context.
 *
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
 */
 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
                     const unsigned char *additional, size_t len );
 /**
- * \brief              This function updates the state of the CTR_DRBG context.
+ * \brief               CTR_DRBG update state
 *
- * \note               This function is not thread-safe. It is not safe
+ * \param ctx           CTR_DRBG context
- *                     to call this function if another thread might be
+ * \param additional    Additional data to update state with
- *                     concurrently obtaining random numbers from the same
+ * \param add_len       Length of additional data
 *                     context or updating or reseeding the same context.
 *
- * \param ctx          The CTR_DRBG context.
+ * \note                If add_len is greater than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT,
- * \param additional   The data to update the state with. This must not be
+ *                      only the first MBEDTLS_CTR_DRBG_MAX_SEED_INPUT bytes are used,
- *                     \c NULL unless \p add_len is \c 0.
+ *                      the remaining ones are silently discarded.
 * \param add_len      Length of \p additional in bytes. This must be at
 *                     most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
 *
 * \return             \c 0 on success.
 * \return             #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
 *                     \p add_len is more than
 *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
 * \return             An error from the underlying AES cipher on failure.
 */
-int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
-                                 const unsigned char *additional,
+                      const unsigned char *additional, size_t add_len );
                                 size_t add_len );
 /**
- * \brief   This function updates a CTR_DRBG instance with additional
+ * \brief               CTR_DRBG generate random with additional update input
 *          data and uses it to generate random data.
 *
- * This function automatically reseeds if the reseed counter is exceeded
+ * Note: Automatically reseeds if reseed_counter is reached.
 * or prediction resistance is enabled.
 *
- * \note                This function is not thread-safe. It is not safe
+ * \param p_rng         CTR_DRBG context
- *                      to call this function if another thread might be
+ * \param output        Buffer to fill
- *                      concurrently obtaining random numbers from the same
+ * \param output_len    Length of the buffer
- *                      context or updating or reseeding the same context.
+ * \param additional    Additional data to update with (Can be NULL)
 * \param add_len       Length of additional data
 *
- * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ * \return              0 if successful, or
- *                      #mbedtls_ctr_drbg_context structure.
+ *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or
- * \param output        The buffer to fill.
+ *                      MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
 * \param output_len    The length of the buffer in bytes.
 * \param additional    Additional data to update. Can be \c NULL, in which
 *                      case the additional data is empty regardless of
 *                      the value of \p add_len.
 * \param add_len       The length of the additional data
 *                      if \p additional is not \c NULL.
 *                      This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
 *                      and less than
 *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
 *                      where \c entropy_len is the entropy length
 *                      configured for the context.
 *
 * \return    \c 0 on success.
 * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
 *            #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
 */
 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
                              unsigned char *output, size_t output_len,
                              const unsigned char *additional, size_t add_len );
 /**
- * \brief   This function uses CTR_DRBG to generate random data.
+ * \brief               CTR_DRBG generate random
 *
- * This function automatically reseeds if the reseed counter is exceeded
+ * Note: Automatically reseeds if reseed_counter is reached.
 * or prediction resistance is enabled.
 */
 #if defined(MBEDTLS_THREADING_C)
 /**
 * \note                When Mbed TLS is built with threading support,
 *                      it is safe to call mbedtls_ctr_drbg_random()
 *                      from multiple threads. Other operations, including
 *                      reseeding, are not thread-safe.
 */
 #endif /* MBEDTLS_THREADING_C */
 /**
 * \param p_rng         The CTR_DRBG context. This must be a pointer to a
 *                      #mbedtls_ctr_drbg_context structure.
 * \param output        The buffer to fill.
 * \param output_len    The length of the buffer in bytes.
 *
- * \return              \c 0 on success.
+ * \param p_rng         CTR_DRBG context
- * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * \param output        Buffer to fill
- *                      #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ * \param output_len    Length of the buffer
 *
 * \return              0 if successful, or
 *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or
 *                      MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
 */
 int mbedtls_ctr_drbg_random( void *p_rng,
                     unsigned char *output, size_t output_len );
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED    __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief              This function updates the state of the CTR_DRBG context.
 *
 * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
 *                     in 2.16.0.
 *
 * \note               If \p add_len is greater than
 *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
 *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
 *                     The remaining Bytes are silently discarded.
 *
 * \param ctx          The CTR_DRBG context.
 * \param additional   The data to update the state with.
 * \param add_len      Length of \p additional data.
 */
 MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
    mbedtls_ctr_drbg_context *ctx,
    const unsigned char *additional,
    size_t add_len );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_FS_IO)
 /**
- * \brief               This function writes a seed file.
+ * \brief               Write a seed file
 *
- * \param ctx           The CTR_DRBG context.
+ * \param ctx           CTR_DRBG context
- * \param path          The name of the file.
+ * \param path          Name of the file
 *
- * \return              \c 0 on success.
+ * \return              0 if successful,
- * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ *                      MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, or
- * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
 *                      failure.
 */
 int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
 /**
- * \brief               This function reads and updates a seed file. The seed
+ * \brief               Read and update a seed file. Seed is added to this
- *                      is added to this instance.
+ *                      instance
 *
- * \param ctx           The CTR_DRBG context.
+ * \param ctx           CTR_DRBG context
- * \param path          The name of the file.
+ * \param path          Name of the file
 *
- * \return              \c 0 on success.
+ * \return              0 if successful,
- * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ *                      MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error,
- * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
- *                      reseed failure.
+ *                      MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
 * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
 *                      seed file is too large.
 */
 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
 #endif /* MBEDTLS_FS_IO */
 #if defined(MBEDTLS_SELF_TEST)
 /**
- * \brief               The CTR_DRBG checkup routine.
+ * \brief               Checkup routine
 *
- * \return              \c 0 on success.
+ * \return              0 if successful, or 1 if the test failed
 * \return              \c 1 on failure.
 */
 int mbedtls_ctr_drbg_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 /* Internal functions (do not call directly) */
 int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *,
                               int (*)(void *, unsigned char *, size_t), void *,
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@ -2,16 +2,9 @@
 * \file debug.h
 *
 * \brief Functions for controlling and providing debug output from the library.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_DEBUG_H
 #define MBEDTLS_DEBUG_H
@ -90,11 +64,6 @@
    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
 #endif
 #if defined(MBEDTLS_ECDH_C)
 #define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
    mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
 #endif
 #else /* MBEDTLS_DEBUG_C */
 #define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
@ -103,7 +72,6 @@
 #define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
 #define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
 #define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
 #define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )     do { } while( 0 )
 #endif /* MBEDTLS_DEBUG_C */
@ -252,36 +220,6 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
                      const char *text, const mbedtls_x509_crt *crt );
 #endif
 #if defined(MBEDTLS_ECDH_C)
 typedef enum
 {
    MBEDTLS_DEBUG_ECDH_Q,
    MBEDTLS_DEBUG_ECDH_QP,
    MBEDTLS_DEBUG_ECDH_Z,
 } mbedtls_debug_ecdh_attr;
 /**
 * \brief   Print a field of the ECDH structure in the SSL context to the debug
 *          output. This function is always used through the
 *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
 *          and line number parameters.
 *
 * \param ssl       SSL context
 * \param level     error level of the debug message
 * \param file      file the error has occurred in
 * \param line      line number the error has occurred in
 * \param ecdh      the ECDH context
 * \param attr      the identifier of the attribute being output
 *
 * \attention       This function is intended for INTERNAL usage within the
 *                  library only.
 */
 void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
                                const char *file, int line,
                                const mbedtls_ecdh_context *ecdh,
                                mbedtls_debug_ecdh_attr attr );
 #endif
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/des.h
+++ b/include/mbedtls/des.h
@ -3,19 +3,8 @@
 *
 * \brief DES block cipher
 *
- * \warning   DES is considered a weak cipher and its use constitutes a
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *            security risk. We recommend considering stronger ciphers
+ *  SPDX-License-Identifier: Apache-2.0
 *            instead.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,27 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 *
 */
 #ifndef MBEDTLS_DES_H
 #define MBEDTLS_DES_H
@ -68,27 +37,20 @@
 #define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
 /* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
 #define MBEDTLS_DES_KEY_SIZE    8
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_DES_ALT)
 // Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          DES context structure
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
-typedef struct mbedtls_des_context
+typedef struct
 {
    uint32_t sk[32];            /*!<  DES subkeys       */
 }
@ -97,24 +59,16 @@ mbedtls_des_context;
 /**
 * \brief          Triple-DES context structure
 */
-typedef struct mbedtls_des3_context
+typedef struct
 {
    uint32_t sk[96];            /*!<  3DES subkeys      */
 }
 mbedtls_des3_context;
 #else  /* MBEDTLS_DES_ALT */
 #include "des_alt.h"
 #endif /* MBEDTLS_DES_ALT */
 /**
 * \brief          Initialize DES context
 *
 * \param ctx      DES context to be initialized
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 void mbedtls_des_init( mbedtls_des_context *ctx );
@ -122,10 +76,6 @@ void mbedtls_des_init( mbedtls_des_context *ctx );
 * \brief          Clear DES context
 *
 * \param ctx      DES context to be cleared
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 void mbedtls_des_free( mbedtls_des_context *ctx );
@ -150,10 +100,6 @@ void mbedtls_des3_free( mbedtls_des3_context *ctx );
 *                 a parity bit to allow verification.
 *
 * \param key      8-byte secret key
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@ -166,10 +112,6 @@ void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
 * \param key      8-byte secret key
 *
 * \return         0 is parity was ok, 1 if parity was not correct.
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@ -179,10 +121,6 @@ int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SI
 * \param key      8-byte secret key
 *
 * \return         0 if no weak key was found, 1 if a weak key was identified.
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@ -193,10 +131,6 @@ int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
 * \param key      8-byte secret key
 *
 * \return         0
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@ -207,10 +141,6 @@ int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MB
 * \param key      8-byte secret key
 *
 * \return         0
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@ -266,10 +196,6 @@ int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
 * \param output   64-bit output block
 *
 * \return         0 if successful
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
                    const unsigned char input[8],
@ -293,10 +219,6 @@ int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
 * \param iv       initialization vector (updated after use)
 * \param input    buffer holding the input data
 * \param output   buffer holding the output data
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
                    int mode,
@ -355,15 +277,20 @@ int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
 *
 * \param SK       Round keys
 * \param key      Base key
 *
 * \warning        DES is considered a weak cipher and its use constitutes a
 *                 security risk. We recommend considering stronger ciphers
 *                 instead.
 */
 void mbedtls_des_setkey( uint32_t SK[32],
                         const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
 #ifdef __cplusplus
 }
 #endif
-#if defined(MBEDTLS_SELF_TEST)
+#else  /* MBEDTLS_DES_ALT */
 #include "des_alt.h"
 #endif /* MBEDTLS_DES_ALT */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          Checkup routine
@ -372,8 +299,6 @@ void mbedtls_des_setkey( uint32_t SK[32],
 */
 int mbedtls_des_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
--- a/include/mbedtls/ecdh.h
+++ b/include/mbedtls/ecdh.h
@ -1,26 +1,10 @@
 /**
 * \file ecdh.h
 *
- * \brief This file contains ECDH definitions and functions.
+ * \brief Elliptic curve Diffie-Hellman
 *
- * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * key agreement protocol allowing two parties to establish a shared
+ *  SPDX-License-Identifier: Apache-2.0
 * secret over an insecure channel. Each party must have an
 * elliptic-curve public–private key pair.
 *
 * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
 * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
 * Cryptography</em>.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -34,204 +18,77 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ECDH_H
 #define MBEDTLS_ECDH_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "ecp.h"
 /*
 * Use a backward compatible ECDH context.
 *
 * This flag is always enabled for now and future versions might add a
 * configuration option that conditionally undefines this flag.
 * The configuration option in question may have a different name.
 *
 * Features undefining this flag, must have a warning in their description in
 * config.h stating that the feature breaks backward compatibility.
 */
 #define MBEDTLS_ECDH_LEGACY_CONTEXT
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * Defines the source of the imported EC key.
+ * When importing from an EC key, select if it is our key or the peer's key
 */
 typedef enum
 {
-    MBEDTLS_ECDH_OURS,   /**< Our key. */
+    MBEDTLS_ECDH_OURS,
-    MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
+    MBEDTLS_ECDH_THEIRS,
 } mbedtls_ecdh_side;
 #if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
 /**
- * Defines the ECDH implementation used.
+ * \brief           ECDH context structure
 *
 * Later versions of the library may add new variants, therefore users should
 * not make any assumptions about them.
 */
-typedef enum
+typedef struct
 {
-    MBEDTLS_ECDH_VARIANT_NONE = 0,   /*!< Implementation not defined. */
+    mbedtls_ecp_group grp;      /*!<  elliptic curve used                           */
-    MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+    mbedtls_mpi d;              /*!<  our secret value (private key)                */
-} mbedtls_ecdh_variant;
+    mbedtls_ecp_point Q;        /*!<  our public value (public key)                 */
-
+    mbedtls_ecp_point Qp;       /*!<  peer's public value (public key)              */
-/**
+    mbedtls_mpi z;              /*!<  shared secret                                 */
- * The context used by the default ECDH implementation.
+    int point_format;   /*!<  format for point export in TLS messages       */
- *
+    mbedtls_ecp_point Vi;       /*!<  blinding value (for later)                    */
- * Later versions might change the structure of this context, therefore users
+    mbedtls_ecp_point Vf;       /*!<  un-blinding value (for later)                 */
- * should not make any assumptions about the structure of
+    mbedtls_mpi _d;             /*!<  previous d (for later)                        */
 * mbedtls_ecdh_context_mbed.
 */
 typedef struct mbedtls_ecdh_context_mbed
 {
    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
    mbedtls_mpi d;           /*!< The private key. */
    mbedtls_ecp_point Q;     /*!< The public key. */
    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
    mbedtls_mpi z;           /*!< The shared secret. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
 #endif
 } mbedtls_ecdh_context_mbed;
 #endif
 /**
 *
 * \warning         Performing multiple operations concurrently on the same
 *                  ECDSA context is not supported; objects of this type
 *                  should not be shared between multiple threads.
 * \brief           The ECDH context structure.
 */
 typedef struct mbedtls_ecdh_context
 {
 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
    mbedtls_mpi d;           /*!< The private key. */
    mbedtls_ecp_point Q;     /*!< The public key. */
    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
    mbedtls_mpi z;           /*!< The shared secret. */
    int point_format;        /*!< The format of point export in TLS messages. */
    mbedtls_ecp_point Vi;    /*!< The blinding value. */
    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
    mbedtls_mpi _d;          /*!< The previous \p d. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
    int restart_enabled;        /*!< The flag for restartable mode. */
    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #else
    uint8_t point_format;       /*!< The format of point export in TLS messages
                                  as defined in RFC 4492. */
    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
    union
    {
        mbedtls_ecdh_context_mbed   mbed_ecdh;
    } ctx;                      /*!< Implementation-specific context. The
                                  context in use is specified by the \c var
                                  field. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
                                  an alternative implementation not supporting
                                  restartable mode must return
                                  MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
                                  if this flag is set. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
 }
 mbedtls_ecdh_context;
 /**
- * \brief           This function generates an ECDH keypair on an elliptic
+ * \brief           Generate a public key.
- *                  curve.
+ *                  Raw function that only does the core computation.
 *
- *                  This function performs the first of two core computations
+ * \param grp       ECP group
- *                  implemented during the ECDH key exchange. The second core
+ * \param d         Destination MPI (secret exponent, aka private key)
- *                  computation is performed by mbedtls_ecdh_compute_shared().
+ * \param Q         Destination point (public key)
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 * \param grp       The ECP group to use. This must be initialized and have
 *                  domain parameters loaded, for example through
 *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
 * \param d         The destination MPI (private key).
 *                  This must be initialized.
 * \param Q         The destination point (public key).
 *                  This must be initialized.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL in case \p f_rng doesn't need a context argument.
 *
 * \return          \c 0 on success.
 * \return          Another \c MBEDTLS_ERR_ECP_XXX or
 *                  \c MBEDTLS_MPI_XXX error code on failure.
 */
 int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng );
 /**
- * \brief           This function computes the shared secret.
+ * \brief           Compute shared secret
 *                  Raw function that only does the core computation.
 *
- *                  This function performs the second of two core computations
+ * \param grp       ECP group
- *                  implemented during the ECDH key exchange. The first core
+ * \param z         Destination MPI (shared secret)
- *                  computation is performed by mbedtls_ecdh_gen_public().
+ * \param Q         Public key from other party
 * \param d         Our secret exponent (private key)
 * \param f_rng     RNG function (see notes)
 * \param p_rng     RNG parameter
 *
- * \see             ecp.h
+ * \return          0 if successful,
 *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 *
- * \note            If \p f_rng is not NULL, it is used to implement
+ * \note            If f_rng is not NULL, it is used to implement
- *                  countermeasures against side-channel attacks.
+ *                  countermeasures against potential elaborate timing
- *                  For more information, see mbedtls_ecp_mul().
+ *                  attacks, see \c mbedtls_ecp_mul() for details.
 *
 * \param grp       The ECP group to use. This must be initialized and have
 *                  domain parameters loaded, for example through
 *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
 * \param z         The destination MPI (shared secret).
 *                  This must be initialized.
 * \param Q         The public key from another party.
 *                  This must be initialized.
 * \param d         Our secret exponent (private key).
 *                  This must be initialized.
 * \param f_rng     The RNG function. This may be \c NULL if randomization
 *                  of intermediate results during the ECP computations is
 *                  not needed (discouraged). See the documentation of
 *                  mbedtls_ecp_mul() for more.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL if \p f_rng is \c NULL or doesn't need a
 *                  context argument.
 *
 * \return          \c 0 on success.
 * \return          Another \c MBEDTLS_ERR_ECP_XXX or
 *                  \c MBEDTLS_MPI_XXX error code on failure.
 */
 int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
@ -239,64 +96,34 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
                         void *p_rng );
 /**
- * \brief           This function initializes an ECDH context.
+ * \brief           Initialize context
 *
- * \param ctx       The ECDH context to initialize. This must not be \c NULL.
+ * \param ctx       Context to initialize
 */
 void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
 /**
- * \brief           This function sets up the ECDH context with the information
+ * \brief           Free context
 *                  given.
 *
- *                  This function should be called after mbedtls_ecdh_init() but
+ * \param ctx       Context to free
 *                  before mbedtls_ecdh_make_params(). There is no need to call
 *                  this function before mbedtls_ecdh_read_params().
 *
 *                  This is the first function used by a TLS server for ECDHE
 *                  ciphersuites.
 *
 * \param ctx       The ECDH context to set up. This must be initialized.
 * \param grp_id    The group id of the group to set up the context for.
 *
 * \return          \c 0 on success.
 */
 int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
                        mbedtls_ecp_group_id grp_id );
 /**
 * \brief           This function frees a context.
 *
 * \param ctx       The context to free. This may be \c NULL, in which
 *                  case this function does nothing. If it is not \c NULL,
 *                  it must point to an initialized ECDH context.
 */
 void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
 /**
- * \brief           This function generates an EC key pair and exports its
+ * \brief           Generate a public key and a TLS ServerKeyExchange payload.
- *                  in the format used in a TLS ServerKeyExchange handshake
+ *                  (First function used by a TLS server for ECDHE.)
 *                  message.
 *
- *                  This is the second function used by a TLS server for ECDHE
+ * \param ctx       ECDH context
- *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
+ * \param olen      number of chars written
 * \param buf       destination buffer
 * \param blen      length of buffer
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
- * \see             ecp.h
+ * \note            This function assumes that ctx->grp has already been
 *                  properly set (for example using mbedtls_ecp_group_load).
 *
- * \param ctx       The ECDH context to use. This must be initialized
+ * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 *                  and bound to a group, for example via mbedtls_ecdh_setup().
 * \param olen      The address at which to store the number of Bytes written.
 * \param buf       The destination buffer. This must be a writable buffer of
 *                  length \p blen Bytes.
 * \param blen      The length of the destination buffer \p buf in Bytes.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL in case \p f_rng doesn't need a context argument.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
 */
 int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
@ -304,81 +131,45 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
                      void *p_rng );
 /**
- * \brief           This function parses the ECDHE parameters in a
+ * \brief           Parse and procress a TLS ServerKeyExhange payload.
- *                  TLS ServerKeyExchange handshake message.
+ *                  (First function used by a TLS client for ECDHE.)
 *
- * \note            In a TLS handshake, this is the how the client
+ * \param ctx       ECDH context
- *                  sets up its ECDHE context from the server's public
+ * \param buf       pointer to start of input buffer
- *                  ECDHE key material.
+ * \param end       one past end of buffer
 *
 * \see             ecp.h
 *
 * \param ctx       The ECDHE context to use. This must be initialized.
 * \param buf       On input, \c *buf must be the start of the input buffer.
 *                  On output, \c *buf is updated to point to the end of the
 *                  data that has been read. On success, this is the first byte
 *                  past the end of the ServerKeyExchange parameters.
 *                  On error, this is the point at which an error has been
 *                  detected, which is usually not useful except to debug
 *                  failures.
 * \param end       The end of the input buffer.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
 int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
-                              const unsigned char **buf,
+                      const unsigned char **buf, const unsigned char *end );
                              const unsigned char *end );
 /**
- * \brief           This function sets up an ECDH context from an EC key.
+ * \brief           Setup an ECDH context from an EC key.
 *                  (Used by clients and servers in place of the
 *                  ServerKeyEchange for static ECDH: import ECDH parameters
 *                  from a certificate's EC key information.)
 *
- *                  It is used by clients and servers in place of the
+ * \param ctx       ECDH constext to set
- *                  ServerKeyEchange for static ECDH, and imports ECDH
+ * \param key       EC key to use
- *                  parameters from the EC key information of a certificate.
+ * \param side      Is it our key (1) or the peer's key (0) ?
 *
 * \see             ecp.h
 *
 * \param ctx       The ECDH context to set up. This must be initialized.
 * \param key       The EC key to use. This must be initialized.
 * \param side      Defines the source of the key. Possible values are:
 *                  - #MBEDTLS_ECDH_OURS: The key is ours.
 *                  - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
 *
 * \return          \c 0 on success.
 * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
 *
 * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 */
-int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
-                             const mbedtls_ecp_keypair *key,
+                     mbedtls_ecdh_side side );
                             mbedtls_ecdh_side side );
 /**
- * \brief           This function generates a public key and exports it
+ * \brief           Generate a public key and a TLS ClientKeyExchange payload.
- *                  as a TLS ClientKeyExchange payload.
+ *                  (Second function used by a TLS client for ECDH(E).)
 *
- *                  This is the second function used by a TLS client for ECDH(E)
+ * \param ctx       ECDH context
- *                  ciphersuites.
+ * \param olen      number of bytes actually written
 * \param buf       destination buffer
 * \param blen      size of destination buffer
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
- * \see             ecp.h
+ * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 *
 * \param ctx       The ECDH context to use. This must be initialized
 *                  and bound to a group, the latter usually by
 *                  mbedtls_ecdh_read_params().
 * \param olen      The address at which to store the number of Bytes written.
 *                  This must not be \c NULL.
 * \param buf       The destination buffer. This must be a writable buffer
 *                  of length \p blen Bytes.
 * \param blen      The size of the destination buffer \p buf in Bytes.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL in case \p f_rng doesn't need a context argument.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
 */
 int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
@ -386,78 +177,36 @@ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
                      void *p_rng );
 /**
- * \brief       This function parses and processes the ECDHE payload of a
+ * \brief           Parse and process a TLS ClientKeyExchange payload.
- *              TLS ClientKeyExchange message.
+ *                  (Second function used by a TLS server for ECDH(E).)
 *
- *              This is the third function used by a TLS server for ECDH(E)
+ * \param ctx       ECDH context
- *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ * \param buf       start of input buffer
- *              mbedtls_ecdh_make_params().)
