cmakelists: Temporarily add UTF-8 fix (REMOVE WHEN UPSTREAM IS FIXED)

Backport 2.16: Remove the sample program aescrypt2

.github/issue_template.md

@@ -1,7 +1,7 @@
 Note: This is just a template, so feel free to use/remove the unnecessary things
 
 ### Description
-- Type: Bug | Enhancement\Feature Request
+- Type: Bug | Enhancement\Feature Request | Question
 - Priority: Blocker | Major | Minor
 
 ---------------------------------------------------------------
@@ -38,4 +38,4 @@ Version:
 
 ## Question
 
-**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb). If you can't find the answer you're looking for then please use the [Mbed TLS mailing list](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls)**
+**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferably file an issue in the [Mbed TLS support forum](https://forums.mbed.com/c/mbed-tls)**  

.gitignore

@@ -31,20 +31,6 @@ massif-*
 # Python build artifacts:
 *.pyc
 
-# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those:
-*.dir/
-
-# Microsoft CMake extension for Visual Studio Code generates a build directory by default
-/build/
-
-# Visual Studio artifacts
-/visualc/VS2010/.localhistory/
-/visualc/VS2010/.vs/
-/visualc/VS2010/Debug/
-/visualc/VS2010/Release/
-/visualc/VS2010/*.vcxproj.filters
-/visualc/VS2010/*.vcxproj.user
-
 # Generated documentation:
 /apidoc
 

.pylintrc

@@ -23,7 +23,7 @@ module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|[a-z][-0-9a-z]+)$
 
 # Some functions don't need docstrings.
 # [missing-docstring]
-no-docstring-rgx=(run_)?main$
+no-docstring-rgx=(run_)main$
 
 # We're ok with short local or global variable names.
 # [invalid-name]

.travis.yml

@@ -28,6 +28,10 @@ jobs:
       script:
         - tests/scripts/all.sh -k test_full_cmake_gcc_asan
 
+    - name: check compilation guards
+      script:
+        - tests/scripts/all.sh -k 'test_depends_*' 'build_key_exchanges'
+
     - name: macOS
       os: osx
       compiler: clang
@@ -36,16 +40,7 @@ jobs:
 
     - name: Windows
       os: windows
-      before_install:
-        - choco install python --version=3.5.4
-      env:
-        # Add the directory where the Choco package goes
-        - PATH=/c/Python35:/c/Python35/Scripts:$PATH
       script:
-        - type python; python --version
-        - python scripts/generate_psa_constants.py
-        # Logs appear out of sequence on Windows. Give time to catch up.
-        - sleep 5
         - scripts/windows_msbuild.bat v141 # Visual Studio 2017
 
 after_failure:

3rdparty/.gitignore

@@ -1 +0,0 @@
-/Makefile

3rdparty/CMakeLists.txt

@@ -1,17 +0,0 @@
-list (APPEND thirdparty_src)
-list (APPEND thirdparty_lib)
-list (APPEND thirdparty_inc_public)
-list (APPEND thirdparty_inc)
-list (APPEND thirdparty_def)
-
-execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
-
-if(${result} EQUAL 0)
-    add_subdirectory(everest)
-endif()
-
-set(thirdparty_src ${thirdparty_src} PARENT_SCOPE)
-set(thirdparty_lib ${thirdparty_lib} PARENT_SCOPE)
-set(thirdparty_inc_public ${thirdparty_inc_public} PARENT_SCOPE)
-set(thirdparty_inc ${thirdparty_inc} PARENT_SCOPE)
-set(thirdparty_def ${thirdparty_def} PARENT_SCOPE)

3rdparty/Makefile.inc

@@ -1,2 +0,0 @@
-THIRDPARTY_DIR = $(dir $(lastword $(MAKEFILE_LIST)))
-include $(THIRDPARTY_DIR)/everest/Makefile.inc

3rdparty/everest/.gitignore

@@ -1,2 +0,0 @@
-*.o
-Makefile

3rdparty/everest/CMakeLists.txt

@@ -1,28 +0,0 @@
-list (APPEND everest_src)
-list (APPEND everest_inc_public)
-list (APPEND everest_inc)
-list (APPEND everest_def)
-
-set(everest_src
-  ${CMAKE_CURRENT_SOURCE_DIR}/library/everest.c
-  ${CMAKE_CURRENT_SOURCE_DIR}/library/x25519.c
-  ${CMAKE_CURRENT_SOURCE_DIR}/library/Hacl_Curve25519_joined.c
-)
-
-list(APPEND everest_inc_public ${CMAKE_CURRENT_SOURCE_DIR}/include)
-list(APPEND everest_inc ${CMAKE_CURRENT_SOURCE_DIR}/include/everest ${CMAKE_CURRENT_SOURCE_DIR}/include/everest/kremlib)
-
-if(INSTALL_MBEDTLS_HEADERS)
-
-  install(DIRECTORY include/everest
-    DESTINATION include
-    FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
-    DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
-    FILES_MATCHING PATTERN "*.h")
-
-endif(INSTALL_MBEDTLS_HEADERS)
-
-set(thirdparty_src ${thirdparty_src} ${everest_src} PARENT_SCOPE)
-set(thirdparty_inc_public ${thirdparty_inc_public} ${everest_inc_public} PARENT_SCOPE)
-set(thirdparty_inc ${thirdparty_inc} ${everest_inc} PARENT_SCOPE)
-set(thirdparty_def ${thirdparty_def} ${everest_def} PARENT_SCOPE)

3rdparty/everest/Makefile.inc

@@ -1,6 +0,0 @@
-THIRDPARTY_INCLUDES+=-I../3rdparty/everest/include -I../3rdparty/everest/include/everest -I../3rdparty/everest/include/everest/kremlib
-
-THIRDPARTY_CRYPTO_OBJECTS+= \
-	../3rdparty/everest/library/everest.o \
-	../3rdparty/everest/library/x25519.o \
-	../3rdparty/everest/library/Hacl_Curve25519_joined.o

3rdparty/everest/README.md

@@ -1,5 +0,0 @@
-The files in this directory stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
-
-This is a formally verified implementation of Curve25519-based handshakes. The C code is automatically derived from the (verified) [original implementation](https://github.com/project-everest/hacl-star/tree/master/code/curve25519) in the [F* language](https://github.com/fstarlang/fstar) by [KreMLin](https://github.com/fstarlang/kremlin). In addition to the improved safety and security of the implementation, it is also significantly faster than the default implementation of Curve25519 in mbedTLS.
-
-The caveat is that not all platforms are supported, although the version in `everest/library/legacy` should work on most systems. The main issue is that some platforms do not provide a 128-bit integer type and KreMLin therefore has to use additional (also verified) code to simulate them, resulting in less of a performance gain overall. Explictly supported platforms are currently `x86` and `x86_64` using gcc or clang, and Visual C (2010 and later).

3rdparty/everest/include/everest/Hacl_Curve25519.h

@@ -1,21 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fbuiltin-uint128 -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-
-#ifndef __Hacl_Curve25519_H
-#define __Hacl_Curve25519_H
-
-
-#include "kremlib.h"
-
-void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
-
-#define __Hacl_Curve25519_H_DEFINED
-#endif

3rdparty/everest/include/everest/everest.h

@@ -1,234 +0,0 @@
-/*
- *  Interface to code from Project Everest
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org).
- */
-
-#ifndef MBEDTLS_EVEREST_H
-#define MBEDTLS_EVEREST_H
-
-#include "everest/x25519.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Defines the source of the imported EC key.
- */
-typedef enum
-{
-    MBEDTLS_EVEREST_ECDH_OURS,   /**< Our key. */
-    MBEDTLS_EVEREST_ECDH_THEIRS, /**< The key of the peer. */
-} mbedtls_everest_ecdh_side;
-
-typedef struct {
-    mbedtls_x25519_context ctx;
-} mbedtls_ecdh_context_everest;
-
-
-/**
- * \brief           This function sets up the ECDH context with the information
- *                  given.
- *
- *                  This function should be called after mbedtls_ecdh_init() but
- *                  before mbedtls_ecdh_make_params(). There is no need to call
- *                  this function before mbedtls_ecdh_read_params().
- *
- *                  This is the first function used by a TLS server for ECDHE
- *                  ciphersuites.
- *
- * \param ctx       The ECDH context to set up.
- * \param grp_id    The group id of the group to set up the context for.
- *
- * \return          \c 0 on success.
- */
-int mbedtls_everest_setup( mbedtls_ecdh_context_everest *ctx, int grp_id );
-
-/**
- * \brief           This function frees a context.
- *
- * \param ctx       The context to free.
- */
-void mbedtls_everest_free( mbedtls_ecdh_context_everest *ctx );
-
-/**
- * \brief           This function generates a public key and a TLS
- *                  ServerKeyExchange payload.
- *
- *                  This is the second function used by a TLS server for ECDHE
- *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
- *
- * \note            This function assumes that the ECP group (grp) of the
- *                  \p ctx context has already been properly set,
- *                  for example, using mbedtls_ecp_group_load().
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context.
- * \param olen      The number of characters written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_everest_make_params( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng );
-
-/**
- * \brief           This function parses and processes a TLS ServerKeyExhange
- *                  payload.
- *
- *                  This is the first function used by a TLS client for ECDHE
- *                  ciphersuites.
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context.
- * \param buf       The pointer to the start of the input buffer.
- * \param end       The address for one Byte past the end of the buffer.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
-                                 const unsigned char **buf, const unsigned char *end );
-
-/**
- * \brief           This function parses and processes a TLS ServerKeyExhange
- *                  payload.
- *
- *                  This is the first function used by a TLS client for ECDHE
- *                  ciphersuites.
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context.
- * \param buf       The pointer to the start of the input buffer.
- * \param end       The address for one Byte past the end of the buffer.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
-                                 const unsigned char **buf, const unsigned char *end );
-
-/**
- * \brief           This function sets up an ECDH context from an EC key.
- *
- *                  It is used by clients and servers in place of the
- *                  ServerKeyEchange for static ECDH, and imports ECDH
- *                  parameters from the EC key information of a certificate.
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context to set up.
- * \param key       The EC key to use.
- * \param side      Defines the source of the key: 1: Our key, or
- *                  0: The key of the peer.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_everest_get_params( mbedtls_ecdh_context_everest *ctx, const mbedtls_ecp_keypair *key,
-                                mbedtls_everest_ecdh_side side );
-
-/**
- * \brief           This function generates a public key and a TLS
- *                  ClientKeyExchange payload.
- *
- *                  This is the second function used by a TLS client for ECDH(E)
- *                  ciphersuites.
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The size of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_everest_make_public( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng );
-
-/**
- * \brief       This function parses and processes a TLS ClientKeyExchange
- *              payload.
- *
- *              This is the third function used by a TLS server for ECDH(E)
- *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
- *              mbedtls_ecdh_make_params().)
- *
- * \see         ecp.h
- *
- * \param ctx   The ECDH context.
- * \param buf   The start of the input buffer.
- * \param blen  The length of the input buffer.
- *
- * \return      \c 0 on success.
- * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_everest_read_public( mbedtls_ecdh_context_everest *ctx,
-                                 const unsigned char *buf, size_t blen );
-
-/**
- * \brief           This function derives and exports the shared secret.
- *
- *                  This is the last function used by both TLS client
- *                  and servers.
- *
- * \note            If \p f_rng is not NULL, it is used to implement
- *                  countermeasures against side-channel attacks.
- *                  For more information, see mbedtls_ecp_mul().
- *
- * \see             ecp.h
- *
- * \param ctx       The ECDH context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_everest_calc_secret( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_EVEREST_H */

3rdparty/everest/include/everest/kremlib.h

@@ -1,29 +0,0 @@
-/*
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org) and
- *  originated from Project Everest (https://project-everest.github.io/)
- */
-
-#ifndef __KREMLIB_H
-#define __KREMLIB_H
-
-#include "kremlin/internal/target.h"
-#include "kremlin/internal/types.h"
-#include "kremlin/c_endianness.h"
-
-#endif     /* __KREMLIB_H */

3rdparty/everest/include/everest/kremlib/FStar_UInt128.h

@@ -1,124 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/uint128 -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/types.h" -bundle FStar.UInt128=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-
-#ifndef __FStar_UInt128_H
-#define __FStar_UInt128_H
-
-
-#include <inttypes.h>
-#include <stdbool.h>
-#include "kremlin/internal/types.h"
-
-uint64_t FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 projectee);
-
-uint64_t FStar_UInt128___proj__Mkuint128__item__high(FStar_UInt128_uint128 projectee);
-
-typedef FStar_UInt128_uint128 FStar_UInt128_t;
-
-FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128
-FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128
-FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
-
-FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
-
-FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
-
-bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
-
-uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Question_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Question_Hat)(
-  FStar_UInt128_uint128 x0,
-  FStar_UInt128_uint128 x1
-);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Amp_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Hat_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Bar_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Less_Less_Hat)(FStar_UInt128_uint128 x0, uint32_t x1);
-
-extern FStar_UInt128_uint128
-(*FStar_UInt128_op_Greater_Greater_Hat)(FStar_UInt128_uint128 x0, uint32_t x1);
-
-extern bool (*FStar_UInt128_op_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern bool
-(*FStar_UInt128_op_Greater_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern bool (*FStar_UInt128_op_Less_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern bool
-(*FStar_UInt128_op_Greater_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern bool
-(*FStar_UInt128_op_Less_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y);
-
-FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
-
-#define __FStar_UInt128_H_DEFINED
-#endif