+ * \param blen      length of input buffer
 *
- * \see         ecp.h
+ * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 *
 * \param ctx   The ECDH context to use. This must be initialized
 *              and bound to a group, for example via mbedtls_ecdh_setup().
 * \param buf   The pointer to the ClientKeyExchange payload. This must
 *              be a readable buffer of length \p blen Bytes.
 * \param blen  The length of the input buffer \p buf in Bytes.
 *
 * \return      \c 0 on success.
 * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
 */
 int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
-                              const unsigned char *buf, size_t blen );
+                      const unsigned char *buf, size_t blen );
 /**
- * \brief           This function derives and exports the shared secret.
+ * \brief           Derive and export the shared secret.
 *                  (Last function used by both TLS client en servers.)
 *
- *                  This is the last function used by both TLS client
+ * \param ctx       ECDH context
- *                  and servers.
+ * \param olen      number of bytes written
 * \param buf       destination buffer
 * \param blen      buffer length
 * \param f_rng     RNG function, see notes for \c mbedtls_ecdh_compute_shared()
 * \param p_rng     RNG parameter
 *
- * \note            If \p f_rng is not NULL, it is used to implement
+ * \return          0 if successful, or an MBEDTLS_ERR_ECP_XXX error code
 *                  countermeasures against side-channel attacks.
 *                  For more information, see mbedtls_ecp_mul().
 *
 * \see             ecp.h
 * \param ctx       The ECDH context to use. This must be initialized
 *                  and have its own private key generated and the peer's
 *                  public key imported.
 * \param olen      The address at which to store the total number of
 *                  Bytes written on success. This must not be \c NULL.
 * \param buf       The buffer to write the generated shared key to. This
 *                  must be a writable buffer of size \p blen Bytes.
 * \param blen      The length of the destination buffer \p buf in Bytes.
 * \param f_rng     The RNG function, for blinding purposes. This may
 *                  b \c NULL if blinding isn't needed.
 * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
 *                  doesn't need a context argument.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
 */
 int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
                      unsigned char *buf, size_t blen,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );
 #if defined(MBEDTLS_ECP_RESTARTABLE)
 /**
 * \brief           This function enables restartable EC computations for this
 *                  context.  (Default: disabled.)
 *
 * \see             \c mbedtls_ecp_set_max_ops()
 *
 * \note            It is not possible to safely disable restartable
 *                  computations once enabled, except by free-ing the context,
 *                  which cancels possible in-progress operations.
 *
 * \param ctx       The ECDH context to use. This must be initialized.
 */
 void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@ -1,24 +1,10 @@
 /**
 * \file ecdsa.h
 *
- * \brief This file contains ECDSA definitions and functions.
+ * \brief Elliptic curve DSA
 *
- * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * <em>Standards for Efficient Cryptography Group (SECG):
+ *  SPDX-License-Identifier: Apache-2.0
 * SEC1 Elliptic Curve Cryptography</em>.
 * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
 * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
 *
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -32,42 +18,16 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "ecp.h"
 #include "md.h"
 /*
- * RFC-4492 page 20:
+ * RFC 4492 page 20:
 *
 *     Ecdsa-Sig-Value ::= SEQUENCE {
 *         r       INTEGER,
@ -83,103 +43,38 @@
 #if MBEDTLS_ECP_MAX_BYTES > 124
 #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
 #endif
-/** The maximal size of an ECDSA signature in Bytes. */
+/** Maximum size of an ECDSA signature in bytes */
 #define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
 /**
 * \brief           ECDSA context structure
 */
 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * \brief           The ECDSA context structure.
+ * \brief           Compute ECDSA signature of a previously hashed message
 *
- * \warning         Performing multiple operations concurrently on the same
+ * \note            The deterministic version is usually prefered.
 *                  ECDSA context is not supported; objects of this type
 *                  should not be shared between multiple threads.
 */
 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
 #if defined(MBEDTLS_ECP_RESTARTABLE)
 /**
 * \brief           Internal restart context for ecdsa_verify()
 *
- * \note            Opaque struct, defined in ecdsa.c
+ * \param grp       ECP group
- */
+ * \param r         First output integer
-typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+ * \param s         Second output integer
-
+ * \param d         Private signing key
-/**
+ * \param buf       Message hash
- * \brief           Internal restart context for ecdsa_sign()
+ * \param blen      Length of buf
- *
+ * \param f_rng     RNG function
- * \note            Opaque struct, defined in ecdsa.c
+ * \param p_rng     RNG parameter
 */
 typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 /**
 * \brief           Internal restart context for ecdsa_sign_det()
 *
 * \note            Opaque struct, defined in ecdsa.c
 */
 typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
 #endif
 /**
 * \brief           General context for resuming ECDSA operations
 */
 typedef struct
 {
    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
                                              shared administrative info    */
    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
 #endif
 } mbedtls_ecdsa_restart_ctx;
 #else /* MBEDTLS_ECP_RESTARTABLE */
 /* Now we can declare functions that take a pointer to that */
 typedef void mbedtls_ecdsa_restart_ctx;
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 /**
 * \brief           This function computes the ECDSA signature of a
 *                  previously-hashed message.
 *
 * \note            The deterministic version implemented in
 *                  mbedtls_ecdsa_sign_det() is usually preferred.
 *
 * \note            If the bitlength of the message hash is larger than the
- *                  bitlength of the group order, then the hash is truncated
+ *                  bitlength of the group order, then the hash is truncated as
- *                  as defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.3 step 5.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 * \param grp       The context for the elliptic curve to use.
 *                  This must be initialized and have group parameters
 *                  set, for example through mbedtls_ecp_group_load().
 * \param r         The MPI context in which to store the first part
 *                  the signature. This must be initialized.
 * \param s         The MPI context in which to store the second part
 *                  the signature. This must be initialized.
 * \param d         The private signing key. This must be initialized.
 * \param buf       The content to be signed. This is usually the hash of
 *                  the original data to be signed. This must be a readable
 *                  buffer of length \p blen Bytes. It may be \c NULL if
 *                  \p blen is zero.
 * \param blen      The length of \p buf in Bytes.
 * \param f_rng     The RNG function. This must not be \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL if \p f_rng doesn't need a context parameter.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX
 *                  or \c MBEDTLS_MPI_XXX error code on failure.
 */
 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
@ -187,243 +82,86 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 /**
- * \brief           This function computes the ECDSA signature of a
+ * \brief           Compute ECDSA signature of a previously hashed message,
- *                  previously-hashed message, deterministic version.
+ *                  deterministic version (RFC 6979).
 *
- *                  For more information, see <em>RFC-6979: Deterministic
+ * \param grp       ECP group
- *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ * \param r         First output integer
- *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ * \param s         Second output integer
 * \param d         Private signing key
 * \param buf       Message hash
 * \param blen      Length of buf
 * \param md_alg    MD algorithm used to hash the message
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.3 step 5.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
- * \warning         Since the output of the internal RNG is always the same for
+ * \return          0 if successful,
- *                  the same key and message, this limits the efficiency of
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 *                  blinding and leaks information through side channels. For
 *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
 *
 *                  (Optimally the blinding is a random value that is different
 *                  on every execution. In this case the blinding is still
 *                  random from the attackers perspective, but is the same on
 *                  each execution. This means that this blinding does not
 *                  prevent attackers from recovering secrets by combining
 *                  several measurement traces, but may prevent some attacks
 *                  that exploit relationships between secret data.)
 *
 * \see             ecp.h
 *
 * \param grp       The context for the elliptic curve to use.
 *                  This must be initialized and have group parameters
 *                  set, for example through mbedtls_ecp_group_load().
 * \param r         The MPI context in which to store the first part
 *                  the signature. This must be initialized.
 * \param s         The MPI context in which to store the second part
 *                  the signature. This must be initialized.
 * \param d         The private signing key. This must be initialized
 *                  and setup, for example through mbedtls_ecp_gen_privkey().
 * \param buf       The hashed content to be signed. This must be a readable
 *                  buffer of length \p blen Bytes. It may be \c NULL if
 *                  \p blen is zero.
 * \param blen      The length of \p buf in Bytes.
 * \param md_alg    The hash algorithm used to hash the original data.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
 *                  error code on failure.
 */
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
-                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                            const unsigned char *buf, size_t blen,
+                    mbedtls_md_type_t md_alg );
                            mbedtls_md_type_t md_alg );
 /**
 * \brief           This function computes the ECDSA signature of a
 *                  previously-hashed message, deterministic version.
 *
 *                  For more information, see <em>RFC-6979: Deterministic
 *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
 *                  Curve Digital Signature Algorithm (ECDSA)</em>.
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
 *                  defined in <em>Standards for Efficient Cryptography Group
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
 * \see             ecp.h
 *
 * \param grp           The context for the elliptic curve to use.
 *                      This must be initialized and have group parameters
 *                      set, for example through mbedtls_ecp_group_load().
 * \param r             The MPI context in which to store the first part
 *                      the signature. This must be initialized.
 * \param s             The MPI context in which to store the second part
 *                      the signature. This must be initialized.
 * \param d             The private signing key. This must be initialized
 *                      and setup, for example through mbedtls_ecp_gen_privkey().
 * \param buf           The hashed content to be signed. This must be a readable
 *                      buffer of length \p blen Bytes. It may be \c NULL if
 *                      \p blen is zero.
 * \param blen          The length of \p buf in Bytes.
 * \param md_alg        The hash algorithm used to hash the original data.
 * \param f_rng_blind   The RNG function used for blinding. This must not be
 *                      \c NULL.
 * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
 *                      \c NULL if \p f_rng doesn't need a context parameter.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
 *                  error code on failure.
 */
 int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
                                mbedtls_mpi *s, const mbedtls_mpi *d,
                                const unsigned char *buf, size_t blen,
                                mbedtls_md_type_t md_alg,
                                int (*f_rng_blind)(void *, unsigned char *,
                                                   size_t),
                                void *p_rng_blind );
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 /**
- * \brief           This function verifies the ECDSA signature of a
+ * \brief           Verify ECDSA signature of a previously hashed message
- *                  previously-hashed message.
+ *
 * \param grp       ECP group
 * \param buf       Message hash
 * \param blen      Length of buf
 * \param Q         Public key to use for verification
 * \param r         First integer of the signature
 * \param s         Second integer of the signature
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.4 step 3.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.4, step 3.
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid
- * \param grp       The ECP group to use.
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
 *                  This must be initialized and have group parameters
 *                  set, for example through mbedtls_ecp_group_load().
 * \param buf       The hashed content that was signed. This must be a readable
 *                  buffer of length \p blen Bytes. It may be \c NULL if
 *                  \p blen is zero.
 * \param blen      The length of \p buf in Bytes.
 * \param Q         The public key to use for verification. This must be
 *                  initialized and setup.
 * \param r         The first integer of the signature.
 *                  This must be initialized.
 * \param s         The second integer of the signature.
 *                  This must be initialized.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
 *                  is invalid.
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
 *                  error code on failure for any other reason.
 */
 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
-                          const unsigned char *buf, size_t blen,
+                  const unsigned char *buf, size_t blen,
-                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
                          const mbedtls_mpi *s);
 /**
- * \brief           This function computes the ECDSA signature and writes it
+ * \brief           Compute ECDSA signature and write it to buffer,
- *                  to a buffer, serialized as defined in <em>RFC-4492:
+ *                  serialized as defined in RFC 4492 page 20.
- *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  (Not thread-safe to use same context in multiple threads)
 *                  Transport Layer Security (TLS)</em>.
 *
- * \warning         It is not thread-safe to use the same context in
+ * \note            The deterministic version (RFC 6979) is used if
- *                  multiple threads.
+ *                  MBEDTLS_ECDSA_DETERMINISTIC is defined.
 *
- * \note            The deterministic version is used if
+ * \param ctx       ECDSA context
- *                  #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
+ * \param md_alg    Algorithm that was used to hash the message
- *                  information, see <em>RFC-6979: Deterministic Usage
+ * \param hash      Message hash
- *                  of the Digital Signature Algorithm (DSA) and Elliptic
+ * \param hlen      Length of hash
- *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ * \param sig       Buffer that will hold the signature
 * \param slen      Length of the signature written
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
 * \note            The "sig" buffer must be at least as large as twice the
 *                  size of the curve used, plus 9 (eg. 73 bytes if a 256-bit
 *                  curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe.
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.3 step 5.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or
- * \param ctx       The ECDSA context to use. This must be initialized
+ *                  MBEDTLS_ERR_ASN1_XXX error code
 *                  and have a group and private key bound to it, for example
 *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
 * \param md_alg    The message digest that was used to hash the message.
 * \param hash      The message hash to be signed. This must be a readable
 *                  buffer of length \p blen Bytes.
 * \param hlen      The length of the hash \p hash in Bytes.
 * \param sig       The buffer to which to write the signature. This must be a
 *                  writable buffer of length at least twice as large as the
 *                  size of the curve used, plus 9. For example, 73 Bytes if
 *                  a 256-bit curve is used. A buffer length of
 *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
 * \param slen      The address at which to store the actual length of
 *                  the signature written. Must not be \c NULL.
 * \param f_rng     The RNG function. This must not be \c NULL if
 *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
 *                  it is unused and may be set to \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
 *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
-int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
                                   mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hlen,
                           unsigned char *sig, size_t *slen,
                           int (*f_rng)(void *, unsigned char *, size_t),
                           void *p_rng );
 /**
 * \brief           This function computes the ECDSA signature and writes it
 *                  to a buffer, in a restartable way.
 *
 * \see             \c mbedtls_ecdsa_write_signature()
 *
 * \note            This function is like \c mbedtls_ecdsa_write_signature()
 *                  but it can return early and restart according to the limit
 *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
 *
 * \param ctx       The ECDSA context to use. This must be initialized
 *                  and have a group and private key bound to it, for example
 *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
 * \param md_alg    The message digest that was used to hash the message.
 * \param hash      The message hash to be signed. This must be a readable
 *                  buffer of length \p blen Bytes.
 * \param hlen      The length of the hash \p hash in Bytes.
 * \param sig       The buffer to which to write the signature. This must be a
 *                  writable buffer of length at least twice as large as the
 *                  size of the curve used, plus 9. For example, 73 Bytes if
 *                  a 256-bit curve is used. A buffer length of
 *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
 * \param slen      The address at which to store the actual length of
 *                  the signature written. Must not be \c NULL.
 * \param f_rng     The RNG function. This must not be \c NULL if
 *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
 *                  it is unused and may be set to \c NULL.
 * \param p_rng     The RNG context to be passed to \p f_rng. This may be
 *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
 * \param rs_ctx    The restart context to use. This may be \c NULL to disable
 *                  restarting. If it is not \c NULL, it must point to an
 *                  initialized restart context.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 * \return          Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
 *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
                           mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hlen,
                           unsigned char *sig, size_t *slen,
                           int (*f_rng)(void *, unsigned char *, size_t),
                           void *p_rng,
                           mbedtls_ecdsa_restart_ctx *rs_ctx );
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
@ -432,47 +170,31 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief           This function computes an ECDSA signature and writes
+ * \brief           Compute ECDSA signature and write it to buffer,
- *                  it to a buffer, serialized as defined in <em>RFC-4492:
+ *                  serialized as defined in RFC 4492 page 20.
- *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Deterministic version, RFC 6979.
- *                  Transport Layer Security (TLS)</em>.
+ *                  (Not thread-safe to use same context in multiple threads)
 *
- *                  The deterministic version is defined in <em>RFC-6979:
+ * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in 2.0.0
 *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
 *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
 *
- * \warning         It is not thread-safe to use the same context in
+ * \param ctx       ECDSA context
- *                  multiple threads.
+ * \param hash      Message hash
 * \param hlen      Length of hash
 * \param sig       Buffer that will hold the signature
 * \param slen      Length of the signature written
 * \param md_alg    MD algorithm used to hash the message
 *
 * \note            The "sig" buffer must be at least as large as twice the
 *                  size of the curve used, plus 9 (eg. 73 bytes if a 256-bit
 *                  curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe.
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.3 step 5.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.3, step 5.
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or
- * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
+ *                  MBEDTLS_ERR_ASN1_XXX error code
 *                  Mbed TLS version 2.0 and later.
 *
 * \param ctx       The ECDSA context to use. This must be initialized
 *                  and have a group and private key bound to it, for example
 *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
 * \param hash      The message hash to be signed. This must be a readable
 *                  buffer of length \p blen Bytes.
 * \param hlen      The length of the hash \p hash in Bytes.
 * \param sig       The buffer to which to write the signature. This must be a
 *                  writable buffer of length at least twice as large as the
 *                  size of the curve used, plus 9. For example, 73 Bytes if
 *                  a 256-bit curve is used. A buffer length of
 *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
 * \param slen      The address at which to store the actual length of
 *                  the signature written. Must not be \c NULL.
 * \param md_alg    The message digest that was used to hash the message.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
 *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
 */
 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
                               const unsigned char *hash, size_t hlen,
@ -483,145 +205,66 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 /**
- * \brief           This function reads and verifies an ECDSA signature.
+ * \brief           Read and verify an ECDSA signature
 *
 * \param ctx       ECDSA context
 * \param hash      Message hash
 * \param hlen      Size of hash
 * \param sig       Signature to read and verify
 * \param slen      Size of sig
 *
 * \note            If the bitlength of the message hash is larger than the
 *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  prescribed by SEC1 4.1.4 step 3.
 *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
 *                  4.1.4, step 3.
 *
- * \see             ecp.h
+ * \return          0 if successful,
- *
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
- * \param ctx       The ECDSA context to use. This must be initialized
+ *                  MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if the signature is
- *                  and have a group and public key bound to it.
+ *                  valid but its actual length is less than siglen,
- * \param hash      The message hash that was signed. This must be a readable
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX error code
 *                  buffer of length \p size Bytes.
 * \param hlen      The size of the hash \p hash.
 * \param sig       The signature to read and verify. This must be a readable
 *                  buffer of length \p slen Bytes.
 * \param slen      The size of \p sig in Bytes.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
 * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
 *                  signature in \p sig, but its length is less than \p siglen.
 * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
 *                  error code on failure for any other reason.
 */
 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
                          const unsigned char *hash, size_t hlen,
                          const unsigned char *sig, size_t slen );
 /**
- * \brief           This function reads and verifies an ECDSA signature,
+ * \brief           Generate an ECDSA keypair on the given curve
 *                  in a restartable way.
 *
- * \see             \c mbedtls_ecdsa_read_signature()
+ * \param ctx       ECDSA context in which the keypair should be stored
 * \param gid       Group (elliptic curve) to use. One of the various
 *                  MBEDTLS_ECP_DP_XXX macros depending on configuration.
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 *
- * \note            This function is like \c mbedtls_ecdsa_read_signature()
+ * \return          0 on success, or a MBEDTLS_ERR_ECP_XXX code.
 *                  but it can return early and restart according to the limit
 *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
 *
 * \param ctx       The ECDSA context to use. This must be initialized
 *                  and have a group and public key bound to it.
 * \param hash      The message hash that was signed. This must be a readable
 *                  buffer of length \p size Bytes.
 * \param hlen      The size of the hash \p hash.
 * \param sig       The signature to read and verify. This must be a readable
 *                  buffer of length \p slen Bytes.
 * \param slen      The size of \p sig in Bytes.
 * \param rs_ctx    The restart context to use. This may be \c NULL to disable
 *                  restarting. If it is not \c NULL, it must point to an
 *                  initialized restart context.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
 * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
 *                  signature in \p sig, but its length is less than \p siglen.
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 * \return          Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
 *                  error code on failure for any other reason.
 */
 int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
                          const unsigned char *hash, size_t hlen,
                          const unsigned char *sig, size_t slen,
                          mbedtls_ecdsa_restart_ctx *rs_ctx );
 /**
 * \brief          This function generates an ECDSA keypair on the given curve.
 *
 * \see            ecp.h
 *
 * \param ctx      The ECDSA context to store the keypair in.
 *                 This must be initialized.
 * \param gid      The elliptic curve to use. One of the various
 *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
 * \param f_rng    The RNG function to use. This must not be \c NULL.
 * \param p_rng    The RNG context to be passed to \p f_rng. This may be
 *                 \c NULL if \p f_rng doesn't need a context argument.
 *
 * \return         \c 0 on success.
 * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
 */
 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 /**
- * \brief           This function sets up an ECDSA context from an EC key pair.
+ * \brief           Set an ECDSA context from an EC key pair
 *
- * \see             ecp.h
+ * \param ctx       ECDSA context to set
 * \param key       EC key to use
 *
- * \param ctx       The ECDSA context to setup. This must be initialized.
+ * \return          0 on success, or a MBEDTLS_ERR_ECP_XXX code.
 * \param key       The EC key to use. This must be initialized and hold
 *                  a private-public key pair or a public key. In the former
 *                  case, the ECDSA context may be used for signature creation
 *                  and verification after this call. In the latter case, it
 *                  may be used for signature verification.
 *
 * \return          \c 0 on success.
 * \return          An \c MBEDTLS_ERR_ECP_XXX code on failure.
 */
-int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );
                                const mbedtls_ecp_keypair *key );
 /**
- * \brief           This function initializes an ECDSA context.
+ * \brief           Initialize context
 *
- * \param ctx       The ECDSA context to initialize.
+ * \param ctx       Context to initialize
 *                  This must not be \c NULL.
 */
 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
 /**
- * \brief           This function frees an ECDSA context.
+ * \brief           Free context
 *
- * \param ctx       The ECDSA context to free. This may be \c NULL,
+ * \param ctx       Context to free
 *                  in which case this function does nothing. If it
 *                  is not \c NULL, it must be initialized.
 */
 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
 #if defined(MBEDTLS_ECP_RESTARTABLE)
 /**
 * \brief           Initialize a restart context.
 *
 * \param ctx       The restart context to initialize.
 *                  This must not be \c NULL.
 */
 void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
 /**
 * \brief           Free the components of a restart context.
 *
 * \param ctx       The restart context to free. This may be \c NULL,
 *                  in which case this function does nothing. If it
 *                  is not \c NULL, it must be initialized.
 */
 void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@ -2,16 +2,9 @@
 * \file ecjpake.h
 *
 * \brief Elliptic curve J-PAKE
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ECJPAKE_H
 #define MBEDTLS_ECJPAKE_H
@ -65,11 +39,6 @@
 * The payloads are serialized in a way suitable for use in TLS, but could
 * also be use outside TLS.
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "ecp.h"
 #include "md.h"
@ -86,7 +55,6 @@ typedef enum {
    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
 } mbedtls_ecjpake_role;
 #if !defined(MBEDTLS_ECJPAKE_ALT)
 /**
 * EC J-PAKE context structure.
 *
@ -98,7 +66,7 @@ typedef enum {
 * convetion from the Thread v1.0 spec. Correspondance is indicated in the
 * description as a pair C: client name, S: server name
 */
-typedef struct mbedtls_ecjpake_context
+typedef struct
 {
    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
@ -117,38 +85,29 @@ typedef struct mbedtls_ecjpake_context
    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
 } mbedtls_ecjpake_context;
 #else  /* MBEDTLS_ECJPAKE_ALT */
 #include "ecjpake_alt.h"
 #endif /* MBEDTLS_ECJPAKE_ALT */
 /**
- * \brief           Initialize an ECJPAKE context.
+ * \brief           Initialize a context
 *                  (just makes it ready for setup() or free()).
 *
- * \param ctx       The ECJPAKE context to initialize.
+ * \param ctx       context to initialize
 *                  This must not be \c NULL.
 */
 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
 /**
- * \brief           Set up an ECJPAKE context for use.
+ * \brief           Set up a context for use
 *
 * \note            Currently the only values for hash/curve allowed by the
- *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
+ *                  standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1.
 *
- * \param ctx       The ECJPAKE context to set up. This must be initialized.
+ * \param ctx       context to set up
- * \param role      The role of the caller. This must be either
+ * \param role      Our role: client or server
- *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash      hash function to use (MBEDTLS_MD_XXX)
- * \param hash      The identifier of the hash function to use,
+ * \param curve     elliptic curve identifier (MBEDTLS_ECP_DP_XXX)
- *                  for example #MBEDTLS_MD_SHA256.
+ * \param secret    pre-shared secret (passphrase)
- * \param curve     The identifier of the elliptic curve to use,
+ * \param len       length of the shared secret
 *                  for example #MBEDTLS_ECP_DP_SECP256R1.
 * \param secret    The pre-shared secret (passphrase). This must be
 *                  a readable buffer of length \p len Bytes. It need
 *                  only be valid for the duration of this call.
 * \param len       The length of the pre-shared secret \p secret.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
                           mbedtls_ecjpake_role role,
@ -158,34 +117,29 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
                           size_t len );
 /**
- * \brief           Check if an ECJPAKE context is ready for use.
+ * \brief           Check if a context is ready for use
 *
- * \param ctx       The ECJPAKE context to check. This must be
+ * \param ctx       Context to check
 *                  initialized.
 *
- * \return          \c 0 if the context is ready for use.
+ * \return          0 if the context is ready for use,
- * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
 */
 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
 /**
 * \brief           Generate and write the first round message
 *                  (TLS: contents of the Client/ServerHello extension,
- *                  excluding extension type and length bytes).
+ *                  excluding extension type and length bytes)
 *
- * \param ctx       The ECJPAKE context to use. This must be
+ * \param ctx       Context to use
- *                  initialized and set up.
+ * \param buf       Buffer to write the contents to
- * \param buf       The buffer to write the contents to. This must be a
+ * \param len       Buffer size
- *                  writable buffer of length \p len Bytes.
+ * \param olen      Will be updated with the number of bytes written
- * \param len       The length of \p buf in Bytes.
+ * \param f_rng     RNG function
- * \param olen      The address at which to store the total number
+ * \param p_rng     RNG parameter
 *                  of Bytes written to \p buf. This must not be \c NULL.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This
 *                  may be \c NULL if \p f_rng doesn't use a context.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
                            unsigned char *buf, size_t len, size_t *olen,
@ -195,16 +149,14 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
 /**
 * \brief           Read and process the first round message
 *                  (TLS: contents of the Client/ServerHello extension,
- *                  excluding extension type and length bytes).
+ *                  excluding extension type and length bytes)
 *
- * \param ctx       The ECJPAKE context to use. This must be initialized
+ * \param ctx       Context to use
- *                  and set up.
+ * \param buf       Pointer to extension contents
- * \param buf       The buffer holding the first round message. This must
+ * \param len       Extension length
 *                  be a readable buffer of length \p len Bytes.
 * \param len       The length in Bytes of \p buf.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
                                    const unsigned char *buf,
@ -212,21 +164,17 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
 /**
 * \brief           Generate and write the second round message
- *                  (TLS: contents of the Client/ServerKeyExchange).
+ *                  (TLS: contents of the Client/ServerKeyExchange)
 *
- * \param ctx       The ECJPAKE context to use. This must be initialized,
+ * \param ctx       Context to use
- *                  set up, and already have performed round one.
+ * \param buf       Buffer to write the contents to
- * \param buf       The buffer to write the round two contents to.
+ * \param len       Buffer size
- *                  This must be a writable buffer of length \p len Bytes.
+ * \param olen      Will be updated with the number of bytes written
- * \param len       The size of \p buf in Bytes.
+ * \param f_rng     RNG function
- * \param olen      The address at which to store the total number of Bytes
+ * \param p_rng     RNG parameter
 *                  written to \p buf. This must not be \c NULL.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This
 *                  may be \c NULL if \p f_rng doesn't use a context.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
                            unsigned char *buf, size_t len, size_t *olen,
@ -235,16 +183,14 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
 /**
 * \brief           Read and process the second round message
- *                  (TLS: contents of the Client/ServerKeyExchange).
+ *                  (TLS: contents of the Client/ServerKeyExchange)
 *
- * \param ctx       The ECJPAKE context to use. This must be initialized
+ * \param ctx       Context to use
- *                  and set up and already have performed round one.
+ * \param buf       Pointer to the message
- * \param buf       The buffer holding the second round message. This must
+ * \param len       Message length
 *                  be a readable buffer of length \p len Bytes.
 * \param len       The length in Bytes of \p buf.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
                                    const unsigned char *buf,
@ -252,21 +198,17 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
 /**
 * \brief           Derive the shared secret
- *                  (TLS: Pre-Master Secret).
+ *                  (TLS: Pre-Master Secret)
 *
- * \param ctx       The ECJPAKE context to use. This must be initialized,
+ * \param ctx       Context to use
- *                  set up and have performed both round one and two.
+ * \param buf       Buffer to write the contents to
- * \param buf       The buffer to write the derived secret to. This must
+ * \param len       Buffer size
- *                  be a writable buffer of length \p len Bytes.
+ * \param olen      Will be updated with the number of bytes written
- * \param len       The length of \p buf in Bytes.
+ * \param f_rng     RNG function
- * \param olen      The address at which to store the total number of Bytes
+ * \param p_rng     RNG parameter
 *                  written to \p buf. This must not be \c NULL.
 * \param f_rng     The RNG function to use. This must not be \c NULL.
 * \param p_rng     The RNG parameter to be passed to \p f_rng. This
 *                  may be \c NULL if \p f_rng doesn't use a context.
 *
- * \return          \c 0 if successful.
+ * \return          0 if successfull,
- * \return          A negative error code on failure.
+ *                  a negative error code otherwise
 */
 int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
                            unsigned char *buf, size_t len, size_t *olen,
@ -274,29 +216,23 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
                            void *p_rng );
 /**
- * \brief           This clears an ECJPAKE context and frees any
+ * \brief           Free a context's content
 *                  embedded data structure.
 *
- * \param ctx       The ECJPAKE context to free. This may be \c NULL,
+ * \param ctx       context to free
 *                  in which case this function does nothing. If it is not
 *                  \c NULL, it must point to an initialized ECJPAKE context.
 */
 void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if a test failed
 */
 int mbedtls_ecjpake_self_test( int verbose );
-
+#endif
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* ecjpake.h */
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
--- a/include/mbedtls/ecp_internal.h
+++ b/include/mbedtls/ecp_internal.h
@ -3,16 +3,9 @@
 *
 * \brief Function declarations for alternative implementation of elliptic curve
 * point arithmetic.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2016, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -26,26 +19,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 /*
@ -73,7 +47,7 @@
 * [6] Digital Signature Standard (DSS), FIPS 186-4.
 *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
 *
- * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
+ * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer 
 *     Security (TLS), RFC 4492.
 *     <https://tools.ietf.org/search/rfc4492>
 *
@ -86,12 +60,6 @@
 #ifndef MBEDTLS_ECP_INTERNAL_H
 #define MBEDTLS_ECP_INTERNAL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
 /**
--- a/include/mbedtls/entropy.h
+++ b/include/mbedtls/entropy.h
@ -2,16 +2,9 @@
 * \file entropy.h
 *
 * \brief Entropy accumulator implementation
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ENTROPY_H
 #define MBEDTLS_ENTROPY_H
@ -132,7 +106,7 @@ typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, s
 /**
 * \brief           Entropy source state
 */
-typedef struct mbedtls_entropy_source_state
+typedef struct
 {
    mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
    void *          p_source;   /**< The callback data pointer */
@ -145,17 +119,14 @@ mbedtls_entropy_source_state;
 /**
 * \brief           Entropy context structure
 */
-typedef struct mbedtls_entropy_context
+typedef struct
 {
    int accumulator_started; /* 0 after init.
                              * 1 after the first update.
                              * -1 after free. */
 #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
    mbedtls_sha512_context  accumulator;
 #else
    mbedtls_sha256_context  accumulator;
 #endif
-    int             source_count; /* Number of entries used in source. */
+    int             source_count;
    mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
 #if defined(MBEDTLS_HAVEGE_C)
    mbedtls_havege_state    havege_data;
@ -193,7 +164,7 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx );
 * \param threshold Minimum required from source before entropy is released
 *                  ( with mbedtls_entropy_func() ) (in bytes)
 * \param strong    MBEDTLS_ENTROPY_SOURCE_STRONG or
- *                  MBEDTLS_ENTROPY_SOURCE_WEAK.
+ *                  MBEDTSL_ENTROPY_SOURCE_WEAK.
 *                  At least one strong source needs to be added.
 *                  Weaker sources (such as the cycle counter) can be used as
 *                  a complement.
--- a/include/mbedtls/entropy_poll.h
+++ b/include/mbedtls/entropy_poll.h
@ -2,16 +2,9 @@
 * \file entropy_poll.h
 *
 * \brief Platform-specific and custom entropy polling functions
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ENTROPY_POLL_H
 #define MBEDTLS_ENTROPY_POLL_H
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@ -2,16 +2,9 @@
 * \file error.h
 *
 * \brief Error to string translation
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /**
@ -81,37 +49,23 @@
 *
 * Module   Nr  Codes assigned
 * MPI       7  0x0002-0x0010
- * GCM       3  0x0012-0x0014   0x0013-0x0013
+ * GCM       2  0x0012-0x0014
- * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
+ * BLOWFISH  2  0x0016-0x0018
 * THREADING 3  0x001A-0x001E
- * AES       5  0x0020-0x0022   0x0021-0x0025
+ * AES       2  0x0020-0x0022
- * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
+ * CAMELLIA  2  0x0024-0x0026
- * XTEA      2  0x0028-0x0028   0x0029-0x0029
+ * XTEA      1  0x0028-0x0028
 * BASE64    2  0x002A-0x002C
 * OID       1  0x002E-0x002E   0x000B-0x000B
 * PADLOCK   1  0x0030-0x0030
- * DES       2  0x0032-0x0032   0x0033-0x0033
+ * DES       1  0x0032-0x0032
 * CTR_DBRG  4  0x0034-0x003A
 * ENTROPY   3  0x003C-0x0040   0x003D-0x003F
- * NET      13  0x0042-0x0052   0x0043-0x0049
+ * NET      11  0x0042-0x0052   0x0043-0x0045
 * ARIA      4  0x0058-0x005E
 * ASN1      7  0x0060-0x006C
 * CMAC      1  0x007A-0x007A
 * PBKDF2    1  0x007C-0x007C
- * HMAC_DRBG 4                  0x0003-0x0009
+ * HMAC_DRBG 4  0x0003-0x0009
- * CCM       3                  0x000D-0x0011
+ * CCM       2                  0x000D-0x000F
 * ARC4      1                  0x0019-0x0019
 * MD2       1                  0x002B-0x002B
 * MD4       1                  0x002D-0x002D
 * MD5       1                  0x002F-0x002F
 * RIPEMD160 1                  0x0031-0x0031
 * SHA1      1                  0x0035-0x0035 0x0073-0x0073
 * SHA256    1                  0x0037-0x0037 0x0074-0x0074
 * SHA512    1                  0x0039-0x0039 0x0075-0x0075
 * CHACHA20  3                  0x0051-0x0055
 * POLY1305  3                  0x0057-0x005B
 * CHACHAPOLY 2 0x0054-0x0056
 * PLATFORM  1  0x0070-0x0072
 *
 * High-level module nr (3 bits - 0x0...-0x7...)
 * Name      ID  Nr of Errors
@ -119,16 +73,14 @@
 * PKCS#12   1   4 (Started from top)
 * X509      2   20
 * PKCS5     2   4 (Started from top)
- * DHM       3   11
+ * DHM       3   9
- * PK        3   15 (Started from top)
+ * PK        3   14 (Started from top)
- * RSA       4   11
+ * RSA       4   9
- * ECP       4   10 (Started from top)
+ * ECP       4   8 (Started from top)
- * MD        5   5
+ * MD        5   4
- * HKDF      5   1 (Started from top)
+ * CIPHER    6   6
- * SSL       5   1 (Started from 0x5E80)
+ * SSL       6   17 (Started from top)
- * CIPHER    6   8
+ * SSL       7   31
 * SSL       6   23 (Started from top)
 * SSL       7   32
 *
 * Module dependent error code (5 bits 0x.00.-0x.F8.)
 */
--- a/include/mbedtls/gcm.h
+++ b/include/mbedtls/gcm.h
@ -1,25 +1,10 @@
 /**
 * \file gcm.h
 *
- * \brief This file contains GCM definitions and functions.
+ * \brief Galois/Counter mode for 128-bit block ciphers
 *
- * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ *  SPDX-License-Identifier: Apache-2.0
 * (GCM), Natl. Inst. Stand. Technol.</em>
 *
 * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
 * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
 *
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -33,37 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_GCM_H
 #define MBEDTLS_GCM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "cipher.h"
 #include <stdint.h>
@ -72,69 +31,46 @@
 #define MBEDTLS_GCM_DECRYPT     0
 #define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
 /* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
 #define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_GCM_ALT)
 /**
- * \brief          The GCM context structure.
+ * \brief          GCM context structure
 */
-typedef struct mbedtls_gcm_context
+typedef struct {
-{
+    mbedtls_cipher_context_t cipher_ctx;/*!< cipher context used */
-    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
+    uint64_t HL[16];            /*!< Precalculated HTable */
-    uint64_t HL[16];                      /*!< Precalculated HTable low. */
+    uint64_t HH[16];            /*!< Precalculated HTable */
-    uint64_t HH[16];                      /*!< Precalculated HTable high. */
+    uint64_t len;               /*!< Total data length */
-    uint64_t len;                         /*!< The total length of the encrypted data. */
+    uint64_t add_len;           /*!< Total add length */
-    uint64_t add_len;                     /*!< The total length of the additional data. */
+    unsigned char base_ectr[16];/*!< First ECTR for tag */
-    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
+    unsigned char y[16];        /*!< Y working value */
-    unsigned char y[16];                  /*!< The Y working value. */
+    unsigned char buf[16];      /*!< buf working value */
-    unsigned char buf[16];                /*!< The buf working value. */
+    int mode;                   /*!< Encrypt or Decrypt */
    int mode;                             /*!< The operation to perform:
                                               #MBEDTLS_GCM_ENCRYPT or
                                               #MBEDTLS_GCM_DECRYPT. */
 }
 mbedtls_gcm_context;
 #else  /* !MBEDTLS_GCM_ALT */
 #include "gcm_alt.h"
 #endif /* !MBEDTLS_GCM_ALT */
 /**
- * \brief           This function initializes the specified GCM context,
+ * \brief           Initialize GCM context (just makes references valid)
- *                  to make references valid, and prepares the context
+ *                  Makes the context ready for mbedtls_gcm_setkey() or
- *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *                  mbedtls_gcm_free().
 *
- *                  The function does not bind the GCM context to a particular
+ * \param ctx       GCM context to initialize
 *                  cipher, nor set the key. For this purpose, use
 *                  mbedtls_gcm_setkey().
 *
 * \param ctx       The GCM context to initialize. This must not be \c NULL.
 */
 void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
 /**
- * \brief           This function associates a GCM context with a
+ * \brief           GCM initialization (encryption)
 *                  cipher algorithm and a key.
 *
- * \param ctx       The GCM context. This must be initialized.
+ * \param ctx       GCM context to be initialized
- * \param cipher    The 128-bit block cipher to use.
+ * \param cipher    cipher to use (a 128-bit block cipher)
- * \param key       The encryption key. This must be a readable buffer of at
+ * \param key       encryption key
- *                  least \p keybits bits.
+ * \param keybits   must be 128, 192 or 256
 * \param keybits   The key size in bits. Valid options are:
 *                  <ul><li>128 bits</li>
 *                  <li>192 bits</li>
 *                  <li>256 bits</li></ul>
 *
- * \return          \c 0 on success.
+ * \return          0 if successful, or a cipher specific error code
 * \return          A cipher-specific error code on failure.
 */
 int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
                        mbedtls_cipher_id_t cipher,
@ -142,55 +78,26 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
                        unsigned int keybits );
 /**
- * \brief           This function performs GCM encryption or decryption of a buffer.
+ * \brief           GCM buffer encryption/decryption using a block cipher
 *
- * \note            For encryption, the output buffer can be the same as the
+ * \note On encryption, the output buffer can be the same as the input buffer.
- *                  input buffer. For decryption, the output buffer cannot be
+ *       On decryption, the output buffer cannot be the same as input buffer.
- *                  the same as input buffer. If the buffers overlap, the output
+ *       If buffers overlap, the output buffer must trail at least 8 bytes
- *                  buffer must trail at least 8 Bytes behind the input buffer.
+ *       behind the input buffer.
 *
- * \warning         When this function performs a decryption, it outputs the
+ * \param ctx       GCM context
- *                  authentication tag and does not verify that the data is
+ * \param mode      MBEDTLS_GCM_ENCRYPT or MBEDTLS_GCM_DECRYPT
- *                  authentic. You should use this function to perform encryption
+ * \param length    length of the input data
- *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ * \param iv        initialization vector
 * \param iv_len    length of IV
 * \param add       additional data
 * \param add_len   length of additional data
 * \param input     buffer holding the input data
 * \param output    buffer for holding the output data
 * \param tag_len   length of the tag to generate
 * \param tag       buffer for holding the tag
 *
- * \param ctx       The GCM context to use for encryption or decryption. This
+ * \return         0 if successful
 *                  must be initialized.
 * \param mode      The operation to perform:
 *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
 *                    The ciphertext is written to \p output and the
 *                    authentication tag is written to \p tag.
 *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
 *                    The plaintext is written to \p output and the
 *                    authentication tag is written to \p tag.
 *                    Note that this mode is not recommended, because it does
 *                    not verify the authenticity of the data. For this reason,
 *                    you should use mbedtls_gcm_auth_decrypt() instead of
 *                    calling this function in decryption mode.
 * \param length    The length of the input data, which is equal to the length
 *                  of the output data.
 * \param iv        The initialization vector. This must be a readable buffer of
 *                  at least \p iv_len Bytes.
 * \param iv_len    The length of the IV.
 * \param add       The buffer holding the additional data. This must be of at
 *                  least that size in Bytes.
 * \param add_len   The length of the additional data.
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, this must be a readable buffer of at least that
 *                  size in Bytes.
 * \param output    The buffer for holding the output data. If \p length is greater
 *                  than zero, this must be a writable buffer of at least that
 *                  size in Bytes.
 * \param tag_len   The length of the tag to generate.
 * \param tag       The buffer for holding the tag. This must be a writable
 *                  buffer of at least \p tag_len Bytes.
 *
 * \return          \c 0 if the encryption or decryption was performed
 *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
 *                  this does not indicate that the data is authentic.
 * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
 *                  not valid or a cipher-specific error code if the encryption
 *                  or decryption failed.
 */
 int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
                       int mode,
@ -205,37 +112,25 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
                       unsigned char *tag );
 /**
- * \brief           This function performs a GCM authenticated decryption of a
+ * \brief           GCM buffer authenticated decryption using a block cipher
 *                  buffer.
 *
- * \note            For decryption, the output buffer cannot be the same as
+ * \note On decryption, the output buffer cannot be the same as input buffer.
- *                  input buffer. If the buffers overlap, the output buffer
+ *       If buffers overlap, the output buffer must trail at least 8 bytes
- *                  must trail at least 8 Bytes behind the input buffer.
+ *       behind the input buffer.
 *
- * \param ctx       The GCM context. This must be initialized.
+ * \param ctx       GCM context
- * \param length    The length of the ciphertext to decrypt, which is also
+ * \param length    length of the input data
- *                  the length of the decrypted plaintext.
+ * \param iv        initialization vector
- * \param iv        The initialization vector. This must be a readable buffer
+ * \param iv_len    length of IV
- *                  of at least \p iv_len Bytes.
+ * \param add       additional data
- * \param iv_len    The length of the IV.
+ * \param add_len   length of additional data
- * \param add       The buffer holding the additional data. This must be of at
+ * \param tag       buffer holding the tag
- *                  least that size in Bytes.
+ * \param tag_len   length of the tag
- * \param add_len   The length of the additional data.
+ * \param input     buffer holding the input data
- * \param tag       The buffer holding the tag to verify. This must be a
+ * \param output    buffer for holding the output data
 *                  readable buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the tag to verify.
 * \param input     The buffer holding the ciphertext. If \p length is greater
 *                  than zero, this must be a readable buffer of at least that
 *                  size.
 * \param output    The buffer for holding the decrypted plaintext. If \p length
 *                  is greater than zero, this must be a writable buffer of at
 *                  least that size.
 *
- * \return          \c 0 if successful and authenticated.
+ * \return         0 if successful and authenticated,
- * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ *                 MBEDTLS_ERR_GCM_AUTH_FAILED if tag does not match
 * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
 *                  not valid or a cipher-specific error code if the decryption
 *                  failed.
 */
 int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
                      size_t length,
@ -249,21 +144,16 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
                      unsigned char *output );
 /**
- * \brief           This function starts a GCM encryption or decryption
+ * \brief           Generic GCM stream start function
 *                  operation.
 *
- * \param ctx       The GCM context. This must be initialized.
+ * \param ctx       GCM context
- * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ * \param mode      MBEDTLS_GCM_ENCRYPT or MBEDTLS_GCM_DECRYPT
- *                  #MBEDTLS_GCM_DECRYPT.
+ * \param iv        initialization vector
- * \param iv        The initialization vector. This must be a readable buffer of
+ * \param iv_len    length of IV
- *                  at least \p iv_len Bytes.
+ * \param add       additional data (or NULL if length is 0)
- * \param iv_len    The length of the IV.
+ * \param add_len   length of additional data
 * \param add       The buffer holding the additional data, or \c NULL
 *                  if \p add_len is \c 0.
 * \param add_len   The length of the additional data. If \c 0,
 *                  \p add may be \c NULL.
 *
- * \return          \c 0 on success.
+ * \return         0 if successful
 */
 int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
                int mode,
@ -273,29 +163,21 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
                size_t add_len );
 /**
- * \brief           This function feeds an input buffer into an ongoing GCM
+ * \brief           Generic GCM update function. Encrypts/decrypts using the
- *                  encryption or decryption operation.
+ *                  given GCM context. Expects input to be a multiple of 16
 *                  bytes! Only the last call before mbedtls_gcm_finish() can be less
 *                  than 16 bytes!
 *
- *    `             The function expects input to be a multiple of 16
+ * \note On decryption, the output buffer cannot be the same as input buffer.
- *                  Bytes. Only the last call before calling
+ *       If buffers overlap, the output buffer must trail at least 8 bytes
- *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *       behind the input buffer.
 *
- * \note            For decryption, the output buffer cannot be the same as
+ * \param ctx       GCM context
- *                  input buffer. If the buffers overlap, the output buffer
+ * \param length    length of the input data
- *                  must trail at least 8 Bytes behind the input buffer.
+ * \param input     buffer holding the input data
 * \param output    buffer for holding the output data
 *
- * \param ctx       The GCM context. This must be initialized.
+ * \return         0 if successful or MBEDTLS_ERR_GCM_BAD_INPUT
 * \param length    The length of the input data. This must be a multiple of
 *                  16 except in the last call before mbedtls_gcm_finish().
 * \param input     The buffer holding the input data. If \p length is greater
 *                  than zero, this must be a readable buffer of at least that
 *                  size in Bytes.
 * \param output    The buffer for holding the output data. If \p length is
 *                  greater than zero, this must be a writable buffer of at
 *                  least that size in Bytes.
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
 */
 int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
                size_t length,
@ -303,49 +185,36 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
                unsigned char *output );
 /**
- * \brief           This function finishes the GCM operation and generates
+ * \brief           Generic GCM finalisation function. Wraps up the GCM stream
- *                  the authentication tag.
+ *                  and generates the tag. The tag can have a maximum length of
 *                  16 bytes.
 *
- *                  It wraps up the GCM stream, and generates the
+ * \param ctx       GCM context
- *                  tag. The tag can have a maximum length of 16 Bytes.