3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h

@@ -1,280 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/minimal -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/compat.h" -add-include "kremlin/internal/types.h" -bundle FStar.UInt64+FStar.UInt32+FStar.UInt16+FStar.UInt8=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-
-#ifndef __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H
-#define __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H
-
-
-#include <inttypes.h>
-#include <stdbool.h>
-#include "kremlin/internal/compat.h"
-#include "kremlin/internal/types.h"
-
-extern Prims_int FStar_UInt64_n;
-
-extern Prims_int FStar_UInt64_v(uint64_t x0);
-
-extern uint64_t FStar_UInt64_uint_to_t(Prims_int x0);
-
-extern uint64_t FStar_UInt64_add(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_add_underspec(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_add_mod(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_sub(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_sub_underspec(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_sub_mod(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_mul(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_mul_underspec(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_mul_mod(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_mul_div(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_div(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_rem(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_logand(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_logxor(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_logor(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_lognot(uint64_t x0);
-
-extern uint64_t FStar_UInt64_shift_right(uint64_t x0, uint32_t x1);
-
-extern uint64_t FStar_UInt64_shift_left(uint64_t x0, uint32_t x1);
-
-extern bool FStar_UInt64_eq(uint64_t x0, uint64_t x1);
-
-extern bool FStar_UInt64_gt(uint64_t x0, uint64_t x1);
-
-extern bool FStar_UInt64_gte(uint64_t x0, uint64_t x1);
-
-extern bool FStar_UInt64_lt(uint64_t x0, uint64_t x1);
-
-extern bool FStar_UInt64_lte(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_minus(uint64_t x0);
-
-extern uint32_t FStar_UInt64_n_minus_one;
-
-uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
-
-uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
-
-extern Prims_string FStar_UInt64_to_string(uint64_t x0);
-
-extern uint64_t FStar_UInt64_of_string(Prims_string x0);
-
-extern Prims_int FStar_UInt32_n;
-
-extern Prims_int FStar_UInt32_v(uint32_t x0);
-
-extern uint32_t FStar_UInt32_uint_to_t(Prims_int x0);
-
-extern uint32_t FStar_UInt32_add(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_add_underspec(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_add_mod(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_sub(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_sub_underspec(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_sub_mod(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_mul(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_mul_underspec(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_mul_mod(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_mul_div(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_div(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_rem(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_logand(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_logxor(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_logor(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_lognot(uint32_t x0);
-
-extern uint32_t FStar_UInt32_shift_right(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_shift_left(uint32_t x0, uint32_t x1);
-
-extern bool FStar_UInt32_eq(uint32_t x0, uint32_t x1);
-
-extern bool FStar_UInt32_gt(uint32_t x0, uint32_t x1);
-
-extern bool FStar_UInt32_gte(uint32_t x0, uint32_t x1);
-
-extern bool FStar_UInt32_lt(uint32_t x0, uint32_t x1);
-
-extern bool FStar_UInt32_lte(uint32_t x0, uint32_t x1);
-
-extern uint32_t FStar_UInt32_minus(uint32_t x0);
-
-extern uint32_t FStar_UInt32_n_minus_one;
-
-uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b);
-
-uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b);
-
-extern Prims_string FStar_UInt32_to_string(uint32_t x0);
-
-extern uint32_t FStar_UInt32_of_string(Prims_string x0);
-
-extern Prims_int FStar_UInt16_n;
-
-extern Prims_int FStar_UInt16_v(uint16_t x0);
-
-extern uint16_t FStar_UInt16_uint_to_t(Prims_int x0);
-
-extern uint16_t FStar_UInt16_add(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_add_underspec(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_add_mod(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_sub(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_sub_underspec(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_sub_mod(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_mul(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_mul_underspec(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_mul_mod(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_mul_div(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_div(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_rem(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_logand(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_logxor(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_logor(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_lognot(uint16_t x0);
-
-extern uint16_t FStar_UInt16_shift_right(uint16_t x0, uint32_t x1);
-
-extern uint16_t FStar_UInt16_shift_left(uint16_t x0, uint32_t x1);
-
-extern bool FStar_UInt16_eq(uint16_t x0, uint16_t x1);
-
-extern bool FStar_UInt16_gt(uint16_t x0, uint16_t x1);
-
-extern bool FStar_UInt16_gte(uint16_t x0, uint16_t x1);
-
-extern bool FStar_UInt16_lt(uint16_t x0, uint16_t x1);
-
-extern bool FStar_UInt16_lte(uint16_t x0, uint16_t x1);
-
-extern uint16_t FStar_UInt16_minus(uint16_t x0);
-
-extern uint32_t FStar_UInt16_n_minus_one;
-
-uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b);
-
-uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b);
-
-extern Prims_string FStar_UInt16_to_string(uint16_t x0);
-
-extern uint16_t FStar_UInt16_of_string(Prims_string x0);
-
-extern Prims_int FStar_UInt8_n;
-
-extern Prims_int FStar_UInt8_v(uint8_t x0);
-
-extern uint8_t FStar_UInt8_uint_to_t(Prims_int x0);
-
-extern uint8_t FStar_UInt8_add(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_add_underspec(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_add_mod(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_sub(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_sub_underspec(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_sub_mod(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_mul(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_mul_underspec(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_mul_mod(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_mul_div(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_div(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_rem(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_logand(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_logxor(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_logor(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_lognot(uint8_t x0);
-
-extern uint8_t FStar_UInt8_shift_right(uint8_t x0, uint32_t x1);
-
-extern uint8_t FStar_UInt8_shift_left(uint8_t x0, uint32_t x1);
-
-extern bool FStar_UInt8_eq(uint8_t x0, uint8_t x1);
-
-extern bool FStar_UInt8_gt(uint8_t x0, uint8_t x1);
-
-extern bool FStar_UInt8_gte(uint8_t x0, uint8_t x1);
-
-extern bool FStar_UInt8_lt(uint8_t x0, uint8_t x1);
-
-extern bool FStar_UInt8_lte(uint8_t x0, uint8_t x1);
-
-extern uint8_t FStar_UInt8_minus(uint8_t x0);
-
-extern uint32_t FStar_UInt8_n_minus_one;
-
-uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
-
-uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b);
-
-extern Prims_string FStar_UInt8_to_string(uint8_t x0);
-
-extern uint8_t FStar_UInt8_of_string(Prims_string x0);
-
-typedef uint8_t FStar_UInt8_byte;
-
-#define __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H_DEFINED
-#endif

3rdparty/everest/include/everest/kremlin/c_endianness.h

@@ -1,204 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef __KREMLIN_ENDIAN_H
-#define __KREMLIN_ENDIAN_H
-
-#include <string.h>
-#include <inttypes.h>
-
-/******************************************************************************/
-/* Implementing C.fst (part 2: endian-ness macros)                            */
-/******************************************************************************/
-
-/* ... for Linux */
-#if defined(__linux__) || defined(__CYGWIN__)
-#  include <endian.h>
-
-/* ... for OSX */
-#elif defined(__APPLE__)
-#  include <libkern/OSByteOrder.h>
-#  define htole64(x) OSSwapHostToLittleInt64(x)
-#  define le64toh(x) OSSwapLittleToHostInt64(x)
-#  define htobe64(x) OSSwapHostToBigInt64(x)
-#  define be64toh(x) OSSwapBigToHostInt64(x)
-
-#  define htole16(x) OSSwapHostToLittleInt16(x)
-#  define le16toh(x) OSSwapLittleToHostInt16(x)
-#  define htobe16(x) OSSwapHostToBigInt16(x)
-#  define be16toh(x) OSSwapBigToHostInt16(x)
-
-#  define htole32(x) OSSwapHostToLittleInt32(x)
-#  define le32toh(x) OSSwapLittleToHostInt32(x)
-#  define htobe32(x) OSSwapHostToBigInt32(x)
-#  define be32toh(x) OSSwapBigToHostInt32(x)
-
-/* ... for Solaris */
-#elif defined(__sun__)
-#  include <sys/byteorder.h>
-#  define htole64(x) LE_64(x)
-#  define le64toh(x) LE_64(x)
-#  define htobe64(x) BE_64(x)
-#  define be64toh(x) BE_64(x)
-
-#  define htole16(x) LE_16(x)
-#  define le16toh(x) LE_16(x)
-#  define htobe16(x) BE_16(x)
-#  define be16toh(x) BE_16(x)
-
-#  define htole32(x) LE_32(x)
-#  define le32toh(x) LE_32(x)
-#  define htobe32(x) BE_32(x)
-#  define be32toh(x) BE_32(x)
-
-/* ... for the BSDs */
-#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
-#  include <sys/endian.h>
-#elif defined(__OpenBSD__)
-#  include <endian.h>
-
-/* ... for Windows (MSVC)... not targeting XBOX 360! */
-#elif defined(_MSC_VER)
-
-#  include <stdlib.h>
-#  define htobe16(x) _byteswap_ushort(x)
-#  define htole16(x) (x)
-#  define be16toh(x) _byteswap_ushort(x)
-#  define le16toh(x) (x)
-
-#  define htobe32(x) _byteswap_ulong(x)
-#  define htole32(x) (x)
-#  define be32toh(x) _byteswap_ulong(x)
-#  define le32toh(x) (x)
-
-#  define htobe64(x) _byteswap_uint64(x)
-#  define htole64(x) (x)
-#  define be64toh(x) _byteswap_uint64(x)
-#  define le64toh(x) (x)
-
-/* ... for Windows (GCC-like, e.g. mingw or clang) */
-#elif (defined(_WIN32) || defined(_WIN64)) &&                                  \
-    (defined(__GNUC__) || defined(__clang__))
-
-#  define htobe16(x) __builtin_bswap16(x)
-#  define htole16(x) (x)
-#  define be16toh(x) __builtin_bswap16(x)
-#  define le16toh(x) (x)
-
-#  define htobe32(x) __builtin_bswap32(x)
-#  define htole32(x) (x)
-#  define be32toh(x) __builtin_bswap32(x)
-#  define le32toh(x) (x)
-
-#  define htobe64(x) __builtin_bswap64(x)
-#  define htole64(x) (x)
-#  define be64toh(x) __builtin_bswap64(x)
-#  define le64toh(x) (x)
-
-/* ... generic big-endian fallback code */
-#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
-
-/* byte swapping code inspired by:
- * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h
- * */
-
-#  define htobe32(x) (x)
-#  define be32toh(x) (x)
-#  define htole32(x)                                                           \
-    (__extension__({                                                           \
-      uint32_t _temp = (x);                                                    \
-      ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) |             \
-          ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000);          \
-    }))
-#  define le32toh(x) (htole32((x)))
-
-#  define htobe64(x) (x)
-#  define be64toh(x) (x)
-#  define htole64(x)                                                           \
-    (__extension__({                                                           \
-      uint64_t __temp = (x);                                                   \
-      uint32_t __low = htobe32((uint32_t)__temp);                              \
-      uint32_t __high = htobe32((uint32_t)(__temp >> 32));                     \
-      (((uint64_t)__low) << 32) | __high;                                      \
-    }))
-#  define le64toh(x) (htole64((x)))
-
-/* ... generic little-endian fallback code */
-#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
-
-#  define htole32(x) (x)
-#  define le32toh(x) (x)
-#  define htobe32(x)                                                           \
-    (__extension__({                                                           \
-      uint32_t _temp = (x);                                                    \
-      ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) |             \
-          ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000);          \
-    }))
-#  define be32toh(x) (htobe32((x)))
-
-#  define htole64(x) (x)
-#  define le64toh(x) (x)
-#  define htobe64(x)                                                           \
-    (__extension__({                                                           \
-      uint64_t __temp = (x);                                                   \
-      uint32_t __low = htobe32((uint32_t)__temp);                              \
-      uint32_t __high = htobe32((uint32_t)(__temp >> 32));                     \
-      (((uint64_t)__low) << 32) | __high;                                      \
-    }))
-#  define be64toh(x) (htobe64((x)))
-
-/* ... couldn't determine endian-ness of the target platform */
-#else
-#  error "Please define __BYTE_ORDER__!"
-
-#endif /* defined(__linux__) || ... */
-
-/* Loads and stores. These avoid undefined behavior due to unaligned memory
- * accesses, via memcpy. */
-
-inline static uint16_t load16(uint8_t *b) {
-  uint16_t x;
-  memcpy(&x, b, 2);
-  return x;
-}
-
-inline static uint32_t load32(uint8_t *b) {
-  uint32_t x;
-  memcpy(&x, b, 4);
-  return x;
-}
-
-inline static uint64_t load64(uint8_t *b) {
-  uint64_t x;
-  memcpy(&x, b, 8);
-  return x;
-}
-
-inline static void store16(uint8_t *b, uint16_t i) {
-  memcpy(b, &i, 2);
-}
-
-inline static void store32(uint8_t *b, uint32_t i) {
-  memcpy(b, &i, 4);
-}
-
-inline static void store64(uint8_t *b, uint64_t i) {
-  memcpy(b, &i, 8);
-}
-
-#define load16_le(b) (le16toh(load16(b)))
-#define store16_le(b, i) (store16(b, htole16(i)))
-#define load16_be(b) (be16toh(load16(b)))
-#define store16_be(b, i) (store16(b, htobe16(i)))
-
-#define load32_le(b) (le32toh(load32(b)))
-#define store32_le(b, i) (store32(b, htole32(i)))
-#define load32_be(b) (be32toh(load32(b)))
-#define store32_be(b, i) (store32(b, htobe32(i)))
-
-#define load64_le(b) (le64toh(load64(b)))
-#define store64_le(b, i) (store64(b, htole64(i)))
-#define load64_be(b) (be64toh(load64(b)))
-#define store64_be(b, i) (store64(b, htobe64(i)))
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/builtin.h

@@ -1,16 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef __KREMLIN_BUILTIN_H
-#define __KREMLIN_BUILTIN_H
-
-/* For alloca, when using KreMLin's -falloca */
-#if (defined(_WIN32) || defined(_WIN64))
-#  include <malloc.h>
-#endif
-
-/* If some globals need to be initialized before the main, then kremlin will
- * generate and try to link last a function with this type: */
-void kremlinit_globals(void);
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/callconv.h

@@ -1,46 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef __KREMLIN_CALLCONV_H
-#define __KREMLIN_CALLCONV_H
-
-/******************************************************************************/
-/* Some macros to ease compatibility                                          */
-/******************************************************************************/
-
-/* We want to generate __cdecl safely without worrying about it being undefined.
- * When using MSVC, these are always defined. When using MinGW, these are
- * defined too. They have no meaning for other platforms, so we define them to
- * be empty macros in other situations. */
-#ifndef _MSC_VER
-#ifndef __cdecl
-#define __cdecl
-#endif
-#ifndef __stdcall
-#define __stdcall
-#endif
-#ifndef __fastcall
-#define __fastcall
-#endif
-#endif
-
-/* Since KreMLin emits the inline keyword unconditionally, we follow the
- * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this
- * __inline__ to ensure the code compiles with -std=c90 and earlier. */
-#ifdef __GNUC__
-#  define inline __inline__
-#endif
-
-/* GCC-specific attribute syntax; everyone else gets the standard C inline
- * attribute. */
-#ifdef __GNU_C__
-#  ifndef __clang__
-#    define force_inline inline __attribute__((always_inline))
-#  else
-#    define force_inline inline
-#  endif
-#else
-#  define force_inline inline
-#endif
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/compat.h

@@ -1,34 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef KRML_COMPAT_H
-#define KRML_COMPAT_H
-
-#include <inttypes.h>
-
-/* A series of macros that define C implementations of types that are not Low*,
- * to facilitate porting programs to Low*. */
-
-typedef const char *Prims_string;
-
-typedef struct {
-  uint32_t length;
-  const char *data;
-} FStar_Bytes_bytes;
-
-typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
-    krml_checked_int_t;
-
-#define RETURN_OR(x)                                                           \
-  do {                                                                         \
-    int64_t __ret = x;                                                         \
-    if (__ret < INT32_MIN || INT32_MAX < __ret) {                              \
-      KRML_HOST_PRINTF(                                                        \
-          "Prims.{int,nat,pos} integer overflow at %s:%d\n", __FILE__,         \
-          __LINE__);                                                           \
-      KRML_HOST_EXIT(252);                                                     \
-    }                                                                          \
-    return (int32_t)__ret;                                                     \
-  } while (0)
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/debug.h