+ * \param tag       buffer for holding the tag
 * \param tag_len   length of the tag to generate (must be at least 4)
 *
- * \param ctx       The GCM context. This must be initialized.
+ * \return          0 if successful or MBEDTLS_ERR_GCM_BAD_INPUT
 * \param tag       The buffer for holding the tag. This must be a writable
 *                  buffer of at least \p tag_len Bytes.
 * \param tag_len   The length of the tag to generate. This must be at least
 *                  four.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
 */
 int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
                unsigned char *tag,
                size_t tag_len );
 /**
- * \brief           This function clears a GCM context and the underlying
+ * \brief           Free a GCM context and underlying cipher sub-context
 *                  cipher sub-context.
 *
- * \param ctx       The GCM context to clear. If this is \c NULL, the call has
+ * \param ctx       GCM context to free
 *                  no effect. Otherwise, this must be initialized.
 */
 void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
 #if defined(MBEDTLS_SELF_TEST)
 /**
- * \brief          The GCM checkup routine.
+ * \brief          Checkup routine
 *
- * \return         \c 0 on success.
+ * \return         0 if successful, or 1 if the test failed
 * \return         \c 1 on failure.
 */
 int mbedtls_gcm_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* gcm.h */
--- a/include/mbedtls/havege.h
+++ b/include/mbedtls/havege.h
@ -2,16 +2,9 @@
 * \file havege.h
 *
 * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_HAVEGE_H
 #define MBEDTLS_HAVEGE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
@ -66,7 +34,7 @@ extern "C" {
 /**
 * \brief          HAVEGE state structure
 */
-typedef struct mbedtls_havege_state
+typedef struct
 {
    int PT1, PT2, offset[2];
    int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
--- a/include/mbedtls/hkdf.h
+++ b/include/mbedtls/hkdf.h
@ -1,166 +0,0 @@
 /**
 * \file hkdf.h
 *
 * \brief   This file contains the HKDF interface.
 *
 *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
 *          specified by RFC 5869.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_HKDF_H
 #define MBEDTLS_HKDF_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "md.h"
 /**
 *  \name HKDF Error codes
 *  \{
 */
 #define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80  /**< Bad input parameters to function. */
 /* \} name */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
 *          (HKDF).
 *
 *  \param  md        A hash function; md.size denotes the length of the hash
 *                    function output in bytes.
 *  \param  salt      An optional salt value (a non-secret random value);
 *                    if the salt is not provided, a string of all zeros of
 *                    md.size length is used as the salt.
 *  \param  salt_len  The length in bytes of the optional \p salt.
 *  \param  ikm       The input keying material.
 *  \param  ikm_len   The length in bytes of \p ikm.
 *  \param  info      An optional context and application specific information
 *                    string. This can be a zero-length string.
 *  \param  info_len  The length of \p info in bytes.
 *  \param  okm       The output keying material of \p okm_len bytes.
 *  \param  okm_len   The length of the output keying material in bytes. This
 *                    must be less than or equal to 255 * md.size bytes.
 *
 *  \return 0 on success.
 *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
 *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
 *          MD layer.
 */
 int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
                  const unsigned char *info, size_t info_len,
                  unsigned char *okm, size_t okm_len );
 /**
 *  \brief  Take the input keying material \p ikm and extract from it a
 *          fixed-length pseudorandom key \p prk.
 *
 *  \warning    This function should only be used if the security of it has been
 *              studied and established in that particular context (eg. TLS 1.3
 *              key schedule). For standard HKDF security guarantees use
 *              \c mbedtls_hkdf instead.
 *
 *  \param       md        A hash function; md.size denotes the length of the
 *                         hash function output in bytes.
 *  \param       salt      An optional salt value (a non-secret random value);
 *                         if the salt is not provided, a string of all zeros
 *                         of md.size length is used as the salt.
 *  \param       salt_len  The length in bytes of the optional \p salt.
 *  \param       ikm       The input keying material.
 *  \param       ikm_len   The length in bytes of \p ikm.
 *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
 *
 *  \return 0 on success.
 *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
 *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
 *          MD layer.
 */
 int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
                          const unsigned char *salt, size_t salt_len,
                          const unsigned char *ikm, size_t ikm_len,
                          unsigned char *prk );
 /**
 *  \brief  Expand the supplied \p prk into several additional pseudorandom
 *          keys, which is the output of the HKDF.
 *
 *  \warning    This function should only be used if the security of it has been
 *              studied and established in that particular context (eg. TLS 1.3
 *              key schedule). For standard HKDF security guarantees use
 *              \c mbedtls_hkdf instead.
 *
 *  \param  md        A hash function; md.size denotes the length of the hash
 *                    function output in bytes.
 *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
 *                    usually the output from the HKDF extract step.
 *  \param  prk_len   The length in bytes of \p prk.
 *  \param  info      An optional context and application specific information
 *                    string. This can be a zero-length string.
 *  \param  info_len  The length of \p info in bytes.
 *  \param  okm       The output keying material of \p okm_len bytes.
 *  \param  okm_len   The length of the output keying material in bytes. This
 *                    must be less than or equal to 255 * md.size bytes.
 *
 *  \return 0 on success.
 *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
 *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
 *          MD layer.
 */
 int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
                         size_t prk_len, const unsigned char *info,
                         size_t info_len, unsigned char *okm, size_t okm_len );
 #ifdef __cplusplus
 }
 #endif
 #endif /* hkdf.h */
--- a/include/mbedtls/hmac_drbg.h
+++ b/include/mbedtls/hmac_drbg.h
@ -1,21 +1,10 @@
 /**
 * \file hmac_drbg.h
 *
- * \brief The HMAC_DRBG pseudorandom generator.
+ * \brief HMAC_DRBG (NIST SP 800-90A)
 *
- * This module implements the HMAC_DRBG pseudorandom generator described
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ *  SPDX-License-Identifier: Apache-2.0
 * Deterministic Random Bit Generators</em>.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,40 +18,15 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_HMAC_DRBG_H
 #define MBEDTLS_HMAC_DRBG_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "md.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "threading.h"
+#include "mbedtls/threading.h"
 #endif
 /*
@ -109,9 +73,9 @@ extern "C" {
 /**
 * HMAC_DRBG context.
 */
-typedef struct mbedtls_hmac_drbg_context
+typedef struct
 {
-    /* Working state: the key K is not stored explicitly,
+    /* Working state: the key K is not stored explicitely,
     * but is implied by the HMAC context */
    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
@ -128,99 +92,43 @@ typedef struct mbedtls_hmac_drbg_context
    void *p_entropy;            /*!< context for the entropy function        */
 #if defined(MBEDTLS_THREADING_C)
    /* Invariant: the mutex is initialized if and only if
     * md_ctx->md_info != NULL. This means that the mutex is initialized
     * during the initial seeding in mbedtls_hmac_drbg_seed() or
     * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
     *
     * Note that this invariant may change without notice. Do not rely on it
     * and do not access the mutex directly in application code.
     */
    mbedtls_threading_mutex_t mutex;
 #endif
 } mbedtls_hmac_drbg_context;
 /**
- * \brief               HMAC_DRBG context initialization.
+ * \brief               HMAC_DRBG context initialization
 *                      Makes the context ready for mbedtls_hmac_drbg_seed(),
 *                      mbedtls_hmac_drbg_seed_buf() or
 *                      mbedtls_hmac_drbg_free().
 *
- * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * \param ctx           HMAC_DRBG context to be initialized
 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
 *
 * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
 *                      by default. Override this value by calling
 *                      mbedtls_hmac_drbg_set_reseed_interval().
 *
 * \param ctx           HMAC_DRBG context to be initialized.
 */
 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
 /**
- * \brief               HMAC_DRBG initial seeding.
+ * \brief               HMAC_DRBG initial seeding
 *                      Seed and setup entropy source for future reseeds.
 *
- * Set the initial seed and set up the entropy source for future reseeds.
+ * \param ctx           HMAC_DRBG context to be seeded
 * \param md_info       MD algorithm to use for HMAC_DRBG
 * \param f_entropy     Entropy callback (p_entropy, buffer to fill, buffer
 *                      length)
 * \param p_entropy     Entropy context
 * \param custom        Personalization data (Device specific identifiers)
 *                      (Can be NULL)
 * \param len           Length of personalization data
 *
- * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * \note                The "security strength" as defined by NIST is set to:
- * to use the entropy module:
+ *                      128 bits if md_alg is SHA-1,
- * - \p f_entropy is mbedtls_entropy_func();
+ *                      192 bits if md_alg is SHA-224,
- * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *                      256 bits if md_alg is SHA-256 or higher.
 *   with mbedtls_entropy_init() (which registers the platform's default
 *   entropy sources).
 *
 * You can provide a personalization string in addition to the
 * entropy source, to make this instantiation as unique as possible.
 *
 * \note                By default, the security strength as defined by NIST is:
 *                      - 128 bits if \p md_info is SHA-1;
 *                      - 192 bits if \p md_info is SHA-224;
 *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
 *                      Note that SHA-256 is just as efficient as SHA-224.
 *                      The security strength can be reduced if a smaller
 *                      entropy length is set with
 *                      mbedtls_hmac_drbg_set_entropy_len().
 *
- * \note                The default entropy length is the security strength
+ * \return              0 if successful, or
- *                      (converted from bits to bytes). You can override
+ *                      MBEDTLS_ERR_MD_BAD_INPUT_DATA, or
- *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *                      MBEDTLS_ERR_MD_ALLOC_FAILED, or
- *
+ *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED.
 * \note                During the initial seeding, this function calls
 *                      the entropy source to obtain a nonce
 *                      whose length is half the entropy length.
 */
 #if defined(MBEDTLS_THREADING_C)
 /**
 * \note                When Mbed TLS is built with threading support,
 *                      after this function returns successfully,
 *                      it is safe to call mbedtls_hmac_drbg_random()
 *                      from multiple threads. Other operations, including
 *                      reseeding, are not thread-safe.
 */
 #endif /* MBEDTLS_THREADING_C */
 /**
 * \param ctx           HMAC_DRBG context to be seeded.
 * \param md_info       MD algorithm to use for HMAC_DRBG.
 * \param f_entropy     The entropy callback, taking as arguments the
 *                      \p p_entropy context, the buffer to fill, and the
 *                      length of the buffer.
 *                      \p f_entropy is always called with a length that is
 *                      less than or equal to the entropy length.
 * \param p_entropy     The entropy context to pass to \p f_entropy.
 * \param custom        The personalization string.
 *                      This can be \c NULL, in which case the personalization
 *                      string is empty regardless of the value of \p len.
 * \param len           The length of the personalization string.
 *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
 *                      and also at most
 *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
 *                      where \p entropy_len is the entropy length
 *                      described above.
 *
 * \return              \c 0 if successful.
 * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
 *                      invalid.
 * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
 *                      memory to allocate context data.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
 *                      if the call to \p f_entropy failed.
 */
 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
                    const mbedtls_md_info_t * md_info,
@ -231,156 +139,95 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
 /**
 * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
 *                      (For use with deterministic ECDSA.)
 *
- * This function is meant for use in algorithms that need a pseudorandom
+ * \param ctx           HMAC_DRBG context to be initialised
- * input such as deterministic ECDSA.
+ * \param md_info       MD algorithm to use for HMAC_DRBG
- */
+ * \param data          Concatenation of entropy string and additional data
-#if defined(MBEDTLS_THREADING_C)
+ * \param data_len      Length of data in bytes
 /**
 * \note                When Mbed TLS is built with threading support,
 *                      after this function returns successfully,
 *                      it is safe to call mbedtls_hmac_drbg_random()
 *                      from multiple threads. Other operations, including
 *                      reseeding, are not thread-safe.
 */
 #endif /* MBEDTLS_THREADING_C */
 /**
 * \param ctx           HMAC_DRBG context to be initialised.
 * \param md_info       MD algorithm to use for HMAC_DRBG.
 * \param data          Concatenation of the initial entropy string and
 *                      the additional data.
 * \param data_len      Length of \p data in bytes.
 *
- * \return              \c 0 if successful. or
+ * \return              0 if successful, or
- * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      MBEDTLS_ERR_MD_BAD_INPUT_DATA, or
- *                      invalid.
+ *                      MBEDTLS_ERR_MD_ALLOC_FAILED.
 * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
 *                      memory to allocate context data.
 */
 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
                        const mbedtls_md_info_t * md_info,
                        const unsigned char *data, size_t data_len );
 /**
- * \brief               This function turns prediction resistance on or off.
+ * \brief               Enable / disable prediction resistance (Default: Off)
 *                      The default value is off.
 *
- * \note                If enabled, entropy is gathered at the beginning of
+ * Note: If enabled, entropy is used for ctx->entropy_len before each call!
- *                      every call to mbedtls_hmac_drbg_random_with_add()
+ *       Only use this if you have ample supply of good entropy!
 *                      or mbedtls_hmac_drbg_random().
 *                      Only use this if your entropy source has sufficient
 *                      throughput.
 *
- * \param ctx           The HMAC_DRBG context.
+ * \param ctx           HMAC_DRBG context
- * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ * \param resistance    MBEDTLS_HMAC_DRBG_PR_ON or MBEDTLS_HMAC_DRBG_PR_OFF
 */
 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
                                          int resistance );
 /**
- * \brief               This function sets the amount of entropy grabbed on each
+ * \brief               Set the amount of entropy grabbed on each reseed
- *                      seed or reseed.
+ *                      (Default: given by the security strength, which
 *                      depends on the hash used, see \c mbedtls_hmac_drbg_init() )
 *
- * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ * \param ctx           HMAC_DRBG context
- *
+ * \param len           Amount of entropy to grab, in bytes
 * \param ctx           The HMAC_DRBG context.
 * \param len           The amount of entropy to grab, in bytes.
 */
 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
                                size_t len );
 /**
- * \brief               Set the reseed interval.
+ * \brief               Set the reseed interval
 *                      (Default: MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
 *
- * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * \param ctx           HMAC_DRBG context
- * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * \param interval      Reseed interval
 * is called again.
 *
 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
 *
 * \param ctx           The HMAC_DRBG context.
 * \param interval      The reseed interval.
 */
 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
                                    int interval );
 /**
- * \brief               This function updates the state of the HMAC_DRBG context.
+ * \brief               HMAC_DRBG update state
 *
- * \note                This function is not thread-safe. It is not safe
+ * \param ctx           HMAC_DRBG context
- *                      to call this function if another thread might be
+ * \param additional    Additional data to update state with, or NULL
- *                      concurrently obtaining random numbers from the same
+ * \param add_len       Length of additional data, or 0
 *                      context or updating or reseeding the same context.
 *
- * \param ctx           The HMAC_DRBG context.
+ * \note                Additional data is optional, pass NULL and 0 as second
- * \param additional    The data to update the state with.
+ *                      third argument if no additional data is being used.
 *                      If this is \c NULL, there is no additional data.
 * \param add_len       Length of \p additional in bytes.
 *                      Unused if \p additional is \c NULL.
 *
 * \return              \c 0 on success, or an error from the underlying
 *                      hash calculation.
 */
-int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
                       const unsigned char *additional, size_t add_len );
 /**
- * \brief               This function reseeds the HMAC_DRBG context, that is
+ * \brief               HMAC_DRBG reseeding (extracts data from entropy source)
 *                      extracts data from the entropy source.
 *
- * \note                This function is not thread-safe. It is not safe
+ * \param ctx           HMAC_DRBG context
- *                      to call this function if another thread might be
+ * \param additional    Additional data to add to state (Can be NULL)
- *                      concurrently obtaining random numbers from the same
+ * \param len           Length of additional data
 *                      context or updating or reseeding the same context.
 *
- * \param ctx           The HMAC_DRBG context.
+ * \return              0 if successful, or
- * \param additional    Additional data to add to the state.
+ *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
 *                      If this is \c NULL, there is no additional data
 *                      and \p len should be \c 0.
 * \param len           The length of the additional data.
 *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
 *                      and also at most
 *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
 *                      where \p entropy_len is the entropy length
 *                      (see mbedtls_hmac_drbg_set_entropy_len()).
 *
 * \return              \c 0 if successful.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
 *                      if a call to the entropy function failed.
 */
 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
                      const unsigned char *additional, size_t len );
 /**
- * \brief   This function updates an HMAC_DRBG instance with additional
+ * \brief               HMAC_DRBG generate random with additional update input
 *          data and uses it to generate random data.
 *
- * This function automatically reseeds if the reseed counter is exceeded
+ * Note: Automatically reseeds if reseed_counter is reached or PR is enabled.
 * or prediction resistance is enabled.
 *
- * \note                This function is not thread-safe. It is not safe
+ * \param p_rng         HMAC_DRBG context
- *                      to call this function if another thread might be
+ * \param output        Buffer to fill
- *                      concurrently obtaining random numbers from the same
+ * \param output_len    Length of the buffer
- *                      context or updating or reseeding the same context.
+ * \param additional    Additional data to update with (can be NULL)
 * \param add_len       Length of additional data (can be 0)
 *
- * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ * \return              0 if successful, or
- *                      #mbedtls_hmac_drbg_context structure.
+ *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
- * \param output        The buffer to fill.
+ *                      MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG, or
- * \param output_len    The length of the buffer in bytes.
+ *                      MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG.
 *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
 * \param additional    Additional data to update with.
 *                      If this is \c NULL, there is no additional data
 *                      and \p add_len should be \c 0.
 * \param add_len       The length of the additional data.
 *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
 *
 * \return              \c 0 if successful.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
 *                      if a call to the entropy source failed.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
 *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
 *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
 */
 int mbedtls_hmac_drbg_random_with_add( void *p_rng,
                               unsigned char *output, size_t output_len,
@ -388,93 +235,49 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
                               size_t add_len );
 /**
- * \brief   This function uses HMAC_DRBG to generate random data.
+ * \brief               HMAC_DRBG generate random
 *
- * This function automatically reseeds if the reseed counter is exceeded
+ * Note: Automatically reseeds if reseed_counter is reached or PR is enabled.
 * or prediction resistance is enabled.
 */
 #if defined(MBEDTLS_THREADING_C)
 /**
 * \note                When Mbed TLS is built with threading support,
 *                      it is safe to call mbedtls_ctr_drbg_random()
 *                      from multiple threads. Other operations, including
 *                      reseeding, are not thread-safe.
 */
 #endif /* MBEDTLS_THREADING_C */
 /**
 * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
 *                      #mbedtls_hmac_drbg_context structure.
 * \param output        The buffer to fill.
 * \param out_len       The length of the buffer in bytes.
 *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
 *
- * \return              \c 0 if successful.
+ * \param p_rng         HMAC_DRBG context
- * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ * \param output        Buffer to fill
- *                      if a call to the entropy source failed.
+ * \param out_len       Length of the buffer
- * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *
- *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return              0 if successful, or
 *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
 *                      MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
 */
 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
 /**
- * \brief               This function resets HMAC_DRBG context to the state immediately
+ * \brief               Free an HMAC_DRBG context
 *                      after initial call of mbedtls_hmac_drbg_init().
 *
- * \param ctx           The HMAC_DRBG context to free.
+ * \param ctx           HMAC_DRBG context to free.
 */
 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED    __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief               This function updates the state of the HMAC_DRBG context.
 *
 * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
 *                      in 2.16.0.
 *
 * \param ctx           The HMAC_DRBG context.
 * \param additional    The data to update the state with.
 *                      If this is \c NULL, there is no additional data.
 * \param add_len       Length of \p additional in bytes.
 *                      Unused if \p additional is \c NULL.
 */
 MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
    mbedtls_hmac_drbg_context *ctx,
    const unsigned char *additional, size_t add_len );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_FS_IO)
 /**
- * \brief               This function writes a seed file.
+ * \brief               Write a seed file
 *
- * \param ctx           The HMAC_DRBG context.
+ * \param ctx           HMAC_DRBG context
- * \param path          The name of the file.
+ * \param path          Name of the file
 *
- * \return              \c 0 on success.
+ * \return              0 if successful, 1 on file error, or
- * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
 * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
 *                      failure.
 */
 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
 /**
- * \brief               This function reads and updates a seed file. The seed
+ * \brief               Read and update a seed file. Seed is added to this
- *                      is added to this instance.
+ *                      instance
 *
- * \param ctx           The HMAC_DRBG context.
+ * \param ctx           HMAC_DRBG context
- * \param path          The name of the file.
+ * \param path          Name of the file
 *
- * \return              \c 0 on success.
+ * \return              0 if successful, 1 on file error,
- * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ *                      MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED or
- * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
 *                      reseed failure.
 * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
 *                      seed file is too large.
 */
 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
 #endif /* MBEDTLS_FS_IO */
@ -482,10 +285,9 @@ int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const ch
 #if defined(MBEDTLS_SELF_TEST)
 /**
- * \brief               The HMAC_DRBG Checkup routine.
+ * \brief               Checkup routine
 *
- * \return              \c 0 if successful.
+ * \return              0 if successful, or 1 if the test failed
 * \return              \c 1 if the test failed.
 */
 int mbedtls_hmac_drbg_self_test( int verbose );
 #endif
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@ -1,19 +1,12 @@
- /**
+/**
 * \file md.h
 *
- * \brief This file contains the generic message-digest wrapper.
+ * \brief Generic message digest wrapper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -27,70 +20,33 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_MD_H
 #define MBEDTLS_MD_H
 #include <stddef.h>
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
 #define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
 #define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
 /* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief     Supported message digests.
 *
 * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
 *            their use constitutes a security risk. We recommend considering
 *            stronger message digests instead.
 *
 */
 typedef enum {
-    MBEDTLS_MD_NONE=0,    /**< None. */
+    MBEDTLS_MD_NONE=0,
-    MBEDTLS_MD_MD2,       /**< The MD2 message digest. */
+    MBEDTLS_MD_MD2,
-    MBEDTLS_MD_MD4,       /**< The MD4 message digest. */
+    MBEDTLS_MD_MD4,
-    MBEDTLS_MD_MD5,       /**< The MD5 message digest. */
+    MBEDTLS_MD_MD5,
-    MBEDTLS_MD_SHA1,      /**< The SHA-1 message digest. */
+    MBEDTLS_MD_SHA1,
-    MBEDTLS_MD_SHA224,    /**< The SHA-224 message digest. */
+    MBEDTLS_MD_SHA224,
-    MBEDTLS_MD_SHA256,    /**< The SHA-256 message digest. */
+    MBEDTLS_MD_SHA256,
-    MBEDTLS_MD_SHA384,    /**< The SHA-384 message digest. */
+    MBEDTLS_MD_SHA384,
-    MBEDTLS_MD_SHA512,    /**< The SHA-512 message digest. */
+    MBEDTLS_MD_SHA512,
-    MBEDTLS_MD_RIPEMD160, /**< The RIPEMD-160 message digest. */
+    MBEDTLS_MD_RIPEMD160,
 } mbedtls_md_type_t;
 #if defined(MBEDTLS_SHA512_C)
@ -100,82 +56,65 @@ typedef enum {
 #endif
 /**
- * Opaque struct defined in md_internal.h.
+ * Opaque struct defined in md_internal.h
 */
 typedef struct mbedtls_md_info_t mbedtls_md_info_t;
 /**
- * The generic message-digest context.
+ * Generic message digest context.
 */
-typedef struct mbedtls_md_context_t
+typedef struct {
-{
+    /** Information about the associated message digest */
    /** Information about the associated message digest. */
    const mbedtls_md_info_t *md_info;
-    /** The digest-specific context. */
+    /** Digest-specific context */
    void *md_ctx;
-    /** The HMAC part of the context. */
+    /** HMAC part of the context */
    void *hmac_ctx;
 } mbedtls_md_context_t;
 /**
- * \brief           This function returns the list of digests supported by the
+ * \brief Returns the list of digests supported by the generic digest module.
 *                  generic digest module.
 *
- * \note            The list starts with the strongest available hashes.
+ * \return          a statically allocated array of digests, the last entry
- *
+ *                  is 0.
 * \return          A statically allocated array of digests. Each element
 *                  in the returned list is an integer belonging to the
 *                  message-digest enumeration #mbedtls_md_type_t.
 *                  The last entry is 0.
 */
 const int *mbedtls_md_list( void );
 /**
- * \brief           This function returns the message-digest information
+ * \brief           Returns the message digest information associated with the
- *                  associated with the given digest name.
+ *                  given digest name.
 *
- * \param md_name   The name of the digest to search for.
+ * \param md_name   Name of the digest to search for.
 *
- * \return          The message-digest information associated with \p md_name.
+ * \return          The message digest information associated with md_name or
- * \return          NULL if the associated message-digest information is not found.
+ *                  NULL if not found.
 */
 const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
 /**
- * \brief           This function returns the message-digest information
+ * \brief           Returns the message digest information associated with the
- *                  associated with the given digest type.
+ *                  given digest type.
 *
- * \param md_type   The type of digest to search for.
+ * \param md_type   type of digest to search for.
 *
- * \return          The message-digest information associated with \p md_type.
+ * \return          The message digest information associated with md_type or
- * \return          NULL if the associated message-digest information is not found.
+ *                  NULL if not found.
 */
 const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type );
 /**
- * \brief           This function initializes a message-digest context without
+ * \brief           Initialize a md_context (as NONE)
- *                  binding it to a particular message-digest algorithm.
+ *                  This should always be called first.
- *
+ *                  Prepares the context for mbedtls_md_setup() or mbedtls_md_free().
 *                  This function should always be called first. It prepares the
 *                  context for mbedtls_md_setup() for binding it to a
 *                  message-digest algorithm.
 */
 void mbedtls_md_init( mbedtls_md_context_t *ctx );
 /**
- * \brief           This function clears the internal structure of \p ctx and
+ * \brief           Free and clear the internal structures of ctx.
- *                  frees any embedded internal structure, but does not free
+ *                  Can be called at any time after mbedtls_md_init().
- *                  \p ctx itself.
+ *                  Mandatory once mbedtls_md_setup() has been called.
 *
 *                  If you have called mbedtls_md_setup() on \p ctx, you must
 *                  call mbedtls_md_free() when you are no longer using the
 *                  context.
 *                  Calling this function if you have previously
 *                  called mbedtls_md_init() and nothing else is optional.
 *                  You must not call this function if you have not called
 *                  mbedtls_md_init().
 */
 void mbedtls_md_free( mbedtls_md_context_t *ctx );
@ -186,300 +125,220 @@ void mbedtls_md_free( mbedtls_md_context_t *ctx );
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief           This function selects the message digest algorithm to use,
+ * \brief           Select MD to use and allocate internal structures.
- *                  and allocates internal structures.
+ *                  Should be called after mbedtls_md_init() or mbedtls_md_free().
 *
 *                  It should be called after mbedtls_md_init() or mbedtls_md_free().
 *                  Makes it necessary to call mbedtls_md_free() later.
 *
 * \deprecated      Superseded by mbedtls_md_setup() in 2.0.0
 *
- * \param ctx       The context to set up.
+ * \param ctx       Context to set up.
- * \param md_info   The information structure of the message-digest algorithm
+ * \param md_info   Message digest to use.
 *                  to use.
 *
- * \return          \c 0 on success.
+ * \returns         \c 0 on success,
- * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure,
- *                  failure.
+ *                  \c MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure.
 * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
 */
 int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED;
 #undef MBEDTLS_DEPRECATED
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 /**
- * \brief           This function selects the message digest algorithm to use,
+ * \brief           Select MD to use and allocate internal structures.
- *                  and allocates internal structures.
+ *                  Should be called after mbedtls_md_init() or mbedtls_md_free().
 *                  Makes it necessary to call mbedtls_md_free() later.
 *
- *                  It should be called after mbedtls_md_init() or
+ * \param ctx       Context to set up.
- *                  mbedtls_md_free(). Makes it necessary to call
+ * \param md_info   Message digest to use.
- *                  mbedtls_md_free() later.
+ * \param hmac      0 to save some memory if HMAC will not be used,
 *                  non-zero is HMAC is going to be used with this context.
 *
- * \param ctx       The context to set up.
+ * \returns         \c 0 on success,
- * \param md_info   The information structure of the message-digest algorithm
+ *                  \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure,
- *                  to use.
+ *                  \c MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure.
 * \param hmac      Defines if HMAC is used. 0: HMAC is not used (saves some memory),
 *                  or non-zero: HMAC is used with this context.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
 */
 int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac );
 /**
- * \brief           This function clones the state of an message-digest
+ * \brief           Clone the state of an MD context
 *                  context.
 *
- * \note            You must call mbedtls_md_setup() on \c dst before calling
+ * \note            The two contexts must have been setup to the same type
- *                  this function.
+ *                  (cloning from SHA-256 to SHA-512 make no sense).
 *
- * \note            The two contexts must have the same type,
+ * \warning         Only clones the MD state, not the HMAC state! (for now)
 *                  for example, both are SHA-256.
 *
- * \warning         This function clones the message-digest state, not the
+ * \param dst       The destination context
- *                  HMAC state.
+ * \param src       The context to be cloned
 *
- * \param dst       The destination context.
+ * \return          \c 0 on success,
- * \param src       The context to be cloned.
+ *                  \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
 */
 int mbedtls_md_clone( mbedtls_md_context_t *dst,
                      const mbedtls_md_context_t *src );
 /**
- * \brief           This function extracts the message-digest size from the
+ * \brief           Returns the size of the message digest output.
 *                  message-digest information structure.
 *
- * \param md_info   The information structure of the message-digest algorithm
+ * \param md_info   message digest info
 *                  to use.
 *
- * \return          The size of the message-digest output in Bytes.
+ * \return          size of the message digest output in bytes.
 */
 unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info );
 /**
- * \brief           This function extracts the message-digest type from the
+ * \brief           Returns the type of the message digest output.
 *                  message-digest information structure.
 *
- * \param md_info   The information structure of the message-digest algorithm
+ * \param md_info   message digest info
 *                  to use.
 *
- * \return          The type of the message digest.
+ * \return          type of the message digest output.
 */
 mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info );
 /**
- * \brief           This function extracts the message-digest name from the
+ * \brief           Returns the name of the message digest output.
 *                  message-digest information structure.
 *
- * \param md_info   The information structure of the message-digest algorithm
+ * \param md_info   message digest info
 *                  to use.
 *
- * \return          The name of the message digest.
+ * \return          name of the message digest output.
 */
 const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info );
 /**
- * \brief           This function starts a message-digest computation.
+ * \brief           Prepare the context to digest a new message.
 *                  Generally called after mbedtls_md_setup() or mbedtls_md_finish().
 *                  Followed by mbedtls_md_update().
 *
- *                  You must call this function after setting up the context
+ * \param ctx       generic message digest context.
 *                  with mbedtls_md_setup(), and before passing data with
 *                  mbedtls_md_update().
 *
- * \param ctx       The generic message-digest context.
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *
+ *                  verification fails.
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_starts( mbedtls_md_context_t *ctx );
 /**
- * \brief           This function feeds an input buffer into an ongoing
+ * \brief           Generic message digest process buffer
- *                  message-digest computation.
+ *                  Called between mbedtls_md_starts() and mbedtls_md_finish().
 *                  May be called repeatedly.
 *
- *                  You must call mbedtls_md_starts() before calling this
+ * \param ctx       Generic message digest context
- *                  function. You may call this function multiple times.
+ * \param input     buffer holding the  datal
- *                  Afterwards, call mbedtls_md_finish().
+ * \param ilen      length of the input data
 *
- * \param ctx       The generic message-digest context.
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- * \param input     The buffer holding the input data.
+ *                  verification fails.
 * \param ilen      The length of the input data.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen );
 /**
- * \brief           This function finishes the digest operation,
+ * \brief           Generic message digest final digest
- *                  and writes the result to the output buffer.
+ *                  Called after mbedtls_md_update().
 *                  Usually followed by mbedtls_md_free() or mbedtls_md_starts().
 *
- *                  Call this function after a call to mbedtls_md_starts(),
+ * \param ctx       Generic message digest context
- *                  followed by any number of calls to mbedtls_md_update().
+ * \param output    Generic message digest checksum result
 *                  Afterwards, you may either clear the context with
 *                  mbedtls_md_free(), or call mbedtls_md_starts() to reuse
 *                  the context for another digest operation with the same
 *                  algorithm.
 *
- * \param ctx       The generic message-digest context.
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- * \param output    The buffer for the generic message-digest checksum result.
+ *                  verification fails.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
 /**
- * \brief          This function calculates the message-digest of a buffer,
+ * \brief          Output = message_digest( input buffer )
 *                 with respect to a configurable message-digest algorithm
 *                 in a single call.
 *
- *                 The result is calculated as
+ * \param md_info  message digest info
- *                 Output = message_digest(input buffer).
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   Generic message digest checksum result
 *
- * \param md_info  The information structure of the message-digest algorithm
+ * \returns        0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                 to use.
+ *                 verification fails.
 * \param input    The buffer holding the data.
 * \param ilen     The length of the input data.
 * \param output   The generic message-digest checksum result.
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                 failure.
 */
 int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
        unsigned char *output );
 #if defined(MBEDTLS_FS_IO)
 /**
- * \brief          This function calculates the message-digest checksum
+ * \brief          Output = message_digest( file contents )
 *                 result of the contents of the provided file.
 *
- *                 The result is calculated as
+ * \param md_info  message digest info
- *                 Output = message_digest(file contents).
+ * \param path     input file name
 * \param output   generic message digest checksum result
 *
- * \param md_info  The information structure of the message-digest algorithm
+ * \return         0 if successful,
- *                 to use.
+ *                 MBEDTLS_ERR_MD_FILE_IO_ERROR if file input failed,
- * \param path     The input file name.
+ *                 MBEDTLS_ERR_MD_BAD_INPUT_DATA if md_info was NULL.
 * \param output   The generic message-digest checksum result.
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
 *                 the file pointed by \p path.
 * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
 */
 int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
                     unsigned char *output );
 #endif /* MBEDTLS_FS_IO */
 /**
- * \brief           This function sets the HMAC key and prepares to
+ * \brief           Set HMAC key and prepare to authenticate a new message.
- *                  authenticate a new message.
+ *                  Usually called after mbedtls_md_setup() or mbedtls_md_hmac_finish().
 *
- *                  Call this function after mbedtls_md_setup(), to use
+ * \param ctx       HMAC context
- *                  the MD context for an HMAC calculation, then call
+ * \param key       HMAC secret key
- *                  mbedtls_md_hmac_update() to provide the input data, and
+ * \param keylen    length of the HMAC key in bytes
 *                  mbedtls_md_hmac_finish() to get the HMAC value.
 *
- * \param ctx       The message digest context containing an embedded HMAC
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                  context.
+ *                  verification fails.
 * \param key       The HMAC secret key.
 * \param keylen    The length of the HMAC key in Bytes.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
                    size_t keylen );
 /**
- * \brief           This function feeds an input buffer into an ongoing HMAC
+ * \brief           Generic HMAC process buffer.
- *                  computation.
+ *                  Called between mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
 *                  and mbedtls_md_hmac_finish().
 *                  May be called repeatedly.
 *
- *                  Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
+ * \param ctx       HMAC context
- *                  before calling this function.
+ * \param input     buffer holding the  data
- *                  You may call this function multiple times to pass the
+ * \param ilen      length of the input data
 *                  input piecewise.
 *                  Afterwards, call mbedtls_md_hmac_finish().
 *
- * \param ctx       The message digest context containing an embedded HMAC
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                  context.
+ *                  verification fails.
 * \param input     The buffer holding the input data.
 * \param ilen      The length of the input data.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input,
                    size_t ilen );
 /**
- * \brief           This function finishes the HMAC operation, and writes
+ * \brief           Output HMAC.
- *                  the result to the output buffer.
+ *                  Called after mbedtls_md_hmac_update().
 *                  Usually followed by mbedtls_md_hmac_reset(),
 *                  mbedtls_md_hmac_starts(), or mbedtls_md_free().
 *
- *                  Call this function after mbedtls_md_hmac_starts() and
+ * \param ctx       HMAC context
- *                  mbedtls_md_hmac_update() to get the HMAC value. Afterwards
+ * \param output    Generic HMAC checksum result
 *                  you may either call mbedtls_md_free() to clear the context,
 *                  or call mbedtls_md_hmac_reset() to reuse the context with
 *                  the same HMAC key.
 *
- * \param ctx       The message digest context containing an embedded HMAC
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                  context.
+ *                  verification fails.
 * \param output    The generic HMAC checksum result.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
 /**
- * \brief           This function prepares to authenticate a new message with
+ * \brief           Prepare to authenticate a new message with the same key.
- *                  the same key as the previous HMAC operation.
+ *                  Called after mbedtls_md_hmac_finish() and before
 *                  mbedtls_md_hmac_update().
 *
- *                  You may call this function after mbedtls_md_hmac_finish().
+ * \param ctx       HMAC context to be reset
 *                  Afterwards call mbedtls_md_hmac_update() to pass the new
 *                  input.
 *
- * \param ctx       The message digest context containing an embedded HMAC
+ * \returns         0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                  context.
+ *                  verification fails.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                  failure.
 */
 int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
 /**
- * \brief          This function calculates the full generic HMAC
+ * \brief          Output = Generic_HMAC( hmac key, input buffer )
 *                 on the input buffer with the provided key.
 *
- *                 The function allocates the context, performs the
+ * \param md_info  message digest info
- *                 calculation, and frees the context.
+ * \param key      HMAC secret key
 * \param keylen   length of the HMAC key in bytes
 * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   Generic HMAC-result
 *
- *                 The HMAC result is calculated as
+ * \returns        0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
- *                 output = generic HMAC(hmac key, input buffer).
+ *                 verification fails.
 *
 * \param md_info  The information structure of the message-digest algorithm
 *                 to use.
 * \param key      The HMAC secret key.
 * \param keylen   The length of the HMAC secret key in Bytes.
 * \param input    The buffer holding the input data.
 * \param ilen     The length of the input data.
 * \param output   The generic HMAC result.
 *
 * \return         \c 0 on success.
 * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
 *                 failure.
 */
 int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
                const unsigned char *input, size_t ilen,
--- a/include/mbedtls/md2.h
+++ b/include/mbedtls/md2.h
@ -3,19 +3,8 @@
 *
 * \brief MD2 message digest algorithm (hash function)
 *
- * \warning MD2 is considered a weak message digest and its use constitutes a
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          security risk. We recommend considering stronger message digests
+ *  SPDX-License-Identifier: Apache-2.0
 *          instead.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,27 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 *
 */
 #ifndef MBEDTLS_MD2_H
 #define MBEDTLS_MD2_H
@ -62,26 +31,18 @@
 #include <stddef.h>
-/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
+#if !defined(MBEDTLS_MD2_ALT)
-#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
+// Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_MD2_ALT)
 // Regular implementation
 //
 /**
 * \brief          MD2 context structure
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-typedef struct mbedtls_md2_context
+typedef struct
 {
    unsigned char cksum[16];    /*!< checksum of the data block */
    unsigned char state[48];    /*!< intermediate digest state  */
@ -90,19 +51,10 @@ typedef struct mbedtls_md2_context
 }
 mbedtls_md2_context;
 #else  /* MBEDTLS_MD2_ALT */
 #include "md2_alt.h"
 #endif /* MBEDTLS_MD2_ALT */
 /**
 * \brief          Initialize MD2 context
 *
 * \param ctx      MD2 context to be initialized
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md2_init( mbedtls_md2_context *ctx );
@ -110,11 +62,6 @@ void mbedtls_md2_init( mbedtls_md2_context *ctx );
 * \brief          Clear MD2 context
 *
 * \param ctx      MD2 context to be cleared
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md2_free( mbedtls_md2_context *ctx );
@ -123,11 +70,6 @@ void mbedtls_md2_free( mbedtls_md2_context *ctx );
 *
 * \param dst      The destination context
 * \param src      The context to be cloned
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md2_clone( mbedtls_md2_context *dst,
                        const mbedtls_md2_context *src );
@ -136,193 +78,56 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst,
 * \brief          MD2 context setup
 *
 * \param ctx      context to be initialized
 *
 * \return         0 if successful
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
+void mbedtls_md2_starts( mbedtls_md2_context *ctx );
 /**
 * \brief          MD2 process buffer
 *
 * \param ctx      MD2 context
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 *
 * \return         0 if successful
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, size_t ilen );
                            const unsigned char *input,
                            size_t ilen );
 /**
 * \brief          MD2 final digest
 *
 * \param ctx      MD2 context
 * \param output   MD2 checksum result
 *
 * \return         0 if successful
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] );
                            unsigned char output[16] );
-/**
+#ifdef __cplusplus
- * \brief          MD2 process data block (internal use only)
+}
 *
 * \param ctx      MD2 context
 *
 * \return         0 if successful
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          MD2 context setup
 *
 * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
 *
 * \param ctx      context to be initialized
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md2_starts( mbedtls_md2_context *ctx );
-/**
+#else  /* MBEDTLS_MD2_ALT */
- * \brief          MD2 process buffer
+#include "md2_alt.h"
- *
+#endif /* MBEDTLS_MD2_ALT */
 * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
 *
 * \param ctx      MD2 context
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md2_update( mbedtls_md2_context *ctx,
                                            const unsigned char *input,
                                            size_t ilen );
-/**
+#ifdef __cplusplus
- * \brief          MD2 final digest
+extern "C" {
- *
+#endif
 * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
 *
 * \param ctx      MD2 context
 * \param output   MD2 checksum result
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md2_finish( mbedtls_md2_context *ctx,
                                            unsigned char output[16] );
 /**
 * \brief          MD2 process data block (internal use only)
 *
 * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
 *
 * \param ctx      MD2 context
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md2_process( mbedtls_md2_context *ctx );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /**
 * \brief          Output = MD2( input buffer )
 *
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   MD2 checksum result
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md2_ret( const unsigned char *input,
+void mbedtls_md2( const unsigned char *input, size_t ilen, unsigned char output[16] );
                     size_t ilen,
                     unsigned char output[16] );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          Output = MD2( input buffer )
 *
 * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
 *
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 * \param output   MD2 checksum result
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[16] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 *
 * \warning        MD2 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_md2_self_test( int verbose );
-#endif /* MBEDTLS_SELF_TEST */
+/* Internal use */
 void mbedtls_md2_process( mbedtls_md2_context *ctx );
 #ifdef __cplusplus
 }
--- a/include/mbedtls/md4.h
+++ b/include/mbedtls/md4.h
@ -3,19 +3,8 @@
 *
 * \brief MD4 message digest algorithm (hash function)
 *
- * \warning MD4 is considered a weak message digest and its use constitutes a
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          security risk. We recommend considering stronger message digests
+ *  SPDX-License-Identifier: Apache-2.0
 *          instead.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,27 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 *
 */
 #ifndef MBEDTLS_MD4_H
 #define MBEDTLS_MD4_H
@ -63,26 +32,18 @@
 #include <stddef.h>
 #include <stdint.h>
-/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#if !defined(MBEDTLS_MD4_ALT)
-#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
+// Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_MD4_ALT)
 // Regular implementation
 //
 /**
 * \brief          MD4 context structure
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-typedef struct mbedtls_md4_context
+typedef struct
 {
    uint32_t total[2];          /*!< number of bytes processed  */
    uint32_t state[4];          /*!< intermediate digest state  */
@ -90,19 +51,10 @@ typedef struct mbedtls_md4_context
 }
 mbedtls_md4_context;
 #else  /* MBEDTLS_MD4_ALT */
 #include "md4_alt.h"
 #endif /* MBEDTLS_MD4_ALT */
 /**
 * \brief          Initialize MD4 context
 *
 * \param ctx      MD4 context to be initialized
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md4_init( mbedtls_md4_context *ctx );
@ -110,11 +62,6 @@ void mbedtls_md4_init( mbedtls_md4_context *ctx );
 * \brief          Clear MD4 context
 *
 * \param ctx      MD4 context to be cleared
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md4_free( mbedtls_md4_context *ctx );
@ -123,11 +70,6 @@ void mbedtls_md4_free( mbedtls_md4_context *ctx );
 *
 * \param dst      The destination context
 * \param src      The context to be cloned
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md4_clone( mbedtls_md4_context *dst,
                        const mbedtls_md4_context *src );
@ -136,198 +78,56 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst,
 * \brief          MD4 context setup
 *
 * \param ctx      context to be initialized
 *
 * \return         0 if successful
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 */
-int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx );
+void mbedtls_md4_starts( mbedtls_md4_context *ctx );
 /**
 * \brief          MD4 process buffer
 *
 * \param ctx      MD4 context
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 *
 * \return         0 if successful
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, size_t ilen );
                            const unsigned char *input,
                            size_t ilen );
 /**
 * \brief          MD4 final digest
 *
 * \param ctx      MD4 context
 * \param output   MD4 checksum result
 *
 * \return         0 if successful
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] );
                            unsigned char output[16] );
-/**
+#ifdef __cplusplus
- * \brief          MD4 process data block (internal use only)
+}
 *
 * \param ctx      MD4 context
 * \param data     buffer holding one block of data
 *
 * \return         0 if successful
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
                                  const unsigned char data[64] );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          MD4 context setup
 *
 * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
 *
 * \param ctx      context to be initialized
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md4_starts( mbedtls_md4_context *ctx );
-/**
+#else  /* MBEDTLS_MD4_ALT */
- * \brief          MD4 process buffer
+#include "md4_alt.h"
- *
+#endif /* MBEDTLS_MD4_ALT */
 * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
 *
 * \param ctx      MD4 context
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md4_update( mbedtls_md4_context *ctx,
                                            const unsigned char *input,
                                            size_t ilen );
-/**
+#ifdef __cplusplus
- * \brief          MD4 final digest
+extern "C" {
- *
+#endif
 * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
 *
 * \param ctx      MD4 context
 * \param output   MD4 checksum result
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md4_finish( mbedtls_md4_context *ctx,
                                            unsigned char output[16] );
 /**
 * \brief          MD4 process data block (internal use only)
 *
 * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
 *
 * \param ctx      MD4 context
 * \param data     buffer holding one block of data
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md4_process( mbedtls_md4_context *ctx,
                                             const unsigned char data[64] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /**
 * \brief          Output = MD4( input buffer )
 *
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   MD4 checksum result
 *
 * \return         0 if successful
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md4_ret( const unsigned char *input,
+void mbedtls_md4( const unsigned char *input, size_t ilen, unsigned char output[16] );
                     size_t ilen,
                     unsigned char output[16] );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          Output = MD4( input buffer )
 *
 * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
 *
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 * \param output   MD4 checksum result
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[16] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 *
 * \warning        MD4 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_md4_self_test( int verbose );
-#endif /* MBEDTLS_SELF_TEST */
+/* Internal use */
 void mbedtls_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] );
 #ifdef __cplusplus
 }
--- a/include/mbedtls/md5.h
+++ b/include/mbedtls/md5.h
@ -3,19 +3,8 @@
 *
 * \brief MD5 message digest algorithm (hash function)
 *
- * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *            security risk. We recommend considering stronger message
+ *  SPDX-License-Identifier: Apache-2.0
 *            digests instead.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_MD5_H
 #define MBEDTLS_MD5_H
@ -62,26 +32,18 @@
 #include <stddef.h>
 #include <stdint.h>
-/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
+#if !defined(MBEDTLS_MD5_ALT)
-#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
+// Regular implementation
 //
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_MD5_ALT)
 // Regular implementation
 //
 /**
 * \brief          MD5 context structure
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-typedef struct mbedtls_md5_context
+typedef struct
 {
    uint32_t total[2];          /*!< number of bytes processed  */
    uint32_t state[4];          /*!< intermediate digest state  */
@ -89,19 +51,10 @@ typedef struct mbedtls_md5_context
 }
 mbedtls_md5_context;
 #else  /* MBEDTLS_MD5_ALT */
 #include "md5_alt.h"
 #endif /* MBEDTLS_MD5_ALT */
 /**
 * \brief          Initialize MD5 context
 *
 * \param ctx      MD5 context to be initialized
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md5_init( mbedtls_md5_context *ctx );
@ -109,11 +62,6 @@ void mbedtls_md5_init( mbedtls_md5_context *ctx );
 * \brief          Clear MD5 context
 *
 * \param ctx      MD5 context to be cleared
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md5_free( mbedtls_md5_context *ctx );
@ -122,11 +70,6 @@ void mbedtls_md5_free( mbedtls_md5_context *ctx );
 *
 * \param dst      The destination context
 * \param src      The context to be cloned
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 void mbedtls_md5_clone( mbedtls_md5_context *dst,
                        const mbedtls_md5_context *src );
@ -135,200 +78,57 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst,
 * \brief          MD5 context setup
 *
 * \param ctx      context to be initialized
 *
 * \return         0 if successful
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx );
+void mbedtls_md5_starts( mbedtls_md5_context *ctx );
 /**
 * \brief          MD5 process buffer
 *
 * \param ctx      MD5 context
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 *
 * \return         0 if successful
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen );
                            const unsigned char *input,
                            size_t ilen );
 /**
 * \brief          MD5 final digest
 *
 * \param ctx      MD5 context
 * \param output   MD5 checksum result
 *
 * \return         0 if successful
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] );
                            unsigned char output[16] );
-/**
+/* Internal use */
- * \brief          MD5 process data block (internal use only)
+void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] );
 *
 * \param ctx      MD5 context
 * \param data     buffer holding one block of data
 *
 * \return         0 if successful
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
                                  const unsigned char data[64] );
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#ifdef __cplusplus
-#if defined(MBEDTLS_DEPRECATED_WARNING)
+}
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          MD5 context setup
 *
 * \deprecated     Superseded by mbedtls_md5_starts_ret() in 2.7.0
 *
 * \param ctx      context to be initialized
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md5_starts( mbedtls_md5_context *ctx );
-/**
+#else  /* MBEDTLS_MD5_ALT */
- * \brief          MD5 process buffer
+#include "md5_alt.h"
- *
+#endif /* MBEDTLS_MD5_ALT */
 * \deprecated     Superseded by mbedtls_md5_update_ret() in 2.7.0
 *
 * \param ctx      MD5 context
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md5_update( mbedtls_md5_context *ctx,
                                            const unsigned char *input,
                                            size_t ilen );
-/**
+#ifdef __cplusplus
- * \brief          MD5 final digest
+extern "C" {
- *
+#endif
 * \deprecated     Superseded by mbedtls_md5_finish_ret() in 2.7.0
 *
 * \param ctx      MD5 context
 * \param output   MD5 checksum result
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md5_finish( mbedtls_md5_context *ctx,
                                            unsigned char output[16] );
 /**
 * \brief          MD5 process data block (internal use only)
 *
 * \deprecated     Superseded by mbedtls_internal_md5_process() in 2.7.0
 *
 * \param ctx      MD5 context
 * \param data     buffer holding one block of data
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md5_process( mbedtls_md5_context *ctx,
                                             const unsigned char data[64] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /**
 * \brief          Output = MD5( input buffer )
 *
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   MD5 checksum result
 *
 * \return         0 if successful
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
-int mbedtls_md5_ret( const unsigned char *input,
+void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] );
                     size_t ilen,
                     unsigned char output[16] );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          Output = MD5( input buffer )
 *
 * \deprecated     Superseded by mbedtls_md5_ret() in 2.7.0
 *
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 * \param output   MD5 checksum result
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[16] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 *
 * \warning        MD5 is considered a weak message digest and its use
 *                 constitutes a security risk. We recommend considering
 *                 stronger message digests instead.