@@ -1,57 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef __KREMLIN_DEBUG_H
-#define __KREMLIN_DEBUG_H
-
-#include <inttypes.h>
-
-#include "kremlin/internal/target.h"
-
-/******************************************************************************/
-/* Debugging helpers - intended only for KreMLin developers                   */
-/******************************************************************************/
-
-/* In support of "-wasm -d force-c": we might need this function to be
- * forward-declared, because the dependency on WasmSupport appears very late,
- * after SimplifyWasm, and sadly, after the topological order has been done. */
-void WasmSupport_check_buffer_size(uint32_t s);
-
-/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls]
- * option). Useful when trying to debug, say, Wasm, to compare traces. */
-/* clang-format off */
-#ifdef __GNUC__
-#define KRML_FORMAT(X) _Generic((X),                                           \
-  uint8_t : "0x%08" PRIx8,                                                     \
-  uint16_t: "0x%08" PRIx16,                                                    \
-  uint32_t: "0x%08" PRIx32,                                                    \
-  uint64_t: "0x%08" PRIx64,                                                    \
-  int8_t  : "0x%08" PRIx8,                                                     \
-  int16_t : "0x%08" PRIx16,                                                    \
-  int32_t : "0x%08" PRIx32,                                                    \
-  int64_t : "0x%08" PRIx64,                                                    \
-  default : "%s")
-
-#define KRML_FORMAT_ARG(X) _Generic((X),                                       \
-  uint8_t : X,                                                                 \
-  uint16_t: X,                                                                 \
-  uint32_t: X,                                                                 \
-  uint64_t: X,                                                                 \
-  int8_t  : X,                                                                 \
-  int16_t : X,                                                                 \
-  int32_t : X,                                                                 \
-  int64_t : X,                                                                 \
-  default : "unknown")
-/* clang-format on */
-
-#  define KRML_DEBUG_RETURN(X)                                                 \
-    ({                                                                         \
-      __auto_type _ret = (X);                                                  \
-      KRML_HOST_PRINTF("returning: ");                                         \
-      KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret));              \
-      KRML_HOST_PRINTF(" \n");                                                 \
-      _ret;                                                                    \
-    })
-#endif
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/target.h

@@ -1,102 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef __KREMLIN_TARGET_H
-#define __KREMLIN_TARGET_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include <inttypes.h>
-#include <limits.h>
-
-#include "kremlin/internal/callconv.h"
-
-/******************************************************************************/
-/* Macros that KreMLin will generate.                                         */
-/******************************************************************************/
-
-/* For "bare" targets that do not have a C stdlib, the user might want to use
- * [-add-early-include '"mydefinitions.h"'] and override these. */
-#ifndef KRML_HOST_PRINTF
-#  define KRML_HOST_PRINTF printf
-#endif
-
-#if (                                                                          \
-    (defined __STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) &&             \
-    (!(defined KRML_HOST_EPRINTF)))
-#  define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
-#endif
-
-#ifndef KRML_HOST_EXIT
-#  define KRML_HOST_EXIT exit
-#endif
-
-#ifndef KRML_HOST_MALLOC
-#  define KRML_HOST_MALLOC malloc
-#endif
-
-#ifndef KRML_HOST_CALLOC
-#  define KRML_HOST_CALLOC calloc
-#endif
-
-#ifndef KRML_HOST_FREE
-#  define KRML_HOST_FREE free
-#endif
-
-#ifndef KRML_HOST_TIME
-
-#  include <time.h>
-
-/* Prims_nat not yet in scope */
-inline static int32_t krml_time() {
-  return (int32_t)time(NULL);
-}
-
-#  define KRML_HOST_TIME krml_time
-#endif
-
-/* In statement position, exiting is easy. */
-#define KRML_EXIT                                                              \
-  do {                                                                         \
-    KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \
-    KRML_HOST_EXIT(254);                                                       \
-  } while (0)
-
-/* In expression position, use the comma-operator and a malloc to return an
- * expression of the right size. KreMLin passes t as the parameter to the macro.
- */
-#define KRML_EABORT(t, msg)                                                    \
-  (KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg),  \
-   KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t))))
-
-/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of
- * *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate).
- */
-
-#ifdef __GNUC__
-#  define _KRML_CHECK_SIZE_PRAGMA                                              \
-    _Pragma("GCC diagnostic ignored \"-Wtype-limits\"")
-#else
-#  define _KRML_CHECK_SIZE_PRAGMA
-#endif
-
-#define KRML_CHECK_SIZE(size_elt, sz)                                          \
-  do {                                                                         \
-    _KRML_CHECK_SIZE_PRAGMA                                                    \
-    if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) {                  \
-      KRML_HOST_PRINTF(                                                        \
-          "Maximum allocatable size exceeded, aborting before overflow at "    \
-          "%s:%d\n",                                                           \
-          __FILE__, __LINE__);                                                 \
-      KRML_HOST_EXIT(253);                                                     \
-    }                                                                          \
-  } while (0)
-
-#if defined(_MSC_VER) && _MSC_VER < 1900
-#  define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg)
-#else
-#  define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg)
-#endif
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/types.h

@@ -1,61 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-#ifndef KRML_TYPES_H
-#define KRML_TYPES_H
-
-#include <inttypes.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-/* Types which are either abstract, meaning that have to be implemented in C, or
- * which are models, meaning that they are swapped out at compile-time for
- * hand-written C types (in which case they're marked as noextract). */
-
-typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
-typedef int64_t FStar_Int64_t, FStar_Int64_t_;
-typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
-typedef int32_t FStar_Int32_t, FStar_Int32_t_;
-typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
-typedef int16_t FStar_Int16_t, FStar_Int16_t_;
-typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
-typedef int8_t FStar_Int8_t, FStar_Int8_t_;
-
-/* Only useful when building Kremlib, because it's in the dependency graph of
- * FStar.Int.Cast. */
-typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_;
-typedef int64_t FStar_Int63_t, FStar_Int63_t_;
-
-typedef double FStar_Float_float;
-typedef uint32_t FStar_Char_char;
-typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write;
-
-typedef void *FStar_Dyn_dyn;
-
-typedef const char *C_String_t, *C_String_t_;
-
-typedef int exit_code;
-typedef FILE *channel;
-
-typedef unsigned long long TestLib_cycles;
-
-typedef uint64_t FStar_Date_dateTime, FStar_Date_timeSpan;
-
-/* The uint128 type is a special case since we offer several implementations of
- * it, depending on the compiler and whether the user wants the verified
- * implementation or not. */
-#if !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(_M_X64)
-#  include <emmintrin.h>
-typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER)
-typedef unsigned __int128 FStar_UInt128_uint128;
-#else
-typedef struct FStar_UInt128_uint128_s {
-  uint64_t low;
-  uint64_t high;
-} FStar_UInt128_uint128;
-#endif
-
-typedef FStar_UInt128_uint128 FStar_UInt128_t, FStar_UInt128_t_, uint128_t;
-
-#endif

3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h

@@ -1,5 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file is automatically included when compiling with -wasm -d force-c */
-#define WasmSupport_check_buffer_size(X)

3rdparty/everest/include/everest/vs2010/Hacl_Curve25519.h

@@ -1,21 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-
-#ifndef __Hacl_Curve25519_H
-#define __Hacl_Curve25519_H
-
-
-#include "kremlib.h"
-
-void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
-
-#define __Hacl_Curve25519_H_DEFINED
-#endif

3rdparty/everest/include/everest/vs2010/inttypes.h

@@ -1,36 +0,0 @@
-/*
- *  Custom inttypes.h for VS2010 KreMLin requires these definitions,
- *  but VS2010 doesn't provide them.
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef _INTTYPES_H_VS2010
-#define _INTTYPES_H_VS2010
-
-#include <stdint.h>
-
-#ifdef _MSC_VER
-#define inline __inline
-#endif
-
-/* VS2010 unsigned long == 8 bytes */
-
-#define PRIu64 "I64u"
-
-#endif

3rdparty/everest/include/everest/vs2010/stdbool.h

@@ -1,31 +0,0 @@
-/*
- *  Custom stdbool.h for VS2010 KreMLin requires these definitions,
- *  but VS2010 doesn't provide them.
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef _STDBOOL_H_VS2010
-#define _STDBOOL_H_VS2010
-
-typedef int bool;
-
-static bool true = 1;
-static bool false = 0;
-
-#endif

3rdparty/everest/include/everest/x25519.h

@@ -1,190 +0,0 @@
-/*
- *  ECDH with curve-optimized implementation multiplexing
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef MBEDTLS_X25519_H
-#define MBEDTLS_X25519_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define MBEDTLS_ECP_TLS_CURVE25519 0x1d
-#define MBEDTLS_X25519_KEY_SIZE_BYTES 32
-
-/**
- * Defines the source of the imported EC key.
- */
-typedef enum
-{
-    MBEDTLS_X25519_ECDH_OURS,   /**< Our key. */
-    MBEDTLS_X25519_ECDH_THEIRS, /**< The key of the peer. */
-} mbedtls_x25519_ecdh_side;
-
-/**
- * \brief           The x25519 context structure.
- */
-typedef struct
-{
-  unsigned char our_secret[MBEDTLS_X25519_KEY_SIZE_BYTES];
-  unsigned char peer_point[MBEDTLS_X25519_KEY_SIZE_BYTES];
-} mbedtls_x25519_context;
-
-/**
- * \brief           This function initializes an x25519 context.
- *
- * \param ctx       The x25519 context to initialize.
- */
-void mbedtls_x25519_init( mbedtls_x25519_context *ctx );
-
-/**
- * \brief           This function frees a context.
- *
- * \param ctx       The context to free.
- */
-void mbedtls_x25519_free( mbedtls_x25519_context *ctx );
-
-/**
- * \brief           This function generates a public key and a TLS
- *                  ServerKeyExchange payload.
- *
- *                  This is the first function used by a TLS server for x25519.
- *
- *
- * \param ctx       The x25519 context.
- * \param olen      The number of characters written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_x25519_make_params( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng );
-
-/**
- * \brief           This function parses and processes a TLS ServerKeyExchange
- *                  payload.
- *
- *
- * \param ctx       The x25519 context.
- * \param buf       The pointer to the start of the input buffer.
- * \param end       The address for one Byte past the end of the buffer.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_x25519_read_params( mbedtls_x25519_context *ctx,
-                        const unsigned char **buf, const unsigned char *end );
-
-/**
- * \brief           This function sets up an x25519 context from an EC key.
- *
- *                  It is used by clients and servers in place of the
- *                  ServerKeyEchange for static ECDH, and imports ECDH
- *                  parameters from the EC key information of a certificate.
- *
- * \see             ecp.h
- *
- * \param ctx       The x25519 context to set up.
- * \param key       The EC key to use.
- * \param side      Defines the source of the key: 1: Our key, or
- *                  0: The key of the peer.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_x25519_get_params( mbedtls_x25519_context *ctx, const mbedtls_ecp_keypair *key,
-                               mbedtls_x25519_ecdh_side side );
-
-/**
- * \brief           This function derives and exports the shared secret.
- *
- *                  This is the last function used by both TLS client
- *                  and servers.
- *
- *
- * \param ctx       The x25519 context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_x25519_calc_secret( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng );
-
-/**
- * \brief           This function generates a public key and a TLS
- *                  ClientKeyExchange payload.
- *
- *                  This is the second function used by a TLS client for x25519.
- *
- * \see             ecp.h
- *
- * \param ctx       The x25519 context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The size of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG context.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_x25519_make_public( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng );
-
-/**
- * \brief       This function parses and processes a TLS ClientKeyExchange
- *              payload.
- *
- *              This is the second function used by a TLS server for x25519.
- *
- * \see         ecp.h
- *
- * \param ctx   The x25519 context.
- * \param buf   The start of the input buffer.
- * \param blen  The length of the input buffer.
- *
- * \return      \c 0 on success.
- * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_x25519_read_public( mbedtls_x25519_context *ctx,
-                        const unsigned char *buf, size_t blen );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* x25519.h */

3rdparty/everest/library/Hacl_Curve25519.c

@@ -1,760 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fbuiltin-uint128 -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-#include "Hacl_Curve25519.h"
-
-extern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1);
-
-extern uint128_t FStar_UInt128_add(uint128_t x0, uint128_t x1);
-
-extern uint128_t FStar_UInt128_add_mod(uint128_t x0, uint128_t x1);
-
-extern uint128_t FStar_UInt128_logand(uint128_t x0, uint128_t x1);
-
-extern uint128_t FStar_UInt128_shift_right(uint128_t x0, uint32_t x1);
-
-extern uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x0);
-
-extern uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x0);
-
-extern uint128_t FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1);
-
-static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
-{
-  uint64_t b4 = b[4U];
-  uint64_t b0 = b[0U];
-  uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
-  uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
-  b[4U] = b4_;
-  b[0U] = b0_;
-}
-
-inline static void Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, uint128_t *input)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    uint128_t xi = input[i];
-    output[i] = (uint64_t)xi;
-  }
-}
-
-inline static void
-Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint128_t *output, uint64_t *input, uint64_t s)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    uint128_t xi = output[i];
-    uint64_t yi = input[i];
-    output[i] = xi + (uint128_t)yi * s;
-  }
-}
-
-inline static void Hacl_Bignum_Fproduct_carry_wide_(uint128_t *tmp)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
-  {
-    uint32_t ctr = i;
-    uint128_t tctr = tmp[ctr];
-    uint128_t tctrp1 = tmp[ctr + (uint32_t)1U];
-    uint64_t r0 = (uint64_t)tctr & (uint64_t)0x7ffffffffffffU;
-    uint128_t c = tctr >> (uint32_t)51U;
-    tmp[ctr] = (uint128_t)r0;
-    tmp[ctr + (uint32_t)1U] = tctrp1 + c;
-  }
-}
-
-inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
-{
-  uint64_t tmp = output[4U];
-  uint64_t b0;
-  {
-    uint32_t i;
-    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
-    {
-      uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
-      uint64_t z = output[ctr - (uint32_t)1U];
-      output[ctr] = z;
-    }
-  }
-  output[0U] = tmp;
-  b0 = output[0U];
-  output[0U] = (uint64_t)19U * b0;
-}
-
-static void
-Hacl_Bignum_Fmul_mul_shift_reduce_(uint128_t *output, uint64_t *input, uint64_t *input2)
-{
-  uint32_t i;
-  uint64_t input2i;
-  {
-    uint32_t i0;
-    for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U)
-    {
-      uint64_t input2i0 = input2[i0];
-      Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0);
-      Hacl_Bignum_Fmul_shift_reduce(input);
-    }
-  }
-  i = (uint32_t)4U;
-  input2i = input2[i];
-  Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
-}
-
-inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
-{
-  uint64_t tmp[5U] = { 0U };
-  memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
-  KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
-  {
-    uint128_t t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = (uint128_t)(uint64_t)0U;
-    }
-    {
-      uint128_t b4;
-      uint128_t b0;
-      uint128_t b4_;
-      uint128_t b0_;
-      uint64_t i0;
-      uint64_t i1;
-      uint64_t i0_;
-      uint64_t i1_;
-      Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
-      Hacl_Bignum_Fproduct_carry_wide_(t);
-      b4 = t[4U];
-      b0 = t[0U];
-      b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
-      b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
-      t[4U] = b4_;
-      t[0U] = b0_;
-      Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
-      i0 = output[0U];
-      i1 = output[1U];
-      i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-      i1_ = i1 + (i0 >> (uint32_t)51U);
-      output[0U] = i0_;
-      output[1U] = i1_;
-    }
-  }
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare__(uint128_t *tmp, uint64_t *output)
-{
-  uint64_t r0 = output[0U];
-  uint64_t r1 = output[1U];
-  uint64_t r2 = output[2U];
-  uint64_t r3 = output[3U];
-  uint64_t r4 = output[4U];
-  uint64_t d0 = r0 * (uint64_t)2U;
-  uint64_t d1 = r1 * (uint64_t)2U;
-  uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
-  uint64_t d419 = r4 * (uint64_t)19U;
-  uint64_t d4 = d419 * (uint64_t)2U;
-  uint128_t s0 = (uint128_t)r0 * r0 + (uint128_t)d4 * r1 + (uint128_t)d2 * r3;
-  uint128_t s1 = (uint128_t)d0 * r1 + (uint128_t)d4 * r2 + (uint128_t)(r3 * (uint64_t)19U) * r3;
-  uint128_t s2 = (uint128_t)d0 * r2 + (uint128_t)r1 * r1 + (uint128_t)d4 * r3;
-  uint128_t s3 = (uint128_t)d0 * r3 + (uint128_t)d1 * r2 + (uint128_t)r4 * d419;
-  uint128_t s4 = (uint128_t)d0 * r4 + (uint128_t)d1 * r3 + (uint128_t)r2 * r2;
-  tmp[0U] = s0;
-  tmp[1U] = s1;
-  tmp[2U] = s2;
-  tmp[3U] = s3;
-  tmp[4U] = s4;
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare_(uint128_t *tmp, uint64_t *output)
-{
-  uint128_t b4;
-  uint128_t b0;
-  uint128_t b4_;
-  uint128_t b0_;
-  uint64_t i0;
-  uint64_t i1;
-  uint64_t i0_;
-  uint64_t i1_;
-  Hacl_Bignum_Fsquare_fsquare__(tmp, output);
-  Hacl_Bignum_Fproduct_carry_wide_(tmp);
-  b4 = tmp[4U];
-  b0 = tmp[0U];
-  b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
-  b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
-  tmp[4U] = b4_;
-  tmp[0U] = b0_;
-  Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
-  i0 = output[0U];
-  i1 = output[1U];
-  i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-  i1_ = i1 + (i0 >> (uint32_t)51U);
-  output[0U] = i0_;
-  output[1U] = i1_;
-}
-
-static void
-Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, uint128_t *tmp, uint32_t count1)
-{
-  uint32_t i;
-  Hacl_Bignum_Fsquare_fsquare_(tmp, input);
-  for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
-    Hacl_Bignum_Fsquare_fsquare_(tmp, input);
-}
-
-inline static void
-Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
-{
-  KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
-  {
-    uint128_t t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = (uint128_t)(uint64_t)0U;
-    }
-    memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
-    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
-  }
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
-{
-  KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
-  {
-    uint128_t t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = (uint128_t)(uint64_t)0U;
-    }
-    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
-  }
-}
-
-inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
-{
-  uint64_t buf[20U] = { 0U };
-  uint64_t *a0 = buf;
-  uint64_t *t00 = buf + (uint32_t)5U;
-  uint64_t *b0 = buf + (uint32_t)10U;
-  uint64_t *t01;
-  uint64_t *b1;
-  uint64_t *c0;
-  uint64_t *a;
-  uint64_t *t0;
-  uint64_t *b;
-  uint64_t *c;
-  Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U);
-  Hacl_Bignum_Fmul_fmul(b0, t00, z);
-  Hacl_Bignum_Fmul_fmul(a0, b0, a0);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U);
-  Hacl_Bignum_Fmul_fmul(b0, t00, b0);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
-  t01 = buf + (uint32_t)5U;
-  b1 = buf + (uint32_t)10U;
-  c0 = buf + (uint32_t)15U;
-  Hacl_Bignum_Fmul_fmul(b1, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
-  Hacl_Bignum_Fmul_fmul(c0, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
-  Hacl_Bignum_Fmul_fmul(t01, t01, c0);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
-  Hacl_Bignum_Fmul_fmul(b1, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
-  a = buf;
-  t0 = buf + (uint32_t)5U;
-  b = buf + (uint32_t)10U;
-  c = buf + (uint32_t)15U;
-  Hacl_Bignum_Fmul_fmul(c, t0, b);
-  Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
-  Hacl_Bignum_Fmul_fmul(t0, t0, c);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
-  Hacl_Bignum_Fmul_fmul(t0, t0, b);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
-  Hacl_Bignum_Fmul_fmul(out, t0, a);
-}
-
-inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    uint64_t xi = a[i];
-    uint64_t yi = b[i];
-    a[i] = xi + yi;
-  }
-}
-
-inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
-{
-  uint64_t tmp[5U] = { 0U };
-  uint64_t b0;
-  uint64_t b1;
-  uint64_t b2;
-  uint64_t b3;
-  uint64_t b4;
-  memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
-  b0 = tmp[0U];
-  b1 = tmp[1U];
-  b2 = tmp[2U];
-  b3 = tmp[3U];
-  b4 = tmp[4U];
-  tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
-  tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
-  tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
-  tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
-  tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
-  {
-    uint32_t i;
-    for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-    {
-      uint64_t xi = a[i];
-      uint64_t yi = tmp[i];
-      a[i] = yi - xi;
-    }
-  }
-}
-
-inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
-{
-  KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
-  {
-    uint128_t tmp[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        tmp[_i] = (uint128_t)(uint64_t)0U;
-    }
-    {
-      uint128_t b4;
-      uint128_t b0;
-      uint128_t b4_;
-      uint128_t b0_;
-      {
-        uint32_t i;
-        for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-        {
-          uint64_t xi = b[i];
-          tmp[i] = (uint128_t)xi * s;
-        }
-      }
-      Hacl_Bignum_Fproduct_carry_wide_(tmp);
-      b4 = tmp[4U];
-      b0 = tmp[0U];
-      b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
-      b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
-      tmp[4U] = b4_;
-      tmp[0U] = b0_;
-      Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
-    }
-  }
-}
-
-inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
-{
-  Hacl_Bignum_Fmul_fmul(output, a, b);
-}
-
-inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
-{
-  Hacl_Bignum_Crecip_crecip(output, input);
-}
-
-static void
-Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
-{
-  uint32_t i = ctr - (uint32_t)1U;
-  uint64_t ai = a[i];
-  uint64_t bi = b[i];
-  uint64_t x = swap1 & (ai ^ bi);
-  uint64_t ai1 = ai ^ x;
-  uint64_t bi1 = bi ^ x;
-  a[i] = ai1;
-  b[i] = bi1;
-}
-
-static void
-Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
-{
-  if (!(ctr == (uint32_t)0U))
-  {
-    uint32_t i;
-    Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
-    i = ctr - (uint32_t)1U;
-    Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
-  }
-}
-
-static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
-{
-  uint64_t swap1 = (uint64_t)0U - iswap;
-  Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
-  Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
-}
-
-static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
-{
-  memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
-  memcpy(output + (uint32_t)5U,
-    input + (uint32_t)5U,
-    (uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]);
-}
-
-static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
-{
-  uint64_t i0 = load64_le(input);
-  uint8_t *x00 = input + (uint32_t)6U;
-  uint64_t i1 = load64_le(x00);
-  uint8_t *x01 = input + (uint32_t)12U;
-  uint64_t i2 = load64_le(x01);
-  uint8_t *x02 = input + (uint32_t)19U;
-  uint64_t i3 = load64_le(x02);
-  uint8_t *x0 = input + (uint32_t)24U;
-  uint64_t i4 = load64_le(x0);
-  uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
-  output[0U] = output0;
-  output[1U] = output1;
-  output[2U] = output2;
-  output[3U] = output3;
-  output[4U] = output4;
-}
-
-static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
-  uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
-  uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
-  uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
-  uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
-  input[0U] = t0_;
-  input[1U] = t1__;
-  input[2U] = t2__;
-  input[3U] = t3__;
-  input[4U] = t4_;
-}
-
-static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
-{
-  Hacl_EC_Format_fcontract_first_carry_pass(input);
-  Hacl_Bignum_Modulo_carry_top(input);
-}
-
-static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
-  uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
-  uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
-  uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
-  uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
-  input[0U] = t0_;
-  input[1U] = t1__;
-  input[2U] = t2__;
-  input[3U] = t3__;
-  input[4U] = t4_;
-}
-
-static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
-{
-  uint64_t i0;
-  uint64_t i1;
-  uint64_t i0_;
-  uint64_t i1_;
-  Hacl_EC_Format_fcontract_second_carry_pass(input);
-  Hacl_Bignum_Modulo_carry_top(input);
-  i0 = input[0U];
-  i1 = input[1U];
-  i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-  i1_ = i1 + (i0 >> (uint32_t)51U);
-  input[0U] = i0_;
-  input[1U] = i1_;
-}
-
-static void Hacl_EC_Format_fcontract_trim(uint64_t *input)
-{
-  uint64_t a0 = input[0U];
-  uint64_t a1 = input[1U];
-  uint64_t a2 = input[2U];
-  uint64_t a3 = input[3U];
-  uint64_t a4 = input[4U];
-  uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
-  uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
-  uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
-  uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
-  input[0U] = a0_;
-  input[1U] = a1_;
-  input[2U] = a2_;
-  input[3U] = a3_;
-  input[4U] = a4_;
-}
-
-static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t o0 = t1 << (uint32_t)51U | t0;
-  uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
-  uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
-  uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
-  uint8_t *b0 = output;
-  uint8_t *b1 = output + (uint32_t)8U;
-  uint8_t *b2 = output + (uint32_t)16U;
-  uint8_t *b3 = output + (uint32_t)24U;
-  store64_le(b0, o0);
-  store64_le(b1, o1);
-  store64_le(b2, o2);
-  store64_le(b3, o3);
-}
-
-static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
-{
-  Hacl_EC_Format_fcontract_first_carry_full(input);
-  Hacl_EC_Format_fcontract_second_carry_full(input);
-  Hacl_EC_Format_fcontract_trim(input);
-  Hacl_EC_Format_fcontract_store(output, input);
-}
-
-static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
-{
-  uint64_t *x = point;
-  uint64_t *z = point + (uint32_t)5U;
-  uint64_t buf[10U] = { 0U };
-  uint64_t *zmone = buf;
-  uint64_t *sc = buf + (uint32_t)5U;
-  Hacl_Bignum_crecip(zmone, z);
-  Hacl_Bignum_fmul(sc, x, zmone);
-  Hacl_EC_Format_fcontract(scalar, sc);
-}
-
-static void
-Hacl_EC_AddAndDouble_fmonty(
-  uint64_t *pp,
-  uint64_t *ppq,
-  uint64_t *p,
-  uint64_t *pq,
-  uint64_t *qmqp
-)
-{
-  uint64_t *qx = qmqp;
-  uint64_t *x2 = pp;
-  uint64_t *z2 = pp + (uint32_t)5U;
-  uint64_t *x3 = ppq;
-  uint64_t *z3 = ppq + (uint32_t)5U;
-  uint64_t *x = p;
-  uint64_t *z = p + (uint32_t)5U;
-  uint64_t *xprime = pq;
-  uint64_t *zprime = pq + (uint32_t)5U;
-  uint64_t buf[40U] = { 0U };
-  uint64_t *origx = buf;
-  uint64_t *origxprime0 = buf + (uint32_t)5U;
-  uint64_t *xxprime0 = buf + (uint32_t)25U;
-  uint64_t *zzprime0 = buf + (uint32_t)30U;
-  uint64_t *origxprime;
-  uint64_t *xx0;
-  uint64_t *zz0;
-  uint64_t *xxprime;
-  uint64_t *zzprime;
-  uint64_t *zzzprime;
-  uint64_t *zzz;
-  uint64_t *xx;
-  uint64_t *zz;
-  uint64_t scalar;
-  memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
-  Hacl_Bignum_fsum(x, z);
-  Hacl_Bignum_fdifference(z, origx);
-  memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]);
-  Hacl_Bignum_fsum(xprime, zprime);
-  Hacl_Bignum_fdifference(zprime, origxprime0);
-  Hacl_Bignum_fmul(xxprime0, xprime, z);
-  Hacl_Bignum_fmul(zzprime0, x, zprime);
-  origxprime = buf + (uint32_t)5U;
-  xx0 = buf + (uint32_t)15U;
-  zz0 = buf + (uint32_t)20U;
-  xxprime = buf + (uint32_t)25U;
-  zzprime = buf + (uint32_t)30U;
-  zzzprime = buf + (uint32_t)35U;
-  memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
-  Hacl_Bignum_fsum(xxprime, zzprime);
-  Hacl_Bignum_fdifference(zzprime, origxprime);
-  Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
-  Hacl_Bignum_fmul(z3, zzzprime, qx);
-  Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
-  zzz = buf + (uint32_t)10U;
-  xx = buf + (uint32_t)15U;
-  zz = buf + (uint32_t)20U;
-  Hacl_Bignum_fmul(x2, xx, zz);
-  Hacl_Bignum_fdifference(zz, xx);
-  scalar = (uint64_t)121665U;
-  Hacl_Bignum_fscalar(zzz, zz, scalar);
-  Hacl_Bignum_fsum(zzz, xx);
-  Hacl_Bignum_fmul(z2, zzz, zz);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt
-)
-{
-  uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
-  uint64_t bit;
-  Hacl_EC_Point_swap_conditional(nq, nqpq, bit0);
-  Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
-  bit = (uint64_t)(byt >> (uint32_t)7U);
-  Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt
-)
-{
-  uint8_t byt1;
-  Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
-  byt1 = byt << (uint32_t)1U;
-  Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt,
-  uint32_t i
-)
-{
-  if (!(i == (uint32_t)0U))
-  {
-    uint32_t i_ = i - (uint32_t)1U;
-    uint8_t byt_;
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
-    byt_ = byt << (uint32_t)2U;
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
-  }
-}
-
-static void
-Hacl_EC_Ladder_BigLoop_cmult_big_loop(
-  uint8_t *n1,
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint32_t i
-)
-{
-  if (!(i == (uint32_t)0U))
-  {
-    uint32_t i1 = i - (uint32_t)1U;
-    uint8_t byte = n1[i1];
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
-    Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
-  }
-}
-
-static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
-{
-  uint64_t point_buf[40U] = { 0U };
-  uint64_t *nq = point_buf;
-  uint64_t *nqpq = point_buf + (uint32_t)10U;
-  uint64_t *nq2 = point_buf + (uint32_t)20U;
-  uint64_t *nqpq2 = point_buf + (uint32_t)30U;
-  Hacl_EC_Point_copy(nqpq, q);
-  nq[0U] = (uint64_t)1U;
-  Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
-  Hacl_EC_Point_copy(result, nq);
-}
-
-void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
-{
-  uint64_t buf0[10U] = { 0U };
-  uint64_t *x0 = buf0;
-  uint64_t *z = buf0 + (uint32_t)5U;
-  uint64_t *q;
-  Hacl_EC_Format_fexpand(x0, basepoint);
-  z[0U] = (uint64_t)1U;
-  q = buf0;
-  {
-    uint8_t e[32U] = { 0U };
-    uint8_t e0;
-    uint8_t e31;
-    uint8_t e01;
-    uint8_t e311;
-    uint8_t e312;
-    uint8_t *scalar;
-    memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
-    e0 = e[0U];
-    e31 = e[31U];
-    e01 = e0 & (uint8_t)248U;
-    e311 = e31 & (uint8_t)127U;
-    e312 = e311 | (uint8_t)64U;
-    e[0U] = e01;
-    e[31U] = e312;
-    scalar = e;
-    {
-      uint64_t buf[15U] = { 0U };
-      uint64_t *nq = buf;
-      uint64_t *x = nq;
-      x[0U] = (uint64_t)1U;
-      Hacl_EC_Ladder_cmult(nq, scalar, q);
-      Hacl_EC_Format_scalar_of_point(mypublic, nq);
-    }
-  }
-}
-