 *
 */
 int mbedtls_md5_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/md_internal.h
+++ b/include/mbedtls/md_internal.h
@ -6,16 +6,9 @@
 * \warning This in an internal header. Do not include directly.
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,26 +22,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_MD_WRAP_H
 #define MBEDTLS_MD_WRAP_H
@ -84,17 +58,17 @@ struct mbedtls_md_info_t
    int block_size;
    /** Digest initialisation function */
-    int (*starts_func)( void *ctx );
+    void (*starts_func)( void *ctx );
    /** Digest update function */
-    int (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
+    void (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
    /** Digest finalisation function */
-    int (*finish_func)( void *ctx, unsigned char *output );
+    void (*finish_func)( void *ctx, unsigned char *output );
    /** Generic digest function */
-    int (*digest_func)( const unsigned char *input, size_t ilen,
+    void (*digest_func)( const unsigned char *input, size_t ilen,
-                        unsigned char *output );
+                         unsigned char *output );
    /** Allocate a new context */
    void * (*ctx_alloc_func)( void );
@ -106,7 +80,7 @@ struct mbedtls_md_info_t
    void (*clone_func)( void *dst, const void *src );
    /** Internal use only */
-    int (*process_func)( void *ctx, const unsigned char *input );
+    void (*process_func)( void *ctx, const unsigned char *input );
 };
 #if defined(MBEDTLS_MD2_C)
--- a/include/mbedtls/memory_buffer_alloc.h
+++ b/include/mbedtls/memory_buffer_alloc.h
@ -2,16 +2,9 @@
 * \file memory_buffer_alloc.h
 *
 * \brief Buffer-based memory allocator
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
 #define MBEDTLS_MEMORY_BUFFER_ALLOC_H
--- a/include/mbedtls/net.h
+++ b/include/mbedtls/net.h
@ -1,19 +1,10 @@
 /**
 * \file net.h
 *
- * \brief Deprecated header file that includes net_sockets.h
+ * \brief Deprecated header file that includes mbedtls/net_sockets.h
 *
- * \deprecated Superseded by mbedtls/net_sockets.h
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- */
+ *  SPDX-License-Identifier: Apache-2.0
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -27,35 +18,13 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
- *  **********
+ * \deprecated Superseded by mbedtls/net_sockets.h
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "net_sockets.h"
+#include "mbedtls/net_sockets.h"
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
 #endif /* MBEDTLS_DEPRECATED_WARNING */
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@ -1,33 +1,10 @@
 /**
 * \file net_sockets.h
 *
- * \brief   Network sockets abstraction layer to integrate Mbed TLS into a
+ * \brief Network communication functions
 *          BSD-style sockets API.
 *
- *          The network sockets module provides an example integration of the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          Mbed TLS library into a BSD sockets implementation. The module is
+ *  SPDX-License-Identifier: Apache-2.0
 *          intended to be an example of how Mbed TLS can be integrated into a
 *          networking stack, as well as to be Mbed TLS's network integration
 *          for its supported platforms.
 *
 *          The module is intended only to be used with the Mbed TLS library and
 *          is not intended to be used by third party application software
 *          directly.
 *
 *          The supported platforms are as follows:
 *              * Microsoft Windows and Windows CE
 *              * POSIX/Unix platforms including Linux, OS X
 *
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -41,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_NET_SOCKETS_H
 #define MBEDTLS_NET_SOCKETS_H
@ -87,17 +45,12 @@
 #define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
 #define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
 #define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
 #define MBEDTLS_ERR_NET_POLL_FAILED                       -0x0047  /**< Polling the net context failed. */
 #define MBEDTLS_ERR_NET_BAD_INPUT_DATA                    -0x0049  /**< Input invalid. */
 #define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
 #define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
 #define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
 #define MBEDTLS_NET_POLL_READ  1 /**< Used in \c mbedtls_net_poll to check for pending data  */
 #define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -109,7 +62,7 @@ extern "C" {
 * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
 * structures for hand-made UDP demultiplexing).
 */
-typedef struct mbedtls_net_context
+typedef struct
 {
    int fd;             /**< The underlying file descriptor                 */
 }
@ -151,7 +104,6 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char
 *
 * \return         0 if successful, or one of:
 *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
 *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
 *                      MBEDTLS_ERR_NET_BIND_FAILED,
 *                      MBEDTLS_ERR_NET_LISTEN_FAILED
 *
@ -165,14 +117,11 @@ int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char
 *
 * \param bind_ctx  Relevant socket
 * \param client_ctx Will contain the connected client socket
- * \param client_ip Will contain the client IP address, can be NULL
+ * \param client_ip Will contain the client IP address
 * \param buf_size  Size of the client_ip buffer
- * \param ip_len    Will receive the size of the client IP written,
+ * \param ip_len    Will receive the size of the client IP written
 *                  can be NULL if client_ip is null
 *
 * \return          0 if successful, or
 *                  MBEDTLS_ERR_NET_SOCKET_FAILED,
 *                  MBEDTLS_ERR_NET_BIND_FAILED,
 *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
 *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
 *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
@ -182,33 +131,6 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
                        mbedtls_net_context *client_ctx,
                        void *client_ip, size_t buf_size, size_t *ip_len );
 /**
 * \brief          Check and wait for the context to be ready for read/write
 *
 * \note           The current implementation of this function uses
 *                 select() and returns an error if the file descriptor
 *                 is \c FD_SETSIZE or greater.
 *
 * \param ctx      Socket to check
 * \param rw       Bitflag composed of MBEDTLS_NET_POLL_READ and
 *                 MBEDTLS_NET_POLL_WRITE specifying the events
 *                 to wait for:
 *                 - If MBEDTLS_NET_POLL_READ is set, the function
 *                   will return as soon as the net context is available
 *                   for reading.
 *                 - If MBEDTLS_NET_POLL_WRITE is set, the function
 *                   will return as soon as the net context is available
 *                   for writing.
 * \param timeout  Maximal amount of time to wait before returning,
 *                 in milliseconds. If \c timeout is zero, the
 *                 function returns immediately. If \c timeout is
 *                 -1u, the function blocks potentially indefinitely.
 *
 * \return         Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
 *                 on success or timeout, or a negative return code otherwise.
 */
 int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout );
 /**
 * \brief          Set the socket blocking
 *
@ -270,21 +192,16 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
 *                 'timeout' seconds. If no error occurs, the actual amount
 *                 read is returned.
 *
 * \note           The current implementation of this function uses
 *                 select() and returns an error if the file descriptor
 *                 is \c FD_SETSIZE or greater.
 *
 * \param ctx      Socket
 * \param buf      The buffer to write to
 * \param len      Maximum length of the buffer
 * \param timeout  Maximum number of milliseconds to wait for data
 *                 0 means no timeout (wait forever)
 *
- * \return         The number of bytes received if successful.
+ * \return         the number of bytes received,
- *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out.
+ *                 or a non-zero error code:
 *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
 *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
 *                 Another negative error code (MBEDTLS_ERR_NET_xxx)
 *                 for other failures.
 *
 * \note           This function will block (until data becomes available or
 *                 timeout is reached) even if the socket is set to
--- a/include/mbedtls/nist_kw.h
+++ b/include/mbedtls/nist_kw.h
@ -1,209 +0,0 @@
 /**
 * \file nist_kw.h
 *
 * \brief This file provides an API for key wrapping (KW) and key wrapping with
 *        padding (KWP) as defined in NIST SP 800-38F.
 *        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
 *
 *        Key wrapping specifies a deterministic authenticated-encryption mode
 *        of operation, according to <em>NIST SP 800-38F: Recommendation for
 *        Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
 *        purpose is to protect cryptographic keys.
 *
 *        Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
 *        https://tools.ietf.org/html/rfc3394
 *        https://tools.ietf.org/html/rfc5649
 *
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_NIST_KW_H
 #define MBEDTLS_NIST_KW_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "cipher.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 typedef enum
 {
    MBEDTLS_KW_MODE_KW = 0,
    MBEDTLS_KW_MODE_KWP = 1
 } mbedtls_nist_kw_mode_t;
 #if !defined(MBEDTLS_NIST_KW_ALT)
 // Regular implementation
 //
 /**
 * \brief    The key wrapping context-type definition. The key wrapping context is passed
 *           to the APIs called.
 *
 * \note     The definition of this type may change in future library versions.
 *           Don't make any assumptions on this context!
 */
 typedef struct {
    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
 } mbedtls_nist_kw_context;
 #else  /* MBEDTLS_NIST_key wrapping_ALT */
 #include "nist_kw_alt.h"
 #endif /* MBEDTLS_NIST_KW_ALT */
 /**
 * \brief           This function initializes the specified key wrapping context
 *                  to make references valid and prepare the context
 *                  for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
 *
 * \param ctx       The key wrapping context to initialize.
 *
 */
 void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx );
 /**
 * \brief           This function initializes the key wrapping context set in the
 *                  \p ctx parameter and sets the encryption key.
 *
 * \param ctx       The key wrapping context.
 * \param cipher    The 128-bit block cipher to use. Only AES is supported.
 * \param key       The Key Encryption Key (KEK).
 * \param keybits   The KEK size in bits. This must be acceptable by the cipher.
 * \param is_wrap   Specify whether the operation within the context is wrapping or unwrapping
 *
 * \return          \c 0 on success.
 * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
 * \return          \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
 *                  which are not supported.
 * \return          cipher-specific error code on failure of the underlying cipher.
 */
 int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
                            mbedtls_cipher_id_t cipher,
                            const unsigned char *key,
                            unsigned int keybits,
                            const int is_wrap );
 /**
 * \brief   This function releases and clears the specified key wrapping context
 *          and underlying cipher sub-context.
 *
 * \param ctx       The key wrapping context to clear.
 */
 void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx );
 /**
 * \brief           This function encrypts a buffer using key wrapping.
 *
 * \param ctx       The key wrapping context to use for encryption.
 * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
 * \param input     The buffer holding the input data.
 * \param in_len    The length of the input data in Bytes.
 *                  The input uses units of 8 Bytes called semiblocks.
 *                  <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
 *                  <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
 * \param[out] output    The buffer holding the output data.
 *                  <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
 *                  <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
 *                  8 bytes for KWP (15 bytes at most).</li></ul>
 * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
 * \param[in] out_size The capacity of the output buffer.
 *
 * \return          \c 0 on success.
 * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
 * \return          cipher-specific error code on failure of the underlying cipher.
 */
 int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
                          const unsigned char *input, size_t in_len,
                          unsigned char *output, size_t* out_len, size_t out_size );
 /**
 * \brief           This function decrypts a buffer using key wrapping.
 *
 * \param ctx       The key wrapping context to use for decryption.
 * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
 * \param input     The buffer holding the input data.
 * \param in_len    The length of the input data in Bytes.
 *                  The input uses units of 8 Bytes called semiblocks.
 *                  The input must be a multiple of semiblocks.
 *                  <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
 *                  <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
 * \param[out] output    The buffer holding the output data.
 *                  The output buffer's minimal length is 8 bytes shorter than \p in_len.
 * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
 *                  For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
 *                  depending on how much padding was added to the data.
 * \param[in] out_size The capacity of the output buffer.
 *
 * \return          \c 0 on success.
 * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
 * \return          \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
 * \return          cipher-specific error code on failure of the underlying cipher.
 */
 int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
                            const unsigned char *input, size_t in_len,
                            unsigned char *output, size_t* out_len, size_t out_size);
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 /**
 * \brief          The key wrapping checkup routine.
 *
 * \return         \c 0 on success.
 * \return         \c 1 on failure.
 */
 int mbedtls_nist_kw_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_NIST_KW_H */
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@ -2,16 +2,9 @@
 * \file oid.h
 *
 * \brief Object Identifier (OID) database
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_OID_H
 #define MBEDTLS_OID_H
@ -122,8 +96,6 @@
 /* ISO arc for standard certificate and CRL extensions */
 #define MBEDTLS_OID_ID_CE                       MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
 #define MBEDTLS_OID_NIST_ALG                    MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
 /**
 * Private Internet Extensions
 * { iso(1) identified-organization(3) dod(6) internet(1)
@ -246,42 +218,21 @@
 #define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
 #define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
 #define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_GOV "\x03\x04\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_GOV "\x03\x04\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_GOV "\x03\x04\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_GOV "\x03\x04\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
 #define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
 #define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
 #define MBEDTLS_OID_HMAC_SHA256                 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
 #define MBEDTLS_OID_HMAC_SHA384                 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
 #define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
 /*
 * Encryption algorithms
 */
 #define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
 #define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
 #define MBEDTLS_OID_AES                         MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
 /*
 * Key Wrapping algorithms
 */
 /*
 * RFC 5649
 */
 #define MBEDTLS_OID_AES128_KW                   MBEDTLS_OID_AES "\x05" /** id-aes128-wrap     OBJECT IDENTIFIER ::= { aes 5 } */
 #define MBEDTLS_OID_AES128_KWP                  MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
 #define MBEDTLS_OID_AES192_KW                   MBEDTLS_OID_AES "\x19" /** id-aes192-wrap     OBJECT IDENTIFIER ::= { aes 25 } */
 #define MBEDTLS_OID_AES192_KWP                  MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
 #define MBEDTLS_OID_AES256_KW                   MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap     OBJECT IDENTIFIER ::= { aes 45 } */
 #define MBEDTLS_OID_AES256_KWP                  MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
 /*
 * PKCS#5 OIDs
 */
@ -428,8 +379,7 @@ extern "C" {
 /**
 * \brief Base OID descriptor structure
 */
-typedef struct mbedtls_oid_descriptor_t
+typedef struct {
 {
    const char *asn1;               /*!< OID ASN.1 representation       */
    size_t asn1_len;                /*!< length of asn1                 */
    const char *name;               /*!< official name (e.g. from RFC)  */
@ -563,16 +513,6 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t
 * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
 */
 int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
 /**
 * \brief          Translate hmac algorithm OID into md_type
 *
 * \param oid      OID to use
 * \param md_hmac  place to store message hmac algorithm
 *
 * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
 */
 int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
 #endif /* MBEDTLS_MD_C */
 /**
--- a/include/mbedtls/padlock.h
+++ b/include/mbedtls/padlock.h
@ -4,18 +4,8 @@
 * \brief VIA PadLock ACE for HW encryption/decryption supported by some
 *        processors
 *
- * \warning These functions are only for internal use by other library
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *          functions; you must not call them directly.
+ *  SPDX-License-Identifier: Apache-2.0
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -29,36 +19,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PADLOCK_H
 #define MBEDTLS_PADLOCK_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "aes.h"
 #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
@ -84,17 +49,14 @@
 #define MBEDTLS_PADLOCK_PHE 0x0C00
 #define MBEDTLS_PADLOCK_PMM 0x3000
-#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) x & ~15))
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
- * \brief          Internal PadLock detection routine
+ * \brief          PadLock detection routine
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param feature  The feature to detect
 *
@ -103,10 +65,7 @@ extern "C" {
 int mbedtls_padlock_has_support( int feature );
 /**
- * \brief          Internal PadLock AES-ECB block en(de)cryption
+ * \brief          PadLock AES-ECB block en(de)cryption
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param ctx      AES context
 * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@ -116,15 +75,12 @@ int mbedtls_padlock_has_support( int feature );
 * \return         0 if success, 1 if operation failed
 */
 int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
-                               int mode,
+                       int mode,
-                               const unsigned char input[16],
+                       const unsigned char input[16],
-                               unsigned char output[16] );
+                       unsigned char output[16] );
 /**
- * \brief          Internal PadLock AES-CBC buffer en(de)cryption
+ * \brief          PadLock AES-CBC buffer en(de)cryption
 *
 * \note           This function is only for internal use by other library
 *                 functions; you must not call it directly.
 *
 * \param ctx      AES context
 * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@ -136,11 +92,11 @@ int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
 * \return         0 if success, 1 if operation failed
 */
 int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
-                               int mode,
+                       int mode,
-                               size_t length,
+                       size_t length,
-                               unsigned char iv[16],
+                       unsigned char iv[16],
-                               const unsigned char *input,
+                       const unsigned char *input,
-                               unsigned char *output );
+                       unsigned char *output );
 #ifdef __cplusplus
 }
--- a/include/mbedtls/pem.h
+++ b/include/mbedtls/pem.h
@ -2,16 +2,9 @@
 * \file pem.h
 *
 * \brief Privacy Enhanced Mail (PEM) decoding
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /**
@ -82,7 +50,7 @@ extern "C" {
 /**
 * \brief       PEM context structure
 */
-typedef struct mbedtls_pem_context
+typedef struct
 {
    unsigned char *buf;     /*!< buffer for decoded data             */
    size_t buflen;          /*!< length of the buffer                */
@ -137,27 +105,17 @@ void mbedtls_pem_free( mbedtls_pem_context *ctx );
 * \brief           Write a buffer of PEM information from a DER encoded
 *                  buffer.
 *
- * \param header    The header string to write.
+ * \param header    header string to write
- * \param footer    The footer string to write.
+ * \param footer    footer string to write
- * \param der_data  The DER data to encode.
+ * \param der_data  DER data to write
- * \param der_len   The length of the DER data \p der_data in Bytes.
+ * \param der_len   length of the DER data
- * \param buf       The buffer to write to.
+ * \param buf       buffer to write to
- * \param buf_len   The length of the output buffer \p buf in Bytes.
+ * \param buf_len   length of output buffer
- * \param olen      The address at which to store the total length written
+ * \param olen      total length written / required (if buf_len is not enough)
 *                  or required (if \p buf_len is not enough).
 *
- * \note            You may pass \c NULL for \p buf and \c 0 for \p buf_len
+ * \return          0 on success, or a specific PEM or BASE64 error code. On
- *                  to request the length of the resulting PEM buffer in
+ *                  MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required
- *                  `*olen`.
+ *                  size.
 *
 * \note            This function may be called with overlapping \p der_data
 *                  and \p buf buffers.
 *
 * \return          \c 0 on success.
 * \return          #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large
 *                  enough to hold the PEM buffer. In  this case, `*olen` holds
 *                  the required minimum size of \p buf.
 * \return          Another PEM or BASE64 error code on other kinds of failure.
 */
 int mbedtls_pem_write_buffer( const char *header, const char *footer,
                      const unsigned char *der_data, size_t der_len,
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@ -2,16 +2,9 @@
 * \file pk.h
 *
 * \brief Public Key abstraction layer
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PK_H
@ -88,10 +62,7 @@
 #define MBEDTLS_ERR_PK_INVALID_ALG         -0x3A80  /**< The algorithm tag or value is invalid. */
 #define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
 #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
-#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The signature is valid but its length is less than expected. */
 /* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
@ -114,7 +85,7 @@ typedef enum {
 * \brief           Options for RSASSA-PSS signature verification.
 *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
 */
-typedef struct mbedtls_pk_rsassa_pss_options
+typedef struct
 {
    mbedtls_md_type_t mgf1_hash_id;
    int expected_salt_len;
@ -134,7 +105,7 @@ typedef enum
 /**
 * \brief           Item to send to the debug module
 */
-typedef struct mbedtls_pk_debug_item
+typedef struct
 {
    mbedtls_pk_debug_type type;
    const char *name;
@ -152,25 +123,11 @@ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
 /**
 * \brief           Public key container
 */
 typedef struct mbedtls_pk_context
 {
    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
    void *                      pk_ctx;  /**< Underlying public key context  */
 } mbedtls_pk_context;
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 /**
 * \brief           Context for resuming operations
 */
 typedef struct
 {
-    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    const mbedtls_pk_info_t *   pk_info; /**< Public key informations        */
-    void *                      rs_ctx;  /**< Underlying restart context     */
+    void *                      pk_ctx;  /**< Underlying public key context  */
-} mbedtls_pk_restart_ctx;
+} mbedtls_pk_context;
 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 /* Now we can declare functions that take a pointer to that */
 typedef void mbedtls_pk_restart_ctx;
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #if defined(MBEDTLS_RSA_C)
 /**
@ -222,45 +179,20 @@ typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
 const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
 /**
- * \brief           Initialize a #mbedtls_pk_context (as NONE).