3rdparty/everest/library/Hacl_Curve25519_joined.c

@@ -1,41 +0,0 @@
-/*
- *  Interface to code from Project Everest
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
-
-#if defined(__SIZEOF_INT128__) && (__SIZEOF_INT128__ == 16)
-#define MBEDTLS_HAVE_INT128
-#endif
-
-#if defined(MBEDTLS_HAVE_INT128)
-#include "Hacl_Curve25519.c"
-#else
-#define KRML_VERIFIED_UINT128
-#include "kremlib/FStar_UInt128_extracted.c"
-#include "legacy/Hacl_Curve25519.c"
-#endif
-
-#include "kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c"
-
-#endif /* defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) */
-

3rdparty/everest/library/everest.c

@@ -1,107 +0,0 @@
-/*
- *  Interface to code from Project Everest
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of Mbed TLS (https://tls.mbed.org).
- */
-
-#include "common.h"
-
-#include <string.h>
-
-#include "mbedtls/ecdh.h"
-
-#include "everest/x25519.h"
-#include "everest/everest.h"
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#define mbedtls_calloc calloc
-#define mbedtls_free   free
-#endif
-
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
-
-int mbedtls_everest_setup( mbedtls_ecdh_context_everest *ctx, int grp_id )
-{
-    if( grp_id != MBEDTLS_ECP_DP_CURVE25519 )
-        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-    mbedtls_x25519_init( &ctx->ctx );
-    return 0;
-}
-
-void mbedtls_everest_free( mbedtls_ecdh_context_everest *ctx )
-{
-    mbedtls_x25519_free( &ctx->ctx );
-}
-
-int mbedtls_everest_make_params( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    return mbedtls_x25519_make_params( x25519_ctx, olen, buf, blen, f_rng, p_rng );
-}
-
-int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
-                                 const unsigned char **buf,
-                                 const unsigned char *end )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    return mbedtls_x25519_read_params( x25519_ctx, buf, end );
-}
-
-int mbedtls_everest_get_params( mbedtls_ecdh_context_everest *ctx,
-                                const mbedtls_ecp_keypair *key,
-                                mbedtls_everest_ecdh_side side )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    mbedtls_x25519_ecdh_side s = side == MBEDTLS_EVEREST_ECDH_OURS ?
-                                            MBEDTLS_X25519_ECDH_OURS :
-                                            MBEDTLS_X25519_ECDH_THEIRS;
-    return mbedtls_x25519_get_params( x25519_ctx, key, s );
-}
-
-int mbedtls_everest_make_public( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    return mbedtls_x25519_make_public( x25519_ctx, olen, buf, blen, f_rng, p_rng );
-}
-
-int mbedtls_everest_read_public( mbedtls_ecdh_context_everest *ctx,
-                                 const unsigned char *buf, size_t blen )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    return mbedtls_x25519_read_public ( x25519_ctx, buf, blen );
-}
-
-int mbedtls_everest_calc_secret( mbedtls_ecdh_context_everest *ctx, size_t *olen,
-                                 unsigned char *buf, size_t blen,
-                                 int( *f_rng )( void *, unsigned char *, size_t ),
-                                 void *p_rng )
-{
-    mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
-    return mbedtls_x25519_calc_secret( x25519_ctx, olen, buf, blen, f_rng, p_rng );
-}
-
-#endif /* MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
-

3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c

@@ -1,413 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir extracted -warn-error +9+11 -skip-compilation -extract-uints -add-include <inttypes.h> -add-include "kremlib.h" -add-include "kremlin/internal/compat.h" extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-#include "FStar_UInt128.h"
-#include "kremlin/c_endianness.h"
-#include "FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h"
-
-uint64_t FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 projectee)
-{
-  return projectee.low;
-}
-
-uint64_t FStar_UInt128___proj__Mkuint128__item__high(FStar_UInt128_uint128 projectee)
-{
-  return projectee.high;
-}
-
-static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
-{
-  return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
-}
-
-static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b)
-{
-  return FStar_UInt128_constant_time_carry(a, b);
-}
-
-FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
-  return flat;
-}
-
-FStar_UInt128_uint128
-FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
-  return flat;
-}
-
-FStar_UInt128_uint128
-FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
-  return flat;
-}
-
-static FStar_UInt128_uint128
-FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return FStar_UInt128_sub_mod_impl(a, b);
-}
-
-FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128 flat = { a.low & b.low, a.high & b.high };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128 flat = { a.low ^ b.low, a.high ^ b.high };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128 flat = { a.low | b.low, a.high | b.high };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a)
-{
-  FStar_UInt128_uint128 flat = { ~a.low, ~a.high };
-  return flat;
-}
-
-static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
-
-static uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
-{
-  return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
-}
-
-static uint64_t FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
-{
-  return FStar_UInt128_add_u64_shift_left(hi, lo, s);
-}
-
-static FStar_UInt128_uint128
-FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
-{
-  if (s == (uint32_t)0U)
-  {
-    return a;
-  }
-  else
-  {
-    FStar_UInt128_uint128
-    flat = { a.low << s, FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) };
-    return flat;
-  }
-}
-
-static FStar_UInt128_uint128
-FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
-{
-  FStar_UInt128_uint128 flat = { (uint64_t)0U, a.low << (s - FStar_UInt128_u32_64) };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
-{
-  if (s < FStar_UInt128_u32_64)
-  {
-    return FStar_UInt128_shift_left_small(a, s);
-  }
-  else
-  {
-    return FStar_UInt128_shift_left_large(a, s);
-  }
-}
-
-static uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
-{
-  return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
-}
-
-static uint64_t FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
-{
-  return FStar_UInt128_add_u64_shift_right(hi, lo, s);
-}
-
-static FStar_UInt128_uint128
-FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
-{
-  if (s == (uint32_t)0U)
-  {
-    return a;
-  }
-  else
-  {
-    FStar_UInt128_uint128
-    flat = { FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s), a.high >> s };
-    return flat;
-  }
-}
-
-static FStar_UInt128_uint128
-FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
-{
-  FStar_UInt128_uint128 flat = { a.high >> (s - FStar_UInt128_u32_64), (uint64_t)0U };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
-{
-  if (s < FStar_UInt128_u32_64)
-  {
-    return FStar_UInt128_shift_right_small(a, s);
-  }
-  else
-  {
-    return FStar_UInt128_shift_right_large(a, s);
-  }
-}
-
-bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return a.low == b.low && a.high == b.high;
-}
-
-bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return a.high > b.high || (a.high == b.high && a.low > b.low);
-}
-
-bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return a.high < b.high || (a.high == b.high && a.low < b.low);
-}
-
-bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return a.high > b.high || (a.high == b.high && a.low >= b.low);
-}
-
-bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  return a.high < b.high || (a.high == b.high && a.low <= b.low);
-}
-
-FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat =
-    {
-      FStar_UInt64_eq_mask(a.low,
-        b.low)
-      & FStar_UInt64_eq_mask(a.high, b.high),
-      FStar_UInt64_eq_mask(a.low,
-        b.low)
-      & FStar_UInt64_eq_mask(a.high, b.high)
-    };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
-{
-  FStar_UInt128_uint128
-  flat =
-    {
-      (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
-      | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
-      (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
-      | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low))
-    };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a)
-{
-  FStar_UInt128_uint128 flat = { a, (uint64_t)0U };
-  return flat;
-}
-
-uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
-{
-  return a.low;
-}
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_add;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Question_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_add_underspec;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Plus_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_add_mod;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_sub;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Question_Hat)(
-  FStar_UInt128_uint128 x0,
-  FStar_UInt128_uint128 x1
-) = FStar_UInt128_sub_underspec;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Subtraction_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_sub_mod;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Amp_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_logand;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Hat_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_logxor;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Bar_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_logor;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Less_Less_Hat)(FStar_UInt128_uint128 x0, uint32_t x1) =
-  FStar_UInt128_shift_left;
-
-FStar_UInt128_uint128
-(*FStar_UInt128_op_Greater_Greater_Hat)(FStar_UInt128_uint128 x0, uint32_t x1) =
-  FStar_UInt128_shift_right;
-
-bool
-(*FStar_UInt128_op_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_eq;
-
-bool
-(*FStar_UInt128_op_Greater_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_gt;
-
-bool
-(*FStar_UInt128_op_Less_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_lt;
-
-bool
-(*FStar_UInt128_op_Greater_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_gte;
-
-bool
-(*FStar_UInt128_op_Less_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
-  FStar_UInt128_lte;
-
-static uint64_t FStar_UInt128_u64_mod_32(uint64_t a)
-{
-  return a & (uint64_t)0xffffffffU;
-}
-
-static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
-
-static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
-{
-  return lo + (hi << FStar_UInt128_u32_32);
-}
-
-FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y)
-{
-  FStar_UInt128_uint128
-  flat =
-    {
-      FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32)
-        * (uint64_t)y
-        + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32),
-        FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)),
-      ((x >> FStar_UInt128_u32_32)
-      * (uint64_t)y
-      + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32))
-      >> FStar_UInt128_u32_32
-    };
-  return flat;
-}
-
-typedef struct K___uint64_t_uint64_t_uint64_t_uint64_t_s
-{
-  uint64_t fst;
-  uint64_t snd;
-  uint64_t thd;
-  uint64_t f3;
-}
-K___uint64_t_uint64_t_uint64_t_uint64_t;
-
-static K___uint64_t_uint64_t_uint64_t_uint64_t
-FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
-{
-  K___uint64_t_uint64_t_uint64_t_uint64_t
-  flat =
-    {
-      FStar_UInt128_u64_mod_32(x),
-      FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)),
-      x
-      >> FStar_UInt128_u32_32,
-      (x >> FStar_UInt128_u32_32)
-      * FStar_UInt128_u64_mod_32(y)
-      + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)
-    };
-  return flat;
-}
-
-static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
-{
-  return lo + (hi << FStar_UInt128_u32_32);
-}
-
-static FStar_UInt128_uint128 FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
-{
-  K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
-  uint64_t u1 = scrut.fst;
-  uint64_t w3 = scrut.snd;
-  uint64_t x_ = scrut.thd;
-  uint64_t t_ = scrut.f3;
-  FStar_UInt128_uint128
-  flat =
-    {
-      FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
-        w3),
-      x_
-      * (y >> FStar_UInt128_u32_32)
-      + (t_ >> FStar_UInt128_u32_32)
-      + ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32)
-    };
-  return flat;
-}
-
-FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
-{
-  return FStar_UInt128_mul_wide_impl(x, y);
-}
-

3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c

@@ -1,100 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/minimal -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/compat.h" -add-include "kremlin/internal/types.h" -bundle FStar.UInt64+FStar.UInt32+FStar.UInt16+FStar.UInt8=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-#include "FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h"
-
-uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b)
-{
-  uint64_t x = a ^ b;
-  uint64_t minus_x = ~x + (uint64_t)1U;
-  uint64_t x_or_minus_x = x | minus_x;
-  uint64_t xnx = x_or_minus_x >> (uint32_t)63U;
-  return xnx - (uint64_t)1U;
-}
-
-uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b)
-{
-  uint64_t x = a;
-  uint64_t y = b;
-  uint64_t x_xor_y = x ^ y;
-  uint64_t x_sub_y = x - y;
-  uint64_t x_sub_y_xor_y = x_sub_y ^ y;
-  uint64_t q = x_xor_y | x_sub_y_xor_y;
-  uint64_t x_xor_q = x ^ q;
-  uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U;
-  return x_xor_q_ - (uint64_t)1U;
-}
-
-uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b)
-{
-  uint32_t x = a ^ b;
-  uint32_t minus_x = ~x + (uint32_t)1U;
-  uint32_t x_or_minus_x = x | minus_x;
-  uint32_t xnx = x_or_minus_x >> (uint32_t)31U;
-  return xnx - (uint32_t)1U;
-}
-
-uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b)
-{
-  uint32_t x = a;
-  uint32_t y = b;
-  uint32_t x_xor_y = x ^ y;
-  uint32_t x_sub_y = x - y;
-  uint32_t x_sub_y_xor_y = x_sub_y ^ y;
-  uint32_t q = x_xor_y | x_sub_y_xor_y;
-  uint32_t x_xor_q = x ^ q;
-  uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U;
-  return x_xor_q_ - (uint32_t)1U;
-}
-
-uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b)
-{
-  uint16_t x = a ^ b;
-  uint16_t minus_x = ~x + (uint16_t)1U;
-  uint16_t x_or_minus_x = x | minus_x;
-  uint16_t xnx = x_or_minus_x >> (uint32_t)15U;
-  return xnx - (uint16_t)1U;
-}
-
-uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b)
-{
-  uint16_t x = a;
-  uint16_t y = b;
-  uint16_t x_xor_y = x ^ y;
-  uint16_t x_sub_y = x - y;
-  uint16_t x_sub_y_xor_y = x_sub_y ^ y;
-  uint16_t q = x_xor_y | x_sub_y_xor_y;
-  uint16_t x_xor_q = x ^ q;
-  uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U;
-  return x_xor_q_ - (uint16_t)1U;
-}
-
-uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b)
-{
-  uint8_t x = a ^ b;
-  uint8_t minus_x = ~x + (uint8_t)1U;
-  uint8_t x_or_minus_x = x | minus_x;
-  uint8_t xnx = x_or_minus_x >> (uint32_t)7U;
-  return xnx - (uint8_t)1U;
-}
-
-uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b)
-{
-  uint8_t x = a;
-  uint8_t y = b;
-  uint8_t x_xor_y = x ^ y;
-  uint8_t x_sub_y = x - y;
-  uint8_t x_sub_y_xor_y = x_sub_y ^ y;
-  uint8_t q = x_xor_y | x_sub_y_xor_y;
-  uint8_t x_xor_q = x ^ q;
-  uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U;
-  return x_xor_q_ - (uint8_t)1U;
-}
-

3rdparty/everest/library/legacy/Hacl_Curve25519.c

@@ -1,805 +0,0 @@
-/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
-   Licensed under the Apache 2.0 License. */
-
-/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
- * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
- * F* version: 059db0c8
- * KreMLin version: 916c37ac
- */
-
-
-#include "Hacl_Curve25519.h"
-
-extern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1);
-
-extern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1);
-
-extern FStar_UInt128_uint128
-FStar_UInt128_add(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-FStar_UInt128_add_mod(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128
-FStar_UInt128_logand(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
-
-extern FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 x0, uint32_t x1);
-
-extern FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t x0);
-
-extern uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 x0);
-
-extern FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1);
-
-static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
-{
-  uint64_t b4 = b[4U];
-  uint64_t b0 = b[0U];
-  uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
-  uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
-  b[4U] = b4_;
-  b[0U] = b0_;
-}
-
-inline static void
-Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_uint128 *input)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    FStar_UInt128_uint128 xi = input[i];
-    output[i] = FStar_UInt128_uint128_to_uint64(xi);
-  }
-}
-
-inline static void
-Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
-  FStar_UInt128_uint128 *output,
-  uint64_t *input,
-  uint64_t s
-)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    FStar_UInt128_uint128 xi = output[i];
-    uint64_t yi = input[i];
-    output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
-  }
-}
-
-inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_uint128 *tmp)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
-  {
-    uint32_t ctr = i;
-    FStar_UInt128_uint128 tctr = tmp[ctr];
-    FStar_UInt128_uint128 tctrp1 = tmp[ctr + (uint32_t)1U];
-    uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
-    FStar_UInt128_uint128 c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
-    tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
-    tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
-  }
-}
-
-inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
-{
-  uint64_t tmp = output[4U];
-  uint64_t b0;
-  {
-    uint32_t i;
-    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
-    {
-      uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
-      uint64_t z = output[ctr - (uint32_t)1U];
-      output[ctr] = z;
-    }
-  }
-  output[0U] = tmp;
-  b0 = output[0U];
-  output[0U] = (uint64_t)19U * b0;
-}
-
-static void
-Hacl_Bignum_Fmul_mul_shift_reduce_(
-  FStar_UInt128_uint128 *output,
-  uint64_t *input,
-  uint64_t *input2
-)
-{
-  uint32_t i;
-  uint64_t input2i;
-  {
-    uint32_t i0;
-    for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U)
-    {
-      uint64_t input2i0 = input2[i0];
-      Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0);
-      Hacl_Bignum_Fmul_shift_reduce(input);
-    }
-  }
-  i = (uint32_t)4U;
-  input2i = input2[i];
-  Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
-}
-
-inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
-{
-  uint64_t tmp[5U] = { 0U };
-  memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
-  KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
-  {
-    FStar_UInt128_uint128 t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    }
-    {
-      FStar_UInt128_uint128 b4;
-      FStar_UInt128_uint128 b0;
-      FStar_UInt128_uint128 b4_;
-      FStar_UInt128_uint128 b0_;
-      uint64_t i0;
-      uint64_t i1;
-      uint64_t i0_;
-      uint64_t i1_;
-      Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
-      Hacl_Bignum_Fproduct_carry_wide_(t);
-      b4 = t[4U];
-      b0 = t[0U];
-      b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
-      b0_ =
-        FStar_UInt128_add(b0,
-          FStar_UInt128_mul_wide((uint64_t)19U,
-            FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
-      t[4U] = b4_;
-      t[0U] = b0_;
-      Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
-      i0 = output[0U];
-      i1 = output[1U];
-      i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-      i1_ = i1 + (i0 >> (uint32_t)51U);
-      output[0U] = i0_;
-      output[1U] = i1_;
-    }
-  }
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_uint128 *tmp, uint64_t *output)
-{
-  uint64_t r0 = output[0U];
-  uint64_t r1 = output[1U];
-  uint64_t r2 = output[2U];
-  uint64_t r3 = output[3U];
-  uint64_t r4 = output[4U];
-  uint64_t d0 = r0 * (uint64_t)2U;
-  uint64_t d1 = r1 * (uint64_t)2U;
-  uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
-  uint64_t d419 = r4 * (uint64_t)19U;
-  uint64_t d4 = d419 * (uint64_t)2U;
-  FStar_UInt128_uint128
-  s0 =
-    FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
-        FStar_UInt128_mul_wide(d4, r1)),
-      FStar_UInt128_mul_wide(d2, r3));
-  FStar_UInt128_uint128
-  s1 =
-    FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
-        FStar_UInt128_mul_wide(d4, r2)),
-      FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
-  FStar_UInt128_uint128
-  s2 =
-    FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
-        FStar_UInt128_mul_wide(r1, r1)),
-      FStar_UInt128_mul_wide(d4, r3));
-  FStar_UInt128_uint128
-  s3 =
-    FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
-        FStar_UInt128_mul_wide(d1, r2)),
-      FStar_UInt128_mul_wide(r4, d419));
-  FStar_UInt128_uint128
-  s4 =
-    FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
-        FStar_UInt128_mul_wide(d1, r3)),
-      FStar_UInt128_mul_wide(r2, r2));
-  tmp[0U] = s0;
-  tmp[1U] = s1;
-  tmp[2U] = s2;
-  tmp[3U] = s3;
-  tmp[4U] = s4;
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_uint128 *tmp, uint64_t *output)
-{
-  FStar_UInt128_uint128 b4;
-  FStar_UInt128_uint128 b0;
-  FStar_UInt128_uint128 b4_;
-  FStar_UInt128_uint128 b0_;
-  uint64_t i0;
-  uint64_t i1;
-  uint64_t i0_;
-  uint64_t i1_;
-  Hacl_Bignum_Fsquare_fsquare__(tmp, output);
-  Hacl_Bignum_Fproduct_carry_wide_(tmp);
-  b4 = tmp[4U];
-  b0 = tmp[0U];
-  b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
-  b0_ =
-    FStar_UInt128_add(b0,
-      FStar_UInt128_mul_wide((uint64_t)19U,
-        FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
-  tmp[4U] = b4_;
-  tmp[0U] = b0_;
-  Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
-  i0 = output[0U];
-  i1 = output[1U];
-  i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-  i1_ = i1 + (i0 >> (uint32_t)51U);
-  output[0U] = i0_;
-  output[1U] = i1_;
-}
-
-static void
-Hacl_Bignum_Fsquare_fsquare_times_(
-  uint64_t *input,
-  FStar_UInt128_uint128 *tmp,
-  uint32_t count1
-)
-{
-  uint32_t i;
-  Hacl_Bignum_Fsquare_fsquare_(tmp, input);
-  for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
-    Hacl_Bignum_Fsquare_fsquare_(tmp, input);
-}
-
-inline static void
-Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
-{
-  KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
-  {
-    FStar_UInt128_uint128 t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    }
-    memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
-    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
-  }
-}
-
-inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
-{
-  KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
-  {
-    FStar_UInt128_uint128 t[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    }
-    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
-  }
-}
-
-inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
-{
-  uint64_t buf[20U] = { 0U };
-  uint64_t *a0 = buf;
-  uint64_t *t00 = buf + (uint32_t)5U;
-  uint64_t *b0 = buf + (uint32_t)10U;
-  uint64_t *t01;
-  uint64_t *b1;
-  uint64_t *c0;
-  uint64_t *a;
-  uint64_t *t0;
-  uint64_t *b;
-  uint64_t *c;
-  Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U);
-  Hacl_Bignum_Fmul_fmul(b0, t00, z);
-  Hacl_Bignum_Fmul_fmul(a0, b0, a0);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U);
-  Hacl_Bignum_Fmul_fmul(b0, t00, b0);
-  Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
-  t01 = buf + (uint32_t)5U;
-  b1 = buf + (uint32_t)10U;
-  c0 = buf + (uint32_t)15U;
-  Hacl_Bignum_Fmul_fmul(b1, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
-  Hacl_Bignum_Fmul_fmul(c0, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
-  Hacl_Bignum_Fmul_fmul(t01, t01, c0);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
-  Hacl_Bignum_Fmul_fmul(b1, t01, b1);
-  Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
-  a = buf;
-  t0 = buf + (uint32_t)5U;
-  b = buf + (uint32_t)10U;
-  c = buf + (uint32_t)15U;
-  Hacl_Bignum_Fmul_fmul(c, t0, b);
-  Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
-  Hacl_Bignum_Fmul_fmul(t0, t0, c);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
-  Hacl_Bignum_Fmul_fmul(t0, t0, b);
-  Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
-  Hacl_Bignum_Fmul_fmul(out, t0, a);
-}
-
-inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
-{
-  uint32_t i;
-  for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-  {
-    uint64_t xi = a[i];
-    uint64_t yi = b[i];
-    a[i] = xi + yi;
-  }
-}
-
-inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
-{
-  uint64_t tmp[5U] = { 0U };
-  uint64_t b0;
-  uint64_t b1;
-  uint64_t b2;
-  uint64_t b3;
-  uint64_t b4;
-  memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
-  b0 = tmp[0U];
-  b1 = tmp[1U];
-  b2 = tmp[2U];
-  b3 = tmp[3U];
-  b4 = tmp[4U];
-  tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
-  tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
-  tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
-  tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
-  tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
-  {
-    uint32_t i;
-    for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-    {
-      uint64_t xi = a[i];
-      uint64_t yi = tmp[i];
-      a[i] = yi - xi;
-    }
-  }
-}
-
-inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
-{
-  KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
-  {
-    FStar_UInt128_uint128 tmp[5U];
-    {
-      uint32_t _i;
-      for (_i = 0U; _i < (uint32_t)5U; ++_i)
-        tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    }
-    {
-      FStar_UInt128_uint128 b4;
-      FStar_UInt128_uint128 b0;
-      FStar_UInt128_uint128 b4_;
-      FStar_UInt128_uint128 b0_;
-      {
-        uint32_t i;
-        for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
-        {
-          uint64_t xi = b[i];
-          tmp[i] = FStar_UInt128_mul_wide(xi, s);
-        }
-      }
-      Hacl_Bignum_Fproduct_carry_wide_(tmp);
-      b4 = tmp[4U];
-      b0 = tmp[0U];
-      b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
-      b0_ =
-        FStar_UInt128_add(b0,
-          FStar_UInt128_mul_wide((uint64_t)19U,
-            FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
-      tmp[4U] = b4_;
-      tmp[0U] = b0_;
-      Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
-    }
-  }
-}
-
-inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
-{
-  Hacl_Bignum_Fmul_fmul(output, a, b);
-}
-
-inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
-{
-  Hacl_Bignum_Crecip_crecip(output, input);
-}
-
-static void
-Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
-{
-  uint32_t i = ctr - (uint32_t)1U;
-  uint64_t ai = a[i];
-  uint64_t bi = b[i];
-  uint64_t x = swap1 & (ai ^ bi);
-  uint64_t ai1 = ai ^ x;
-  uint64_t bi1 = bi ^ x;
-  a[i] = ai1;
-  b[i] = bi1;
-}
-
-static void
-Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
-{
-  if (!(ctr == (uint32_t)0U))
-  {
-    uint32_t i;
-    Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
-    i = ctr - (uint32_t)1U;
-    Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
-  }
-}
-
-static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
-{
-  uint64_t swap1 = (uint64_t)0U - iswap;
-  Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
-  Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
-}
-
-static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
-{
-  memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
-  memcpy(output + (uint32_t)5U,
-    input + (uint32_t)5U,
-    (uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]);
-}
-
-static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
-{
-  uint64_t i0 = load64_le(input);
-  uint8_t *x00 = input + (uint32_t)6U;
-  uint64_t i1 = load64_le(x00);
-  uint8_t *x01 = input + (uint32_t)12U;
-  uint64_t i2 = load64_le(x01);
-  uint8_t *x02 = input + (uint32_t)19U;
-  uint64_t i3 = load64_le(x02);
-  uint8_t *x0 = input + (uint32_t)24U;
-  uint64_t i4 = load64_le(x0);
-  uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
-  uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
-  output[0U] = output0;
-  output[1U] = output1;
-  output[2U] = output2;
-  output[3U] = output3;
-  output[4U] = output4;
-}
-
-static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
-  uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
-  uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
-  uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
-  uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
-  input[0U] = t0_;
-  input[1U] = t1__;
-  input[2U] = t2__;
-  input[3U] = t3__;
-  input[4U] = t4_;
-}
-
-static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
-{
-  Hacl_EC_Format_fcontract_first_carry_pass(input);
-  Hacl_Bignum_Modulo_carry_top(input);
-}
-
-static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
-  uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
-  uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
-  uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
-  uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
-  uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
-  uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
-  input[0U] = t0_;
-  input[1U] = t1__;
-  input[2U] = t2__;
-  input[3U] = t3__;
-  input[4U] = t4_;
-}
-
-static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
-{
-  uint64_t i0;
-  uint64_t i1;
-  uint64_t i0_;
-  uint64_t i1_;
-  Hacl_EC_Format_fcontract_second_carry_pass(input);
-  Hacl_Bignum_Modulo_carry_top(input);
-  i0 = input[0U];
-  i1 = input[1U];
-  i0_ = i0 & (uint64_t)0x7ffffffffffffU;
-  i1_ = i1 + (i0 >> (uint32_t)51U);
-  input[0U] = i0_;
-  input[1U] = i1_;
-}
-
-static void Hacl_EC_Format_fcontract_trim(uint64_t *input)
-{
-  uint64_t a0 = input[0U];
-  uint64_t a1 = input[1U];
-  uint64_t a2 = input[2U];
-  uint64_t a3 = input[3U];
-  uint64_t a4 = input[4U];
-  uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
-  uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
-  uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
-  uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
-  uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
-  uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
-  input[0U] = a0_;
-  input[1U] = a1_;
-  input[2U] = a2_;
-  input[3U] = a3_;
-  input[4U] = a4_;
-}
-
-static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
-{
-  uint64_t t0 = input[0U];
-  uint64_t t1 = input[1U];
-  uint64_t t2 = input[2U];
-  uint64_t t3 = input[3U];
-  uint64_t t4 = input[4U];
-  uint64_t o0 = t1 << (uint32_t)51U | t0;
-  uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
-  uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
-  uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
-  uint8_t *b0 = output;
-  uint8_t *b1 = output + (uint32_t)8U;
-  uint8_t *b2 = output + (uint32_t)16U;
-  uint8_t *b3 = output + (uint32_t)24U;
-  store64_le(b0, o0);
-  store64_le(b1, o1);
-  store64_le(b2, o2);
-  store64_le(b3, o3);
-}
-
-static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
-{
-  Hacl_EC_Format_fcontract_first_carry_full(input);
-  Hacl_EC_Format_fcontract_second_carry_full(input);
-  Hacl_EC_Format_fcontract_trim(input);
-  Hacl_EC_Format_fcontract_store(output, input);
-}
-
-static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
-{
-  uint64_t *x = point;
-  uint64_t *z = point + (uint32_t)5U;
-  uint64_t buf[10U] = { 0U };
-  uint64_t *zmone = buf;
-  uint64_t *sc = buf + (uint32_t)5U;
-  Hacl_Bignum_crecip(zmone, z);
-  Hacl_Bignum_fmul(sc, x, zmone);
-  Hacl_EC_Format_fcontract(scalar, sc);
-}
-
-static void
-Hacl_EC_AddAndDouble_fmonty(
-  uint64_t *pp,
-  uint64_t *ppq,
-  uint64_t *p,
-  uint64_t *pq,
-  uint64_t *qmqp
-)
-{
-  uint64_t *qx = qmqp;
-  uint64_t *x2 = pp;
-  uint64_t *z2 = pp + (uint32_t)5U;
-  uint64_t *x3 = ppq;
-  uint64_t *z3 = ppq + (uint32_t)5U;
-  uint64_t *x = p;
-  uint64_t *z = p + (uint32_t)5U;
-  uint64_t *xprime = pq;
-  uint64_t *zprime = pq + (uint32_t)5U;
-  uint64_t buf[40U] = { 0U };
-  uint64_t *origx = buf;
-  uint64_t *origxprime0 = buf + (uint32_t)5U;
-  uint64_t *xxprime0 = buf + (uint32_t)25U;
-  uint64_t *zzprime0 = buf + (uint32_t)30U;
-  uint64_t *origxprime;
-  uint64_t *xx0;
-  uint64_t *zz0;
-  uint64_t *xxprime;
-  uint64_t *zzprime;
-  uint64_t *zzzprime;
-  uint64_t *zzz;
-  uint64_t *xx;
-  uint64_t *zz;
-  uint64_t scalar;
-  memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
-  Hacl_Bignum_fsum(x, z);
-  Hacl_Bignum_fdifference(z, origx);
-  memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]);
-  Hacl_Bignum_fsum(xprime, zprime);
-  Hacl_Bignum_fdifference(zprime, origxprime0);
-  Hacl_Bignum_fmul(xxprime0, xprime, z);
-  Hacl_Bignum_fmul(zzprime0, x, zprime);
-  origxprime = buf + (uint32_t)5U;
-  xx0 = buf + (uint32_t)15U;
-  zz0 = buf + (uint32_t)20U;
-  xxprime = buf + (uint32_t)25U;
-  zzprime = buf + (uint32_t)30U;
-  zzzprime = buf + (uint32_t)35U;
-  memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
-  Hacl_Bignum_fsum(xxprime, zzprime);
-  Hacl_Bignum_fdifference(zzprime, origxprime);
-  Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
-  Hacl_Bignum_fmul(z3, zzzprime, qx);
-  Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
-  Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
-  zzz = buf + (uint32_t)10U;
-  xx = buf + (uint32_t)15U;
-  zz = buf + (uint32_t)20U;
-  Hacl_Bignum_fmul(x2, xx, zz);
-  Hacl_Bignum_fdifference(zz, xx);
-  scalar = (uint64_t)121665U;
-  Hacl_Bignum_fscalar(zzz, zz, scalar);
-  Hacl_Bignum_fsum(zzz, xx);
-  Hacl_Bignum_fmul(z2, zzz, zz);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt
-)
-{
-  uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
-  uint64_t bit;
-  Hacl_EC_Point_swap_conditional(nq, nqpq, bit0);
-  Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
-  bit = (uint64_t)(byt >> (uint32_t)7U);
-  Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt
-)
-{
-  uint8_t byt1;
-  Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
-  byt1 = byt << (uint32_t)1U;
-  Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
-}
-
-static void
-Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint8_t byt,
-  uint32_t i
-)
-{
-  if (!(i == (uint32_t)0U))
-  {
-    uint32_t i_ = i - (uint32_t)1U;
-    uint8_t byt_;
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
-    byt_ = byt << (uint32_t)2U;
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
-  }
-}
-
-static void
-Hacl_EC_Ladder_BigLoop_cmult_big_loop(
-  uint8_t *n1,
-  uint64_t *nq,
-  uint64_t *nqpq,
-  uint64_t *nq2,
-  uint64_t *nqpq2,
-  uint64_t *q,
-  uint32_t i
-)
-{
-  if (!(i == (uint32_t)0U))
-  {
-    uint32_t i1 = i - (uint32_t)1U;
-    uint8_t byte = n1[i1];
-    Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
-    Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
-  }
-}
-
-static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
-{
-  uint64_t point_buf[40U] = { 0U };
-  uint64_t *nq = point_buf;
-  uint64_t *nqpq = point_buf + (uint32_t)10U;
-  uint64_t *nq2 = point_buf + (uint32_t)20U;
-  uint64_t *nqpq2 = point_buf + (uint32_t)30U;
-  Hacl_EC_Point_copy(nqpq, q);
-  nq[0U] = (uint64_t)1U;
-  Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
-  Hacl_EC_Point_copy(result, nq);
-}
-
-void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
-{
-  uint64_t buf0[10U] = { 0U };
-  uint64_t *x0 = buf0;
-  uint64_t *z = buf0 + (uint32_t)5U;
-  uint64_t *q;
-  Hacl_EC_Format_fexpand(x0, basepoint);
-  z[0U] = (uint64_t)1U;
-  q = buf0;
-  {
-    uint8_t e[32U] = { 0U };
-    uint8_t e0;
-    uint8_t e31;
-    uint8_t e01;
-    uint8_t e311;
-    uint8_t e312;
-    uint8_t *scalar;
-    memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
-    e0 = e[0U];
-    e31 = e[31U];
-    e01 = e0 & (uint8_t)248U;
-    e311 = e31 & (uint8_t)127U;
-    e312 = e311 | (uint8_t)64U;
-    e[0U] = e01;
-    e[31U] = e312;
-    scalar = e;
-    {
-      uint64_t buf[15U] = { 0U };
-      uint64_t *nq = buf;
-      uint64_t *x = nq;
-      x[0U] = (uint64_t)1U;
-      Hacl_EC_Ladder_cmult(nq, scalar, q);
-      Hacl_EC_Format_scalar_of_point(mypublic, nq);
-    }
-  }
-}
-