+ * \brief           Initialize a mbedtls_pk_context (as NONE)
 *
 * \param ctx       The context to initialize.
 *                  This must not be \c NULL.
 */
 void mbedtls_pk_init( mbedtls_pk_context *ctx );
 /**
- * \brief           Free the components of a #mbedtls_pk_context.
+ * \brief           Free a mbedtls_pk_context
 *
 * \param ctx       The context to clear. It must have been initialized.
 *                  If this is \c NULL, this function does nothing.
 */
 void mbedtls_pk_free( mbedtls_pk_context *ctx );
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 /**
 * \brief           Initialize a restart context
 *
 * \param ctx       The context to initialize.
 *                  This must not be \c NULL.
 */
 void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
 /**
 * \brief           Free the components of a restart context
 *
 * \param ctx       The context to clear. It must have been initialized.
 *                  If this is \c NULL, this function does nothing.
 */
 void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 /**
 * \brief           Initialize a PK context with the information given
 *                  and allocates the type-specific PK subcontext.
 *
- * \param ctx       Context to initialize. It must not have been set
+ * \param ctx       Context to initialize. Must be empty (type NONE).
 *                  up yet (type #MBEDTLS_PK_NONE).
 * \param info      Information to use
 *
 * \return          0 on success,
@ -276,8 +208,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
 /**
 * \brief           Initialize an RSA-alt context
 *
- * \param ctx       Context to initialize. It must not have been set
+ * \param ctx       Context to initialize. Must be empty (type NONE).
 *                  up yet (type #MBEDTLS_PK_NONE).
 * \param key       RSA key pointer
 * \param decrypt_func  Decryption function
 * \param sign_func     Signing function
@ -297,7 +228,7 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
 /**
 * \brief           Get the size in bits of the underlying key
 *
- * \param ctx       The context to query. It must have been initialized.
+ * \param ctx       Context to use
 *
 * \return          Key size in bits, or 0 on error
 */
@ -305,8 +236,7 @@ size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
 /**
 * \brief           Get the length in bytes of the underlying key
- *
+ * \param ctx       Context to use
 * \param ctx       The context to query. It must have been initialized.
 *
 * \return          Key length in bytes, or 0 on error
 */
@ -318,21 +248,18 @@ static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
 /**
 * \brief           Tell if a context can do the operation given by type
 *
- * \param ctx       The context to query. It must have been initialized.
+ * \param ctx       Context to test
- * \param type      The desired type.
+ * \param type      Target type
 *
- * \return          1 if the context can do operations on the given type.
+ * \return          0 if context can't do the operations,
- * \return          0 if the context cannot do the operations on the given
+ *                  1 otherwise.
 *                  type. This is always the case for a context that has
 *                  been initialized but not set up, or that has been
 *                  cleared with mbedtls_pk_free().
 */
 int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
 /**
 * \brief           Verify signature (including padding if relevant).
 *
- * \param ctx       The PK context to use. It must have been set up.
+ * \param ctx       PK context to use
 * \param md_alg    Hash algorithm used (see notes)
 * \param hash      Hash of the message to sign
 * \param hash_len  Hash length or 0 (see notes)
@ -340,8 +267,8 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
 * \param sig_len   Signature length
 *
 * \return          0 on success (signature is valid),
- *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if the signature is
- *                  signature in sig but its length is less than \p siglen,
+ *                  valid but its actual length is less than sig_len,
 *                  or a specific error code.
 *
 * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
@ -357,39 +284,13 @@ int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
               const unsigned char *hash, size_t hash_len,
               const unsigned char *sig, size_t sig_len );
 /**
 * \brief           Restartable version of \c mbedtls_pk_verify()
 *
 * \note            Performs the same job as \c mbedtls_pk_verify(), but can
 *                  return early and restart according to the limit set with
 *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
 *                  operations. For RSA, same as \c mbedtls_pk_verify().
 *
 * \param ctx       The PK context to use. It must have been set up.
 * \param md_alg    Hash algorithm used (see notes)
 * \param hash      Hash of the message to sign
 * \param hash_len  Hash length or 0 (see notes)
 * \param sig       Signature to verify
 * \param sig_len   Signature length
 * \param rs_ctx    Restart context (NULL to disable restart)
 *
 * \return          See \c mbedtls_pk_verify(), or
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 */
 int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
               mbedtls_md_type_t md_alg,
               const unsigned char *hash, size_t hash_len,
               const unsigned char *sig, size_t sig_len,
               mbedtls_pk_restart_ctx *rs_ctx );
 /**
 * \brief           Verify signature, with options.
 *                  (Includes verification of the padding depending on type.)
 *
 * \param type      Signature type (inc. possible padding type) to verify
 * \param options   Pointer to type-specific options, or NULL
- * \param ctx       The PK context to use. It must have been set up.
+ * \param ctx       PK context to use
 * \param md_alg    Hash algorithm used (see notes)
 * \param hash      Hash of the message to sign
 * \param hash_len  Hash length or 0 (see notes)
@ -397,10 +298,10 @@ int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
 * \param sig_len   Signature length
 *
 * \return          0 on success (signature is valid),
- *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
+ *                  MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
 *                  used for this type of signatures,
- *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if the signature is
- *                  signature in sig but its length is less than \p siglen,
+ *                  valid but its actual length is less than sig_len,
 *                  or a specific error code.
 *
 * \note            If hash_len is 0, then the length associated with md_alg
@ -420,8 +321,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
 /**
 * \brief           Make signature, including padding if relevant.
 *
- * \param ctx       The PK context to use. It must have been set up
+ * \param ctx       PK context to use - must hold a private key
 *                  with a private key.
 * \param md_alg    Hash algorithm used (see notes)
 * \param hash      Hash of the message to sign
 * \param hash_len  Hash length or 0 (see notes)
@ -441,55 +341,16 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
 *
 * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
 *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
 *
 * \note            In order to ensure enough space for the signature, the
 *                  \p sig buffer size must be of at least
 *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
 */
 int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
             const unsigned char *hash, size_t hash_len,
             unsigned char *sig, size_t *sig_len,
             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 /**
 * \brief           Restartable version of \c mbedtls_pk_sign()
 *
 * \note            Performs the same job as \c mbedtls_pk_sign(), but can
 *                  return early and restart according to the limit set with
 *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
 *                  operations. For RSA, same as \c mbedtls_pk_sign().
 *
 * \note            In order to ensure enough space for the signature, the
 *                  \p sig buffer size must be of at least
 *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
 *
 * \param ctx       The PK context to use. It must have been set up
 *                  with a private key.
 * \param md_alg    Hash algorithm used (see notes)
 * \param hash      Hash of the message to sign
 * \param hash_len  Hash length or 0 (see notes)
 * \param sig       Place to write the signature
 * \param sig_len   Number of bytes written
 * \param f_rng     RNG function
 * \param p_rng     RNG parameter
 * \param rs_ctx    Restart context (NULL to disable restart)
 *
 * \return          See \c mbedtls_pk_sign(), or
 * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
 *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
 */
 int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
             mbedtls_md_type_t md_alg,
             const unsigned char *hash, size_t hash_len,
             unsigned char *sig, size_t *sig_len,
             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
             mbedtls_pk_restart_ctx *rs_ctx );
 /**
 * \brief           Decrypt message (including padding if relevant).
 *
- * \param ctx       The PK context to use. It must have been set up
+ * \param ctx       PK context to use - must hold a private key
 *                  with a private key.
 * \param input     Input to decrypt
 * \param ilen      Input size
 * \param output    Decrypted output
@ -510,7 +371,7 @@ int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
 /**
 * \brief           Encrypt message (including padding if relevant).
 *
- * \param ctx       The PK context to use. It must have been set up.
+ * \param ctx       PK context to use
 * \param input     Message to encrypt
 * \param ilen      Message size
 * \param output    Encrypted output
@ -541,7 +402,7 @@ int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_conte
 /**
 * \brief           Export debug information
 *
- * \param ctx       The PK context to use. It must have been initialized.
+ * \param ctx       Context to use
 * \param items     Place to write debug items
 *
 * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
@ -551,7 +412,7 @@ int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *item
 /**
 * \brief           Access the type name
 *
- * \param ctx       The PK context to use. It must have been initialized.
+ * \param ctx       Context to use
 *
 * \return          Type name on success, or "invalid PK"
 */
@ -560,10 +421,9 @@ const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
 /**
 * \brief           Get the key type
 *
- * \param ctx       The PK context to use. It must have been initialized.
+ * \param ctx       Context to use
 *
- * \return          Type on success.
+ * \return          Type on success, or MBEDTLS_PK_NONE
 * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
 */
 mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
@ -572,22 +432,12 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
 /**
 * \brief           Parse a private key in PEM or DER format
 *
- * \param ctx       The PK context to fill. It must have been initialized
+ * \param ctx       key to be initialized
- *                  but not set up.
+ * \param key       input buffer
- * \param key       Input buffer to parse.
+ * \param keylen    size of the buffer
- *                  The buffer must contain the input exactly, with no
+ *                  (including the terminating null byte for PEM data)
- *                  extra trailing material. For PEM, the buffer must
+ * \param pwd       password for decryption (optional)
- *                  contain a null-terminated string.
+ * \param pwdlen    size of the password
 * \param keylen    Size of \b key in bytes.
 *                  For PEM data, this includes the terminating null byte,
 *                  so \p keylen must be equal to `strlen(key) + 1`.
 * \param pwd       Optional password for decryption.
 *                  Pass \c NULL if expecting a non-encrypted key.
 *                  Pass a string of \p pwdlen bytes if expecting an encrypted
 *                  key; a non-encrypted key will also be accepted.
 *                  The empty password is not supported.
 * \param pwdlen    Size of the password in bytes.
 *                  Ignored if \p pwd is \c NULL.
 *
 * \note            On entry, ctx must be empty, either freshly initialised
 *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@ -605,15 +455,10 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
 /**
 * \brief           Parse a public key in PEM or DER format
 *
- * \param ctx       The PK context to fill. It must have been initialized
+ * \param ctx       key to be initialized
- *                  but not set up.
+ * \param key       input buffer
- * \param key       Input buffer to parse.
+ * \param keylen    size of the buffer
- *                  The buffer must contain the input exactly, with no
+ *                  (including the terminating null byte for PEM data)
 *                  extra trailing material. For PEM, the buffer must
 *                  contain a null-terminated string.
 * \param keylen    Size of \b key in bytes.
 *                  For PEM data, this includes the terminating null byte,
 *                  so \p keylen must be equal to `strlen(key) + 1`.
 *
 * \note            On entry, ctx must be empty, either freshly initialised
 *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@ -631,14 +476,9 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
 /**
 * \brief           Load and parse a private key
 *
- * \param ctx       The PK context to fill. It must have been initialized
+ * \param ctx       key to be initialized
 *                  but not set up.
 * \param path      filename to read the private key from
- * \param password  Optional password to decrypt the file.
+ * \param password  password to decrypt the file (can be NULL)
 *                  Pass \c NULL if expecting a non-encrypted key.
 *                  Pass a null-terminated string if expecting an encrypted
 *                  key; a non-encrypted key will also be accepted.
 *                  The empty password is not supported.
 *
 * \note            On entry, ctx must be empty, either freshly initialised
 *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@ -655,8 +495,7 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
 /**
 * \brief           Load and parse a public key
 *
- * \param ctx       The PK context to fill. It must have been initialized
+ * \param ctx       key to be initialized
 *                  but not set up.
 * \param path      filename to read the public key from
 *
 * \note            On entry, ctx must be empty, either freshly initialised
@ -679,7 +518,7 @@ int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
 *                        return value to determine where you should start
 *                        using the buffer
 *
- * \param ctx       PK context which must contain a valid private key.
+ * \param ctx       private to write away
 * \param buf       buffer to write to
 * \param size      size of the buffer
 *
@ -694,7 +533,7 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_
 *                        return value to determine where you should start
 *                        using the buffer
 *
- * \param ctx       PK context which must contain a valid public or private key.
+ * \param ctx       public key to write away
 * \param buf       buffer to write to
 * \param size      size of the buffer
 *
@ -707,10 +546,9 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, si
 /**
 * \brief           Write a public key to a PEM string
 *
- * \param ctx       PK context which must contain a valid public or private key.
+ * \param ctx       public key to write away
- * \param buf       Buffer to write to. The output includes a
+ * \param buf       buffer to write to
- *                  terminating null byte.
+ * \param size      size of the buffer
 * \param size      Size of the buffer in bytes.
 *
 * \return          0 if successful, or a specific error code
 */
@ -719,10 +557,9 @@ int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, si
 /**
 * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
 *
- * \param ctx       PK context which must contain a valid private key.
+ * \param ctx       private to write away
- * \param buf       Buffer to write to. The output includes a
+ * \param buf       buffer to write to
- *                  terminating null byte.
+ * \param size      size of the buffer
 * \param size      Size of the buffer in bytes.
 *
 * \return          0 if successful, or a specific error code
 */
@ -741,8 +578,7 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_
 *
 * \param p         the position in the ASN.1 data
 * \param end       end of the buffer
- * \param pk        The PK context to fill. It must have been initialized
+ * \param pk        the key to fill
 *                  but not set up.
 *
 * \return          0 if successful, or a specific PK error code
 */
@ -757,7 +593,7 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
 *
 * \param p         reference to current position pointer
 * \param start     start of the buffer (for bounds-checking)
- * \param key       PK context which must contain a valid public or private key.
+ * \param key       public key to write away
 *
 * \return          the length written or a negative error code
 */
--- a/include/mbedtls/pk_internal.h
+++ b/include/mbedtls/pk_internal.h
@ -1,17 +1,10 @@
 /**
- * \file pk_internal.h
+ * \file pk.h
 *
 * \brief Public Key abstraction layer: wrapper functions
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PK_WRAP_H
@ -84,21 +58,6 @@ struct mbedtls_pk_info_t
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
    /** Verify signature (restartable) */
    int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
                           const unsigned char *hash, size_t hash_len,
                           const unsigned char *sig, size_t sig_len,
                           void *rs_ctx );
    /** Make signature (restartable) */
    int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
                         const unsigned char *hash, size_t hash_len,
                         unsigned char *sig, size_t *sig_len,
                         int (*f_rng)(void *, unsigned char *, size_t),
                         void *p_rng, void *rs_ctx );
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
    /** Decrypt message */
    int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
                         unsigned char *output, size_t *olen, size_t osize,
@ -120,14 +79,6 @@ struct mbedtls_pk_info_t
    /** Free the given context */
    void (*ctx_free_func)( void *ctx );
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
    /** Allocate the restart context */
    void * (*rs_alloc_func)( void );
    /** Free the restart context */
    void (*rs_free_func)( void *rs_ctx );
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
    /** Interface with the debug module */
    void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
--- a/include/mbedtls/pkcs11.h
+++ b/include/mbedtls/pkcs11.h
@ -4,16 +4,9 @@
 * \brief Wrapper for PKCS#11 library libpkcs11-helper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -27,26 +20,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PKCS11_H
 #define MBEDTLS_PKCS11_H
@ -75,8 +49,7 @@ extern "C" {
 /**
 * Context for PKCS #11 private keys.
 */
-typedef struct mbedtls_pkcs11_context
+typedef struct {
 {
        pkcs11h_certificate_t pkcs11h_cert;
        int len;
 } mbedtls_pkcs11_context;
--- a/include/mbedtls/pkcs12.h
+++ b/include/mbedtls/pkcs12.h
@ -2,16 +2,9 @@
 * \file pkcs12.h
 *
 * \brief PKCS#12 Personal Information Exchange Syntax
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,36 +18,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "md.h"
 #include "cipher.h"
 #include "asn1.h"
@ -77,8 +45,6 @@
 extern "C" {
 #endif
 #if defined(MBEDTLS_ASN1_PARSE_C)
 /**
 * \brief            PKCS12 Password Based function (encryption / decryption)
 *                   for pbeWithSHAAnd128BitRC4
@ -120,8 +86,6 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
                const unsigned char *input, size_t len,
                unsigned char *output );
 #endif /* MBEDTLS_ASN1_PARSE_C */
 /**
 * \brief            The PKCS#12 derivation function uses a password and a salt
 *                   to produce pseudo-random bits for a particular "purpose".
--- a/include/mbedtls/pkcs5.h
+++ b/include/mbedtls/pkcs5.h
@ -4,16 +4,9 @@
 * \brief PKCS#5 functions
 *
 * \author Mathias Olsson <mathias@kompetensum.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -27,36 +20,11 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "asn1.h"
 #include "md.h"
@ -75,8 +43,6 @@
 extern "C" {
 #endif
 #if defined(MBEDTLS_ASN1_PARSE_C)
 /**
 * \brief          PKCS#5 PBES2 function
 *
@ -95,8 +61,6 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
                 const unsigned char *data, size_t datalen,
                 unsigned char *output );
 #endif /* MBEDTLS_ASN1_PARSE_C */
 /**
 * \brief          PKCS#5 PBKDF2 using HMAC
 *
@ -116,8 +80,6 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p
                       unsigned int iteration_count,
                       uint32_t key_length, unsigned char *output );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
 *
@ -125,8 +87,6 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p
 */
 int mbedtls_pkcs5_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@ -1,26 +1,10 @@
 /**
 * \file platform.h
 *
- * \brief This file contains the definitions and functions of the
+ * \brief mbed TLS Platform abstraction layer
 *        Mbed TLS platform abstraction layer.
 *
- *        The platform abstraction layer removes the need for the library
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *        to directly link to standard C library functions or operating
+ *  SPDX-License-Identifier: Apache-2.0
 *        system services, making the library easier to port and embed.
 *        Application developers and users of the library can provide their own
 *        implementations of these functions, or implementations specific to
 *        their platform, which can be statically linked to the library or
 *        dynamically configured at runtime.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -34,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PLATFORM_H
 #define MBEDTLS_PLATFORM_H
@ -65,12 +30,9 @@
 #endif
 #if defined(MBEDTLS_HAVE_TIME)
-#include "platform_time.h"
+#include "mbedtls/platform_time.h"
 #endif
 #define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
 #define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -89,34 +51,34 @@ extern "C" {
 #include <time.h>
 #if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
 #if defined(_WIN32)
-#define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< Default snprintf to use  */
 #else
-#define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< The default \c snprintf function to use.  */
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< Default snprintf to use  */
 #endif
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
-#define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< The default \c printf function to use. */
+#define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< Default printf to use  */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
-#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
+#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
-#define MBEDTLS_PLATFORM_STD_CALLOC   calloc /**< The default \c calloc function to use. */
+#define MBEDTLS_PLATFORM_STD_CALLOC   calloc /**< Default allocator to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_FREE)
-#define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
+#define MBEDTLS_PLATFORM_STD_FREE       free /**< Default free to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT)
-#define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
+#define MBEDTLS_PLATFORM_STD_EXIT      exit /**< Default exit to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_TIME)
-#define MBEDTLS_PLATFORM_STD_TIME       time    /**< The default \c time function to use. */
+#define MBEDTLS_PLATFORM_STD_TIME       time    /**< Default time to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
-#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS /**< The default exit value to use. */
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS /**< Default exit value to use */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
-#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE /**< The default exit value to use. */
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE /**< Default exit value to use */
 #endif
 #if defined(MBEDTLS_FS_IO)
 #if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
@ -139,7 +101,7 @@ extern "C" {
 /* \} name SECTION: Module settings */
 /*
- * The function pointers for calloc and free.
+ * The function pointers for calloc and free
 */
 #if defined(MBEDTLS_PLATFORM_MEMORY)
 #if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
@ -149,17 +111,16 @@ extern "C" {
 #else
 /* For size_t */
 #include <stddef.h>
-extern void *mbedtls_calloc( size_t n, size_t size );
+extern void * (*mbedtls_calloc)( size_t n, size_t size );
-extern void mbedtls_free( void *ptr );
+extern void (*mbedtls_free)( void *ptr );
 /**
- * \brief               This function dynamically sets the memory-management
+ * \brief   Set your own memory implementation function pointers
 *                      functions used by the library, during runtime.
 *
- * \param calloc_func   The \c calloc function implementation.
+ * \param calloc_func   the calloc function implementation
- * \param free_func     The \c free function implementation.
+ * \param free_func     the free function implementation
 *
- * \return              \c 0.
+ * \return              0 if successful
 */
 int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
                              void (*free_func)( void * ) );
@ -178,13 +139,11 @@ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
 extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
 /**
- * \brief                This function dynamically configures the fprintf
+ * \brief   Set your own fprintf function pointer
 *                       function that is called when the
 *                       mbedtls_fprintf() function is invoked by the library.
 *
- * \param fprintf_func   The \c fprintf function implementation.
+ * \param fprintf_func   the fprintf function implementation
 *
- * \return               \c 0.
+ * \return              0
 */
 int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *,
                                               ... ) );
@ -203,13 +162,11 @@ int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char
 extern int (*mbedtls_printf)( const char *format, ... );
 /**
- * \brief               This function dynamically configures the snprintf
+ * \brief   Set your own printf function pointer
 *                      function that is called when the mbedtls_snprintf()
 *                      function is invoked by the library.
 *
- * \param printf_func   The \c printf function implementation.
+ * \param printf_func   the printf function implementation
 *
- * \return              \c 0 on success.
+ * \return              0
 */
 int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) );
 #else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
@ -238,12 +195,11 @@ int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
 extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
 /**
- * \brief                 This function allows configuring a custom
+ * \brief   Set your own snprintf function pointer
 *                        \c snprintf function pointer.
 *
- * \param snprintf_func   The \c snprintf function implementation.
+ * \param snprintf_func   the snprintf function implementation
 *
- * \return                \c 0 on success.
+ * \return              0
 */
 int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
                                                 const char * format, ... ) );
@ -251,7 +207,7 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
 #if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
 #define mbedtls_snprintf   MBEDTLS_PLATFORM_SNPRINTF_MACRO
 #else
-#define mbedtls_snprintf   MBEDTLS_PLATFORM_STD_SNPRINTF
+#define mbedtls_snprintf   snprintf
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
@ -262,13 +218,11 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
 extern void (*mbedtls_exit)( int status );
 /**
- * \brief             This function dynamically configures the exit
+ * \brief   Set your own exit function pointer
 *                    function that is called when the mbedtls_exit()
 *                    function is invoked by the library.
 *
- * \param exit_func   The \c exit function implementation.
+ * \param exit_func   the exit function implementation
 *
- * \return            \c 0 on success.
+ * \return              0
 */
 int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
 #else
@ -311,13 +265,12 @@ extern int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len );
 extern int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len );
 /**
- * \brief   This function allows configuring custom seed file writing and
+ * \brief   Set your own seed file writing/reading functions
 *          reading functions.
 *
- * \param   nv_seed_read_func   The seed reading function implementation.
+ * \param   nv_seed_read_func   the seed reading function implementation
- * \param   nv_seed_write_func  The seed writing function implementation.
+ * \param   nv_seed_write_func  the seed writing function implementation
 *
- * \return  \c 0 on success.
+ * \return              0
 */
 int mbedtls_platform_set_nv_seed(
            int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
@ -338,14 +291,13 @@ int mbedtls_platform_set_nv_seed(
 #if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
 /**
- * \brief   The platform context structure.
+ * \brief   Platform context structure
 *
 * \note    This structure may be used to assist platform-specific
- *          setup or teardown operations.
+ *          setup/teardown operations.
 */
-typedef struct mbedtls_platform_context
+typedef struct {
-{
+    char dummy; /**< Placeholder member as empty structs are not portable */
    char dummy; /**< A placeholder member, as empty structs are not portable. */
 }
 mbedtls_platform_context;
@ -354,34 +306,33 @@ mbedtls_platform_context;
 #endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
 /**
- * \brief   This function performs any platform-specific initialization
+ * \brief   Perform any platform initialisation operations
 *          operations.
 *
- * \note    This function should be called before any other library functions.