3rdparty/everest/library/x25519.c

@@ -1,186 +0,0 @@
-/*
- *  ECDH with curve-optimized implementation multiplexing
- *
- *  Copyright 2016-2018 INRIA and Microsoft Corporation
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
-
-#include <mbedtls/ecdh.h>
-
-#if !(defined(__SIZEOF_INT128__) && (__SIZEOF_INT128__ == 16))
-#define KRML_VERIFIED_UINT128
-#endif
-
-#include <Hacl_Curve25519.h>
-#include <mbedtls/platform_util.h>
-
-#include "x25519.h"
-
-#include <string.h>
-
-/*
- * Initialize context
- */
-void mbedtls_x25519_init( mbedtls_x25519_context *ctx )
-{
-    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x25519_context ) );
-}
-
-/*
- * Free context
- */
-void mbedtls_x25519_free( mbedtls_x25519_context *ctx )
-{
-    if( ctx == NULL )
-        return;
-
-    mbedtls_platform_zeroize( ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
-    mbedtls_platform_zeroize( ctx->peer_point, MBEDTLS_X25519_KEY_SIZE_BYTES );
-}
-
-int mbedtls_x25519_make_params( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng )
-{
-    int ret = 0;
-
-    uint8_t base[MBEDTLS_X25519_KEY_SIZE_BYTES] = {0};
-
-    if( ( ret = f_rng( p_rng, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES ) ) != 0 )
-        return ret;
-
-    *olen = MBEDTLS_X25519_KEY_SIZE_BYTES + 4;
-    if( blen < *olen )
-        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
-
-    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
-    *buf++ = MBEDTLS_ECP_TLS_CURVE25519 >> 8;
-    *buf++ = MBEDTLS_ECP_TLS_CURVE25519 & 0xFF;
-    *buf++ = MBEDTLS_X25519_KEY_SIZE_BYTES;
-
-    base[0] = 9;
-    Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
-
-    base[0] = 0;
-    if( memcmp( buf, base, MBEDTLS_X25519_KEY_SIZE_BYTES) == 0 )
-        return MBEDTLS_ERR_ECP_RANDOM_FAILED;
-
-    return( 0 );
-}
-
-int mbedtls_x25519_read_params( mbedtls_x25519_context *ctx,
-                        const unsigned char **buf, const unsigned char *end )
-{
-    if( end - *buf < MBEDTLS_X25519_KEY_SIZE_BYTES + 1 )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
-    if( ( *(*buf)++ != MBEDTLS_X25519_KEY_SIZE_BYTES ) )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
-    memcpy( ctx->peer_point, *buf, MBEDTLS_X25519_KEY_SIZE_BYTES );
-    *buf += MBEDTLS_X25519_KEY_SIZE_BYTES;
-    return( 0 );
-}
-
-int mbedtls_x25519_get_params( mbedtls_x25519_context *ctx, const mbedtls_ecp_keypair *key,
-                               mbedtls_x25519_ecdh_side side )
-{
-    size_t olen = 0;
-
-    switch( side ) {
-    case MBEDTLS_X25519_ECDH_THEIRS:
-        return mbedtls_ecp_point_write_binary( &key->grp, &key->Q, MBEDTLS_ECP_PF_COMPRESSED, &olen, ctx->peer_point, MBEDTLS_X25519_KEY_SIZE_BYTES );
-    case MBEDTLS_X25519_ECDH_OURS:
-        return mbedtls_mpi_write_binary_le( &key->d, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
-    default:
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-    }
-}
-
-int mbedtls_x25519_calc_secret( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng )
-{
-    /* f_rng and p_rng are not used here because this implementation does not
-       need blinding since it has constant trace. */
-    (( void )f_rng);
-    (( void )p_rng);
-
-    *olen = MBEDTLS_X25519_KEY_SIZE_BYTES;
-
-    if( blen < *olen )
-        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
-
-    Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, ctx->peer_point);
-
-    /* Wipe the DH secret and don't let the peer chose a small subgroup point */
-    mbedtls_platform_zeroize( ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
-
-    if( memcmp( buf, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES) == 0 )
-        return MBEDTLS_ERR_ECP_RANDOM_FAILED;
-
-    return( 0 );
-}
-
-int mbedtls_x25519_make_public( mbedtls_x25519_context *ctx, size_t *olen,
-                        unsigned char *buf, size_t blen,
-                        int( *f_rng )(void *, unsigned char *, size_t),
-                        void *p_rng )
-{
-    int ret = 0;
-    unsigned char base[MBEDTLS_X25519_KEY_SIZE_BYTES] = { 0 };
-
-    if( ctx == NULL )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
-    if( ( ret = f_rng( p_rng, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES ) ) != 0 )
-        return ret;
-
-    *olen = MBEDTLS_X25519_KEY_SIZE_BYTES + 1;
-    if( blen < *olen )
-        return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
-    *buf++ = MBEDTLS_X25519_KEY_SIZE_BYTES;
-
-    base[0] = 9;
-    Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
-
-    base[0] = 0;
-    if( memcmp( buf, base, MBEDTLS_X25519_KEY_SIZE_BYTES ) == 0 )
-        return MBEDTLS_ERR_ECP_RANDOM_FAILED;
-
-    return( ret );
-}
-
-int mbedtls_x25519_read_public( mbedtls_x25519_context *ctx,
-                        const unsigned char *buf, size_t blen )
-{
-    if( blen < MBEDTLS_X25519_KEY_SIZE_BYTES + 1 )
-        return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
-    if( (*buf++ != MBEDTLS_X25519_KEY_SIZE_BYTES) )
-        return(MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
-    memcpy( ctx->peer_point, buf, MBEDTLS_X25519_KEY_SIZE_BYTES );
-    return( 0 );
-}
-
-
-#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */

CMakeLists.txt

@@ -1,42 +1,16 @@
-#
-# CMake build system design considerations:
-#
-# - Include directories:
-#   + Do not define include directories globally using the include_directories
-#     command but rather at the target level using the
-#     target_include_directories command. That way, it is easier to guarantee
-#     that targets are built using the proper list of include directories.
-#   + Use the PUBLIC and PRIVATE keywords to specifiy the scope of include
-#     directories. That way, a target linking to a library (using the
-#     target_link_librairies command) inherits from the library PUBLIC include
-#     directories and not from the PRIVATE ones.
-#   + Note: there is currently one remaining include_directories command in the
-#     CMake files. It is related to ZLIB support which is planned to be removed.
-#     When the support is removed, the associated include_directories command
-#     will be removed as well as this note.
-# - MBEDTLS_TARGET_PREFIX: CMake targets are designed to be alterable by calling
-#   CMake in order to avoid target name clashes, via the use of
-#   MBEDTLS_TARGET_PREFIX. The value of this variable is prefixed to the
-#   mbedtls, mbedx509, mbedcrypto and apidoc targets.
-#
-
-cmake_minimum_required(VERSION 2.8.12)
+cmake_minimum_required(VERSION 2.6)
 if(TEST_CPP)
     project("mbed TLS" C CXX)
 else()
     project("mbed TLS" C)
 endif()
 
-# Set the project root directory.
-set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR})
-
 option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
 option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
 
-option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
+option(ENABLE_PROGRAMS "Build mbed TLS programs." OFF)
 
 option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
-option(MBEDTLS_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
 
 string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
 string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}")
@@ -47,7 +21,7 @@ string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${CMAKE_C_COMPILER_ID}")
 if(CMAKE_COMPILER_IS_MSVC)
     option(ENABLE_TESTING "Build mbed TLS tests." OFF)
 else()
-    option(ENABLE_TESTING "Build mbed TLS tests." ON)
+    option(ENABLE_TESTING "Build mbed TLS tests." OFF)
 endif()
 
 # Warning string - created as a list for compatibility with CMake 2.8
@@ -72,30 +46,19 @@ set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
                          "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
                          "${WARNING_BORDER}")
 
-# Python 3 is only needed here to check for configuration warnings.
-if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
-    set(Python3_FIND_STRATEGY LOCATION)
-    find_package(Python3 COMPONENTS Interpreter)
-    if(Python3_Interpreter_FOUND)
-        set(MBEDTLS_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
-    endif()
-else()
-    find_package(PythonInterp 3)
-    if(PYTHONINTERP_FOUND)
-        set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
-    endif()
-endif()
-if(MBEDTLS_PYTHON_EXECUTABLE)
+find_package(PythonInterp)
+find_package(Perl)
+if(PERL_FOUND)
 
     # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-    execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
                         RESULT_VARIABLE result)
     if(${result} EQUAL 0)
         message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
     endif()
 
     # If NULL Entropy is configured, display an appropriate warning
-    execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
+    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
                         RESULT_VARIABLE result)
     if(${result} EQUAL 0)
         message(WARNING ${NULL_ENTROPY_WARNING})
@@ -116,12 +79,9 @@ option: \n\
     endif()
 endif()
 
-# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
-if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
-    set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
-        CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
-        FORCE)
-endif()
+set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
+    CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
+    FORCE)
 
 # Create a symbolic link from ${base_name} in the binary directory
 # to the corresponding path in the source directory.
@@ -159,48 +119,37 @@ endfunction(link_to_source)
 
 string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
 
-include(CheckCCompilerFlag)
-
 if(CMAKE_COMPILER_IS_GNU)
     # some warnings we want are not available with old GCC versions
     # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
     execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
                     OUTPUT_VARIABLE GCC_VERSION)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings")
-    if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla")
-    endif()
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings")
     if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
     endif()
     if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
     endif()
-    if (GCC_VERSION VERSION_GREATER 5.0)
-        CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
-        if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
-            set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
-        endif()
-    endif()
     set(CMAKE_C_FLAGS_RELEASE     "-O2")
     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
     set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
-    set(CMAKE_C_FLAGS_ASAN        "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
-    set(CMAKE_C_FLAGS_ASANDBG     "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
-    set(CMAKE_C_FLAGS_CHECK       "-Os")
+    set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -O3")
+    set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+    set(CMAKE_C_FLAGS_CHECK       "-Werror -Os")
     set(CMAKE_C_FLAGS_CHECKFULL   "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
 endif(CMAKE_COMPILER_IS_GNU)
 
 if(CMAKE_COMPILER_IS_CLANG)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
     set(CMAKE_C_FLAGS_RELEASE     "-O2")
     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
     set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
-    set(CMAKE_C_FLAGS_ASAN        "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
-    set(CMAKE_C_FLAGS_ASANDBG     "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
-    set(CMAKE_C_FLAGS_MEMSAN      "-fsanitize=memory -O3")
-    set(CMAKE_C_FLAGS_MEMSANDBG   "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
-    set(CMAKE_C_FLAGS_CHECK       "-Os")
+    set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
+    set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+    set(CMAKE_C_FLAGS_MEMSAN      "-Werror -fsanitize=memory -O3")
+    set(CMAKE_C_FLAGS_MEMSANDBG   "-Werror -fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
+    set(CMAKE_C_FLAGS_CHECK       "-Werror -Os")
 endif(CMAKE_COMPILER_IS_CLANG)
 
 if(CMAKE_COMPILER_IS_IAR)
@@ -208,25 +157,14 @@ if(CMAKE_COMPILER_IS_IAR)
 endif(CMAKE_COMPILER_IS_IAR)
 
 if(CMAKE_COMPILER_IS_MSVC)
-    # Strictest warnings
+    # Compile with UTF-8 encoding (REMOVE THIS COMMIT ONCE A FIX IS DEPLOYED UPSTREAM)
+    add_compile_options(/utf-8)
+
+    # Strictest warnings, and treat as errors
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
 endif(CMAKE_COMPILER_IS_MSVC)
 