+ * \param   ctx     mbed TLS context
 *
- *          Its implementation is platform-specific, and unless
+ * \return  0 if successful
 *          platform-specific code is provided, it does nothing.
 *
- * \note    The usage and necessity of this function is dependent on the platform.
+ * \note    This function is intended to allow platform specific initialisation,
 *          and should be called before any other library functions. Its
 *          implementation is platform specific, and by default, unless platform
 *          specific code is provided, it does nothing.
 *
- * \param   ctx     The platform context.
+ *          Its use and whether its necessary to be called is dependent on the
- *
+ *          platform.
 * \return  \c 0 on success.
 */
 int mbedtls_platform_setup( mbedtls_platform_context *ctx );
 /**
- * \brief   This function performs any platform teardown operations.
+ * \brief   Perform any platform teardown operations
 *
- * \note    This function should be called after every other Mbed TLS module
+ * \param   ctx     mbed TLS context
 *          has been correctly freed using the appropriate free function.
 *
- *          Its implementation is platform-specific, and unless
+ * \note    This function should be called after every other mbed TLS module has
- *          platform-specific code is provided, it does nothing.
+ *          been correctly freed using the appropriate free function.
- *
+ *          Its implementation is platform specific, and by default, unless
- * \note    The usage and necessity of this function is dependent on the platform.
+ *          platform specific code is provided, it does nothing.
 *
 * \param   ctx     The platform context.
 *
 *          Its use and whether its necessary to be called is dependent on the
 *          platform.
 */
 void mbedtls_platform_teardown( mbedtls_platform_context *ctx );
--- a/include/mbedtls/platform_time.h
+++ b/include/mbedtls/platform_time.h
@ -2,16 +2,9 @@
 * \file platform_time.h
 *
 * \brief mbed TLS Platform time abstraction
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PLATFORM_TIME_H
 #define MBEDTLS_PLATFORM_TIME_H
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h
@ -1,221 +0,0 @@
 /**
 * \file platform_util.h
 *
 * \brief Common and shared functions used by multiple modules in the Mbed TLS
 *        library.
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_PLATFORM_UTIL_H
 #define MBEDTLS_PLATFORM_UTIL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #if defined(MBEDTLS_HAVE_TIME_DATE)
 #include "platform_time.h"
 #include <time.h>
 #endif /* MBEDTLS_HAVE_TIME_DATE */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if defined(MBEDTLS_CHECK_PARAMS)
 #if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
 /* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
 * (which is what our config.h suggests). */
 #include <assert.h>
 #endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
 #if defined(MBEDTLS_PARAM_FAILED)
 /** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
 *
 * This flag can be used to check whether it is safe to assume that
 * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
 */
 #define MBEDTLS_PARAM_FAILED_ALT
 #elif defined(MBEDTLS_CHECK_PARAMS_ASSERT)
 #define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
 #define MBEDTLS_PARAM_FAILED_ALT
 #else /* MBEDTLS_PARAM_FAILED */
 #define MBEDTLS_PARAM_FAILED( cond ) \
    mbedtls_param_failed( #cond, __FILE__, __LINE__ )
 /**
 * \brief       User supplied callback function for parameter validation failure.
 *              See #MBEDTLS_CHECK_PARAMS for context.
 *
 *              This function will be called unless an alternative treatement
 *              is defined through the #MBEDTLS_PARAM_FAILED macro.
 *
 *              This function can return, and the operation will be aborted, or
 *              alternatively, through use of setjmp()/longjmp() can resume
 *              execution in the application code.
 *
 * \param failure_condition The assertion that didn't hold.
 * \param file  The file where the assertion failed.
 * \param line  The line in the file where the assertion failed.
 */
 void mbedtls_param_failed( const char *failure_condition,
                           const char *file,
                           int line );
 #endif /* MBEDTLS_PARAM_FAILED */
 /* Internal macro meant to be called only from within the library. */
 #define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  \
    do {                                            \
        if( !(cond) )                               \
        {                                           \
            MBEDTLS_PARAM_FAILED( cond );           \
            return( ret );                          \
        }                                           \
    } while( 0 )
 /* Internal macro meant to be called only from within the library. */
 #define MBEDTLS_INTERNAL_VALIDATE( cond )           \
    do {                                            \
        if( !(cond) )                               \
        {                                           \
            MBEDTLS_PARAM_FAILED( cond );           \
            return;                                 \
        }                                           \
    } while( 0 )
 #else /* MBEDTLS_CHECK_PARAMS */
 /* Internal macros meant to be called only from within the library. */
 #define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  do { } while( 0 )
 #define MBEDTLS_INTERNAL_VALIDATE( cond )           do { } while( 0 )
 #endif /* MBEDTLS_CHECK_PARAMS */
 /* Internal helper macros for deprecating API constants. */
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 /* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
 * to avoid conflict with other headers which define and use
 * it, too. We might want to move all these definitions here at
 * some point for uniformity. */
 #define MBEDTLS_DEPRECATED __attribute__((deprecated))
 MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
 #define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
    ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
 MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
 #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL )       \
    ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
 #undef MBEDTLS_DEPRECATED
 #else /* MBEDTLS_DEPRECATED_WARNING */
 #define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
 #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
 #endif /* MBEDTLS_DEPRECATED_WARNING */
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 /**
 * \brief       Securely zeroize a buffer
 *
 *              The function is meant to wipe the data contained in a buffer so
 *              that it can no longer be recovered even if the program memory
 *              is later compromised. Call this function on sensitive data
 *              stored on the stack before returning from a function, and on
 *              sensitive data stored on the heap before freeing the heap
 *              object.
 *
 *              It is extremely difficult to guarantee that calls to
 *              mbedtls_platform_zeroize() are not removed by aggressive
 *              compiler optimizations in a portable way. For this reason, Mbed
 *              TLS provides the configuration option
 *              MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
 *              mbedtls_platform_zeroize() to use a suitable implementation for
 *              their platform and needs
 *
 * \param buf   Buffer to be zeroized
 * \param len   Length of the buffer in bytes
 *
 */
 void mbedtls_platform_zeroize( void *buf, size_t len );
 #if defined(MBEDTLS_HAVE_TIME_DATE)
 /**
 * \brief      Platform-specific implementation of gmtime_r()
 *
 *             The function is a thread-safe abstraction that behaves
 *             similarly to the gmtime_r() function from Unix/POSIX.
 *
 *             Mbed TLS will try to identify the underlying platform and
 *             make use of an appropriate underlying implementation (e.g.
 *             gmtime_r() for POSIX and gmtime_s() for Windows). If this is
 *             not possible, then gmtime() will be used. In this case, calls
 *             from the library to gmtime() will be guarded by the mutex
 *             mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
 *             enabled. It is recommended that calls from outside the library
 *             are also guarded by this mutex.
 *
 *             If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
 *             unconditionally use the alternative implementation for
 *             mbedtls_platform_gmtime_r() supplied by the user at compile time.
 *
 * \param tt     Pointer to an object containing time (in seconds) since the
 *               epoch to be converted
 * \param tm_buf Pointer to an object where the results will be stored
 *
 * \return      Pointer to an object of type struct tm on success, otherwise
 *              NULL
 */
 struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
                                      struct tm *tm_buf );
 #endif /* MBEDTLS_HAVE_TIME_DATE */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_PLATFORM_UTIL_H */
--- a/include/mbedtls/poly1305.h
+++ b/include/mbedtls/poly1305.h
@ -1,218 +0,0 @@
 /**
 * \file poly1305.h
 *
 * \brief   This file contains Poly1305 definitions and functions.
 *
 *          Poly1305 is a one-time message authenticator that can be used to
 *          authenticate messages. Poly1305-AES was created by Daniel
 *          Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
 *          Poly1305 algorithm (not tied to AES) was also standardized in RFC
 *          7539.
 *
 * \author Daniel King <damaki.gh@gmail.com>
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_POLY1305_H
 #define MBEDTLS_POLY1305_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdint.h>
 #include <stddef.h>
 #define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
 /* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
 * used. */
 #define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
 /* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
 */
 #define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B  /**< Poly1305 hardware accelerator failed. */
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_POLY1305_ALT)
 typedef struct mbedtls_poly1305_context
 {
    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
    uint32_t acc[5];    /** The accumulator number. */
    uint8_t queue[16];  /** The current partial block of data. */
    size_t queue_len;   /** The number of bytes stored in 'queue'. */
 }
 mbedtls_poly1305_context;
 #else  /* MBEDTLS_POLY1305_ALT */
 #include "poly1305_alt.h"
 #endif /* MBEDTLS_POLY1305_ALT */
 /**
 * \brief           This function initializes the specified Poly1305 context.
 *
 *                  It must be the first API called before using
 *                  the context.
 *
 *                  It is usually followed by a call to
 *                  \c mbedtls_poly1305_starts(), then one or more calls to
 *                  \c mbedtls_poly1305_update(), then one call to
 *                  \c mbedtls_poly1305_finish(), then finally
 *                  \c mbedtls_poly1305_free().
 *
 * \param ctx       The Poly1305 context to initialize. This must
 *                  not be \c NULL.
 */
 void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
 /**
 * \brief           This function releases and clears the specified
 *                  Poly1305 context.
 *
 * \param ctx       The Poly1305 context to clear. This may be \c NULL, in which
 *                  case this function is a no-op. If it is not \c NULL, it must
 *                  point to an initialized Poly1305 context.
 */
 void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
 /**
 * \brief           This function sets the one-time authentication key.
 *
 * \warning         The key must be unique and unpredictable for each
 *                  invocation of Poly1305.
 *
 * \param ctx       The Poly1305 context to which the key should be bound.
 *                  This must be initialized.
 * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
                             const unsigned char key[32] );
 /**
 * \brief           This functions feeds an input buffer into an ongoing
 *                  Poly1305 computation.
 *
 *                  It is called between \c mbedtls_cipher_poly1305_starts() and
 *                  \c mbedtls_cipher_poly1305_finish().
 *                  It can be called repeatedly to process a stream of data.
 *
 * \param ctx       The Poly1305 context to use for the Poly1305 operation.
 *                  This must be initialized and bound to a key.
 * \param ilen      The length of the input data in Bytes.
 *                  Any value is accepted.
 * \param input     The buffer holding the input data.
 *                  This pointer can be \c NULL if `ilen == 0`.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
                             const unsigned char *input,
                             size_t ilen );
 /**
 * \brief           This function generates the Poly1305 Message
 *                  Authentication Code (MAC).
 *
 * \param ctx       The Poly1305 context to use for the Poly1305 operation.
 *                  This must be initialized and bound to a key.
 * \param mac       The buffer to where the MAC is written. This must
 *                  be a writable buffer of length \c 16 Bytes.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
                             unsigned char mac[16] );
 /**
 * \brief           This function calculates the Poly1305 MAC of the input
 *                  buffer with the provided key.
 *
 * \warning         The key must be unique and unpredictable for each
 *                  invocation of Poly1305.
 *
 * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
 * \param ilen      The length of the input data in Bytes.
 *                  Any value is accepted.
 * \param input     The buffer holding the input data.
 *                  This pointer can be \c NULL if `ilen == 0`.
 * \param mac       The buffer to where the MAC is written. This must be
 *                  a writable buffer of length \c 16 Bytes.
 *
 * \return          \c 0 on success.
 * \return          A negative error code on failure.
 */
 int mbedtls_poly1305_mac( const unsigned char key[32],
                          const unsigned char *input,
                          size_t ilen,
                          unsigned char mac[16] );
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief           The Poly1305 checkup routine.
 *
 * \return          \c 0 on success.
 * \return          \c 1 on failure.
 */
 int mbedtls_poly1305_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
 #endif /* MBEDTLS_POLY1305_H */
--- a/include/mbedtls/ripemd160.h
+++ b/include/mbedtls/ripemd160.h
@ -2,16 +2,9 @@
 * \file ripemd160.h
 *
 * \brief RIPE MD-160 message digest
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
- *  This file is provided under the Apache License 2.0, or the
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  GNU General Public License v2.0 or later.
+ *  SPDX-License-Identifier: Apache-2.0
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
@ -25,26 +18,7 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
- *  **********
+ *  This file is part of mbed TLS (https://tls.mbed.org)
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 */
 #ifndef MBEDTLS_RIPEMD160_H
 #define MBEDTLS_RIPEMD160_H
@ -58,22 +32,18 @@
 #include <stddef.h>
 #include <stdint.h>
-/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+#if !defined(MBEDTLS_RIPEMD160_ALT)
- */
+// Regular implementation
-#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
+//
 #ifdef __cplusplus
 extern "C" {
 #endif
 #if !defined(MBEDTLS_RIPEMD160_ALT)
 // Regular implementation
 //
 /**
 * \brief          RIPEMD-160 context structure
 */
-typedef struct mbedtls_ripemd160_context
+typedef struct
 {
    uint32_t total[2];          /*!< number of bytes processed  */
    uint32_t state[5];          /*!< intermediate digest state  */
@ -81,10 +51,6 @@ typedef struct mbedtls_ripemd160_context
 }
 mbedtls_ripemd160_context;
 #else  /* MBEDTLS_RIPEMD160_ALT */
 #include "ripemd160.h"
 #endif /* MBEDTLS_RIPEMD160_ALT */
 /**
 * \brief          Initialize RIPEMD-160 context
 *
@ -112,139 +78,51 @@ void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
 * \brief          RIPEMD-160 context setup
 *
 * \param ctx      context to be initialized
 *
 * \return         0 if successful
 */
-int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx );
+void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx );
 /**
 * \brief          RIPEMD-160 process buffer
 *
 * \param ctx      RIPEMD-160 context
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 *
 * \return         0 if successful
 */
-int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx,
-                                  const unsigned char *input,
+                       const unsigned char *input, size_t ilen );
                                  size_t ilen );
 /**
 * \brief          RIPEMD-160 final digest
 *
 * \param ctx      RIPEMD-160 context
 * \param output   RIPEMD-160 checksum result
 *
 * \return         0 if successful
 */
-int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx, unsigned char output[20] );
                                  unsigned char output[20] );
-/**
+/* Internal use */
- * \brief          RIPEMD-160 process data block (internal use only)
+void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned char data[64] );
 *
 * \param ctx      RIPEMD-160 context
 * \param data     buffer holding one block of data
 *
 * \return         0 if successful
 */
 int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
                                        const unsigned char data[64] );
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#ifdef __cplusplus
-#if defined(MBEDTLS_DEPRECATED_WARNING)
+}
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          RIPEMD-160 context setup
 *
 * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
 *
 * \param ctx      context to be initialized
 */
 MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
                                            mbedtls_ripemd160_context *ctx );
-/**
+#else  /* MBEDTLS_RIPEMD160_ALT */
- * \brief          RIPEMD-160 process buffer
+#include "ripemd160.h"
- *
+#endif /* MBEDTLS_RIPEMD160_ALT */
 * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
 *
 * \param ctx      RIPEMD-160 context
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 */
 MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
                                                mbedtls_ripemd160_context *ctx,
                                                const unsigned char *input,
                                                size_t ilen );
-/**
+#ifdef __cplusplus
- * \brief          RIPEMD-160 final digest
+extern "C" {
- *
+#endif
 * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
 *
 * \param ctx      RIPEMD-160 context
 * \param output   RIPEMD-160 checksum result
 */
 MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
                                                mbedtls_ripemd160_context *ctx,
                                                unsigned char output[20] );
 /**
 * \brief          RIPEMD-160 process data block (internal use only)
 *
 * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
 *
 * \param ctx      RIPEMD-160 context
 * \param data     buffer holding one block of data
 */
 MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
                                            mbedtls_ripemd160_context *ctx,
                                            const unsigned char data[64] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /**
 * \brief          Output = RIPEMD-160( input buffer )
 *
- * \param input    buffer holding the data
+ * \param input    buffer holding the  data
 * \param ilen     length of the input data
 * \param output   RIPEMD-160 checksum result
 *
 * \return         0 if successful
 */
 int mbedtls_ripemd160_ret( const unsigned char *input,
                           size_t ilen,
                           unsigned char output[20] );
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
 #endif
 /**
 * \brief          Output = RIPEMD-160( input buffer )
 *
 * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
 *
 * \param input    buffer holding the data
 * \param ilen     length of the input data
 * \param output   RIPEMD-160 checksum result
 */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
+void mbedtls_ripemd160( const unsigned char *input, size_t ilen,
-                                           size_t ilen,
+                unsigned char output[20] );
                                           unsigned char output[20] );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SELF_TEST)
 /**
 * \brief          Checkup routine
@ -253,8 +131,6 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
 */
 int mbedtls_ripemd160_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
--- a/include/mbedtls/rsa_internal.h
+++ b/include/mbedtls/rsa_internal.h
@ -1,251 +0,0 @@
 /**
 * \file rsa_internal.h
 *
 * \brief Context-independent RSA helper functions
 *
 *  This module declares some RSA-related helper functions useful when
 *  implementing the RSA interface. These functions are provided in a separate
 *  compilation unit in order to make it easy for designers of alternative RSA
 *  implementations to use them in their own code, as it is conceived that the
 *  functionality they provide will be necessary for most complete
 *  implementations.
 *
 *  End-users of Mbed TLS who are not providing their own alternative RSA
 *  implementations should not use these functions directly, and should instead
 *  use only the functions declared in rsa.h.
 *
 *  The interface provided by this module will be maintained through LTS (Long
 *  Term Support) branches of Mbed TLS, but may otherwise be subject to change,
 *  and must be considered an internal interface of the library.
 *
 *  There are two classes of helper functions:
 *
 *  (1) Parameter-generating helpers. These are:
 *      - mbedtls_rsa_deduce_primes
 *      - mbedtls_rsa_deduce_private_exponent
 *      - mbedtls_rsa_deduce_crt
 *       Each of these functions takes a set of core RSA parameters and
 *       generates some other, or CRT related parameters.
 *
 *  (2) Parameter-checking helpers. These are:
 *      - mbedtls_rsa_validate_params
 *      - mbedtls_rsa_validate_crt
 *      They take a set of core or CRT related RSA parameters and check their
 *      validity.
 *
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 *
 *  This file is provided under the Apache License 2.0, or the
 *  GNU General Public License v2.0 or later.
 *
 *  **********
 *  Apache License 2.0:
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  **********
 *
 *  **********
 *  GNU General Public License v2.0 or later:
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 *  **********
 *
 */
 #ifndef MBEDTLS_RSA_INTERNAL_H
 #define MBEDTLS_RSA_INTERNAL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "bignum.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * \brief          Compute RSA prime moduli P, Q from public modulus N=PQ
 *                 and a pair of private and public key.
 *
 * \note           This is a 'static' helper function not operating on
 *                 an RSA context. Alternative implementations need not
 *                 overwrite it.
 *
 * \param N        RSA modulus N = PQ, with P, Q to be found
 * \param E        RSA public exponent
 * \param D        RSA private exponent
 * \param P        Pointer to MPI holding first prime factor of N on success
 * \param Q        Pointer to MPI holding second prime factor of N on success
 *
 * \return
 *                 - 0 if successful. In this case, P and Q constitute a
 *                   factorization of N.
 *                 - A non-zero error code otherwise.
 *
 * \note           It is neither checked that P, Q are prime nor that
 *                 D, E are modular inverses wrt. P-1 and Q-1. For that,
 *                 use the helper function \c mbedtls_rsa_validate_params.
 *
 */
 int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N, mbedtls_mpi const *E,
                               mbedtls_mpi const *D,
                               mbedtls_mpi *P, mbedtls_mpi *Q );
 /**
 * \brief          Compute RSA private exponent from
 *                 prime moduli and public key.
 *
 * \note           This is a 'static' helper function not operating on
 *                 an RSA context. Alternative implementations need not
 *                 overwrite it.
 *
 * \param P        First prime factor of RSA modulus
 * \param Q        Second prime factor of RSA modulus
 * \param E        RSA public exponent
 * \param D        Pointer to MPI holding the private exponent on success.
 *
 * \return
 *                 - 0 if successful. In this case, D is set to a simultaneous
 *                   modular inverse of E modulo both P-1 and Q-1.
 *                 - A non-zero error code otherwise.
 *
 * \note           This function does not check whether P and Q are primes.
 *
 */
 int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
                                         mbedtls_mpi const *Q,
                                         mbedtls_mpi const *E,
                                         mbedtls_mpi *D );
 /**
 * \brief          Generate RSA-CRT parameters
 *
 * \note           This is a 'static' helper function not operating on
 *                 an RSA context. Alternative implementations need not
 *                 overwrite it.
 *
 * \param P        First prime factor of N
 * \param Q        Second prime factor of N
 * \param D        RSA private exponent
 * \param DP       Output variable for D modulo P-1
 * \param DQ       Output variable for D modulo Q-1
 * \param QP       Output variable for the modular inverse of Q modulo P.
 *
 * \return         0 on success, non-zero error code otherwise.
 *
 * \note           This function does not check whether P, Q are
 *                 prime and whether D is a valid private exponent.
 *
 */
 int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
                            const mbedtls_mpi *D, mbedtls_mpi *DP,
                            mbedtls_mpi *DQ, mbedtls_mpi *QP );
 /**
 * \brief          Check validity of core RSA parameters
 *
 * \note           This is a 'static' helper function not operating on
 *                 an RSA context. Alternative implementations need not
 *                 overwrite it.
 *
 * \param N        RSA modulus N = PQ
 * \param P        First prime factor of N
 * \param Q        Second prime factor of N
 * \param D        RSA private exponent
 * \param E        RSA public exponent
 * \param f_rng    PRNG to be used for primality check, or NULL
 * \param p_rng    PRNG context for f_rng, or NULL
 *
 * \return
 *                 - 0 if the following conditions are satisfied
 *                   if all relevant parameters are provided:
 *                    - P prime if f_rng != NULL (%)
 *                    - Q prime if f_rng != NULL (%)
 *                    - 1 < N = P * Q
 *                    - 1 < D, E < N
 *                    - D and E are modular inverses modulo P-1 and Q-1
 *                   (%) This is only done if MBEDTLS_GENPRIME is defined.
 *                 - A non-zero error code otherwise.
 *
 * \note           The function can be used with a restricted set of arguments
 *                 to perform specific checks only. E.g., calling it with
 *                 (-,P,-,-,-) and a PRNG amounts to a primality check for P.
 */
 int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
                                 const mbedtls_mpi *E,
                                 int (*f_rng)(void *, unsigned char *, size_t),
                                 void *p_rng );
 /**
 * \brief          Check validity of RSA CRT parameters
 *
 * \note           This is a 'static' helper function not operating on
 *                 an RSA context. Alternative implementations need not
 *                 overwrite it.
 *
 * \param P        First prime factor of RSA modulus
 * \param Q        Second prime factor of RSA modulus
 * \param D        RSA private exponent
 * \param DP       MPI to check for D modulo P-1
 * \param DQ       MPI to check for D modulo P-1
 * \param QP       MPI to check for the modular inverse of Q modulo P.
 *
 * \return
 *                 - 0 if the following conditions are satisfied:
 *                    - D = DP mod P-1 if P, D, DP != NULL
 *                    - Q = DQ mod P-1 if P, D, DQ != NULL
 *                    - QP = Q^-1 mod P if P, Q, QP != NULL
 *                 - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
 *                   potentially including \c MBEDTLS_ERR_MPI_XXX if some
 *                   MPI calculations failed.
 *                 - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
 *                   data was provided to check DP, DQ or QP.
 *
 * \note           The function can be used with a restricted set of arguments
 *                 to perform specific checks only. E.g., calling it with the
 *                 parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
 */
 int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
 #ifdef __cplusplus
 }
 #endif
 #endif /* rsa_internal.h */
--- a/Show more
+++ b/Show more
		`@ -1,2 +0,0 @@`
			`Changes`
			`* Fix the setting of the read timeout in the DTLS sample programs.`
		`@ -1,2 +0,0 @@`
			`Bugfix`
			`* Fix an incorrect error code when parsing a PKCS#8 private key.`