-if(MBEDTLS_FATAL_WARNINGS)
-    if(CMAKE_COMPILER_IS_MSVC)
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
-    endif(CMAKE_COMPILER_IS_MSVC)
-
-    if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
-        if(UNSAFE_BUILD)
-            set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error=cpp")
-            set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error=cpp")
-            set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
-        endif(UNSAFE_BUILD)
-    endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
-endif(MBEDTLS_FATAL_WARNINGS)
-
 if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
     if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
         set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
@@ -238,6 +176,8 @@ else()
     set(LIB_INSTALL_DIR lib)
 endif()
 
+include_directories(include/)
+
 if(ENABLE_ZLIB_SUPPORT)
     find_package(ZLIB)
 
@@ -246,41 +186,14 @@ if(ENABLE_ZLIB_SUPPORT)
     endif(ZLIB_FOUND)
 endif(ENABLE_ZLIB_SUPPORT)
 
-add_subdirectory(include)
-
-add_subdirectory(3rdparty)
-list(APPEND libs ${thirdparty_lib})
-
 add_subdirectory(library)
-
-#
-# The C files in tests/src directory contain test code shared among test suites
-# and programs. This shared test code is compiled and linked to test suites and
-# programs objects as a set of compiled objects. The compiled objects are NOT
-# built into a library that the test suite and program objects would link
-# against as they link against the mbedcrypto, mbedx509 and mbedtls libraries.
-# The reason is that such library is expected to have mutual dependencies with
-# the aforementioned libraries and that there is as of today no portable way of
-# handling such dependencies (only toolchain specific solutions).
-#
-# Thus the below definition of the `mbedtls_test` CMake library of objects
-# target. This library of objects is used by tests and programs CMake files
-# to define the test executables.
-#
-if(ENABLE_TESTING OR ENABLE_PROGRAMS)
-    file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
-    add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
-    target_include_directories(mbedtls_test
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
-endif()
+add_subdirectory(include)
 
 if(ENABLE_PROGRAMS)
     add_subdirectory(programs)
 endif()
 
-ADD_CUSTOM_TARGET(${MBEDTLS_TARGET_PREFIX}apidoc
+ADD_CUSTOM_TARGET(apidoc
     COMMAND doxygen mbedtls.doxyfile
     WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
 

ChangeLog

@@ -1,69 +1,55 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 2.25.0 branch released 2020-12-11
+= mbed TLS 2.16.10 branch released 2021-03-12
 
-API changes
-   * The numerical values of the PSA Crypto API macros have been updated to
-     conform to version 1.0.0 of the specification.
-   * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
-     The underlying stream cipher is determined by the key type
-     (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
-   * The functions mbedtls_cipher_auth_encrypt() and
-     mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
-     as they have no way to check if the output buffer is large enough.
-     Please use mbedtls_cipher_auth_encrypt_ext() and
-     mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
-     Cryptofuzz. Fixes #3665.
-
-Requirement changes
-   * Update the minimum required CMake version to 2.8.12.  This silences a
-     warning on CMake 3.19.0. #3801
-
-New deprecations
-   * PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated.
-     Use PSA_ALG_STREAM_CIPHER instead.
-   * The functions mbedtls_cipher_auth_encrypt() and
-     mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
-     functions mbedtls_cipher_auth_encrypt_ext() and
-     mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
-     these new functions always append the tag to the ciphertext, and include
-     the tag in the ciphertext length.
-
-Features
-   * Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric
-     ciphers, asymmetric signing/verification and key generation, validate_key
-     entry point, and export_public_key interface.)
-   * Add support for ECB to the PSA cipher API.
-   * In PSA, allow using a key declared with a base key agreement algorithm
-     in combined key agreement and derivation operations, as long as the key
-     agreement algorithm in use matches the algorithm the key was declared with.
-     This is currently non-standard behaviour, but expected to make it into a
-     future revision of the PSA Crypto standard.
-   * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
-     mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
-     external CMake projects that include this one to avoid CMake target name
-     clashes.  The default value of this variable is "", so default target names
-     are unchanged.
-   * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
-     Pascal, improved by Ron Eldor.
-   * In the PSA API, it is no longer necessary to open persistent keys:
-     operations now accept the key identifier. The type psa_key_handle_t is now
-     identical to psa_key_id_t instead of being platform-defined. This bridges
-     the last major gap to compliance with the PSA Cryptography specification
-     version 1.0.0. Opening persistent keys is still supported for backward
-     compatibility, but will be deprecated and later removed in future
-     releases.
-   * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
-     PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
-     1.0.0 of the PSA Crypto API specification.
+Default behavior changes
+   * In mbedtls_rsa_context objects, the ver field was formerly documented
+     as always 0. It is now reserved for internal purposes and may take
+     different values.
+
+Security
+   * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
+     |A| - |B| where |B| is larger than |A| and has more limbs (so the
+     function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
+     applications calling mbedtls_mpi_sub_abs() directly are affected:
+     all calls inside the library were safe since this function is
+     only called with |A| >= |B|. Reported by Guido Vranken in #4042.
+   * Fix an errorneous estimation for an internal buffer in
+     mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
+     value the function might fail to write a private RSA keys of the largest
+     supported size.
+     Found by Daniel Otte, reported in #4093 and fixed in #4094,
+     backported in #4100.
+   * Fix a stack buffer overflow with mbedtls_net_poll() and
+     mbedtls_net_recv_timeout() when given a file descriptor that is
+     beyond FD_SETSIZE. Reported by FigBug in #4169.
+   * Guard against strong local side channel attack against base64 tables by
+     making access aceess to them use constant flow code.
+
+Bugfix
+   * Fix an incorrect error code if an RSA private operation glitched.
+   * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
+     is enabled, on platforms where initializing a mutex allocates resources.
+     This was a regression introduced in the previous release. Reported in
+     #4017, #4045 and #4071.
+   * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
+     twice is safe. This happens for RSA when some Mbed TLS library functions
+     fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
+     enabled on platforms where freeing a mutex twice is not safe.
+   * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
+     when MBEDTLS_THREADING_C is enabled on platforms where initializing
+     a mutex allocates resources.
+   * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
+     consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
+     include this extension in all CA certificates that contain public keys
+     used to validate digital signatures on certificates and MUST mark the
+     extension as critical in such certificates." Previous to this change,
+     the extension was always marked as non-critical. This was fixed by
+     #4044.
+
+= mbed TLS 2.16.9 branch released 2020-12-11
 
 Security
-   * The functions mbedtls_cipher_auth_encrypt() and
-     mbedtls_cipher_auth_decrypt() would write past the minimum documented
-     size of the output buffer when used with NIST_KW. As a result, code using
-     those functions as documented with NIST_KW could have a buffer overwrite
-     of up to 15 bytes, with consequences ranging up to arbitrary code
-     execution depending on the location of the output buffer.
    * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
      MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
      generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
@@ -93,50 +79,18 @@ Security
 Bugfix
    * Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey()
      when the input has trailing garbage. Fixes #2512.
-   * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
-     enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
-   * Include the psa_constant_names generated source code in the source tree
-     instead of generating it at build time. Fixes #3524.
    * Fix rsa_prepare_blinding() to retry when the blinding value is not
      invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
      addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
      Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
      Fixes #3647.
-   * Use socklen_t on Android and other POSIX-compliant system
    * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
      Fix #3432.
-   * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
-     sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
-     psa_cipher_* functions compliant with the PSA Crypto API specification.
-   * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
-     "x25519" and "x448". These curves support ECDH but not ECDSA. If you need
-     only the curves that support ECDSA, filter the list with
-     mbedtls_ecdsa_can_do().
-   * Fix psa_generate_key() returning an error when asked to generate
-     an ECC key pair on Curve25519 or secp244k1.
-   * Fix psa_key_derivation_output_key() to allow the output of a combined key
-     agreement and subsequent key derivation operation to be used as a key
-     inside of the PSA Crypto core.
-   * Fix handling of EOF against 0xff bytes and on platforms with unsigned
-     chars. Fixes a build failure on platforms where char is unsigned. Fixes
-     #3794.
-   * Fix an off-by-one error in the additional data length check for
-     CCM, which allowed encryption with a non-standard length field.
-     Fixes #3719.
    * Correct the default IV size for mbedtls_cipher_info_t structures using
      MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
    * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
-     defined. Fix contributed in #3571.
-   * Fix conditions for including string.h in error.c. Fixes #3866.
-   * psa_set_key_id() now also sets the lifetime to persistent for keys located
-     in a secure element.
-   * Attempting to create a volatile key with a non-zero key identifier now
-     fails. Previously the key identifier was just ignored when creating a
-     volatile key.
-   * Attempting to create or register a key with a key identifier in the vendor
-     range now fails.
+     defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602.
    * Fix build failures on GCC 11. Fixes #3782.
-   * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
    * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
      (an error condition) and the second operand was aliased to the result.
    * Fix a case in elliptic curve arithmetic where an out-of-memory condition
@@ -156,52 +110,20 @@ Bugfix
 Changes
    * Reduce stack usage significantly during sliding window exponentiation.
      Reported in #3591 and fix contributed in #3592 by Daniel Otte.
-   * The PSA persistent storage format is updated to always store the key bits
-     attribute. No automatic upgrade path is provided. Previously stored keys
-     must be erased, or manually upgraded based on the key storage format
-     specification (docs/architecture/mbed-crypto-storage-specification.md).
-     Fixes #3740.
    * Remove the zeroization of a pointer variable in AES rounds. It was valid
      but spurious and misleading since it looked like a mistaken attempt to
      zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
      Leti, France.
 
-= mbed TLS 2.24.0 branch released 2020-09-01
-
-API changes
-   * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
-     group families to psa_ecc_family_t and psa_dh_family_t, in line with the
-     PSA Crypto API specification version 1.0.0.
-     Rename associated macros as well:
-     PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
-     PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
-     PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
-     PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
-
-Default behavior changes
-   * Stop storing persistent information about externally stored keys created
-     through PSA Crypto with a volatile lifetime. Reported in #3288 and
-     contributed by Steven Cooreman in #3382.
+= mbed TLS 2.16.8 branch released 2020-09-01
 
 Features
-   * The new function mbedtls_ecp_write_key() exports private ECC keys back to
-     a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
    * Support building on e2k (Elbrus) architecture: correctly enable
      -Wformat-signedness, and fix the code that causes signed-one-bit-field
      and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
      <akemi_homura@kurisa.ch>.
 
 Security
-   * Fix a vulnerability in the verification of X.509 certificates when
-     matching the expected common name (the cn argument of
-     mbedtls_x509_crt_verify()) with the actual certificate name: when the
-     subjecAltName extension is present, the expected name was compared to any
-     name in that extension regardless of its type. This means that an
-     attacker could for example impersonate a 4-bytes or 16-byte domain by
-     getting a certificate for the corresponding IPv4 or IPv6 (this would
-     require the attacker to control that IP address, though). Similar attacks
-     using other subjectAltName name types might be possible. Found and
-     reported by kFYatek in #3498.
    * When checking X.509 CRLs, a certificate was only considered as revoked if
      its revocationDate was in the past according to the local clock if
      available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
@@ -235,80 +157,30 @@ Security
      Johan Uppman Bruce of Sectra.
 
 Bugfix
-   * Library files installed after a CMake build no longer have execute
-     permission.
-   * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
-     redefinition if the function is inlined.
-     Reported in #3451 and fix contributed in #3452 by okhowang.
-   * Fix the endianness of Curve25519 keys imported/exported through the PSA
-     APIs. psa_import_key and psa_export_key will now correctly expect/output
-     Montgomery keys in little-endian as defined by RFC7748. Contributed by
-     Steven Cooreman in #3425.
-   * Fix build errors when the only enabled elliptic curves are Montgomery
-     curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
-     also fixes missing declarations reported by Steven Cooreman in #1147.
-   * Fix self-test failure when the only enabled short Weierstrass elliptic
-     curve is secp192k1. Fixes #2017.
-   * PSA key import will now correctly import a Curve25519/Curve448 public key
-     instead of erroring out. Contributed by Steven Cooreman in #3492.
-   * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
-     lower bits. Fix contributed in #3540.
-   * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
-     conditions. Reported and fix suggested by Guido Vranken in #3486.
-   * Fix bug in redirection of unit test outputs on platforms where stdout is
-     defined as a macro. First reported in #2311 and fix contributed in #3528.
-
-Changes
-   * Only pass -Wformat-signedness to versions of GCC that support it. Reported
-     in #3478 and fix contributed in #3479 by okhowang.
+   * Avoid use of statically sized stack buffers for certificate writing.
+     This previously limited the maximum size of DER encoded certificates
+     in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
    * Reduce the stack consumption of mbedtls_x509write_csr_der() which
      previously could lead to stack overflow on constrained devices.
      Contributed by Doru Gucea and Simon Leet in #3464.
-   * Undefine the ASSERT macro before defining it locally, in case it is defined
-     in a platform header. Contributed by Abdelatif Guettouche in #3557.
+   * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
+     lower bits. Fix contributed in #3540.
+   * Fix building library/net_sockets.c and the ssl_mail_client program on
+     NetBSD. NetBSD conditionals were added for the backport to avoid the risk
+     of breaking a platform. Original fix contributed by Nia Alarie in #3422.
+     Adapted for long-term support branch 2.16 in #3558.
+   * Fix bug in redirection of unit test outputs on platforms where stdout is
+     defined as a macro. First reported in #2311 and fix contributed in #3528.
+     Adopted for LTS branch 2.16 in #3601.
+
+Changes
    * Update copyright notices to use Linux Foundation guidance. As a result,
      the copyright of contributors other than Arm is now acknowledged, and the
      years of publishing are no longer tracked in the source files. This also
      eliminates the need for the lines declaring the files to be part of
      MbedTLS. Fixes #3457.
-   * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
-     example applications which allows to provide a password for the key file
-     specified through the existing key_file argument. This allows the use of
-     these applications with password-protected key files. Analogously but for
-     ssl_server2 only, add the command line parameter key_pwd2 which allows to
-     set a password for the key file provided through the existing key_file2
-     argument.
 
-= mbed TLS 2.23.0 branch released 2020-07-01
-
-Default behavior changes
-   * In the experimental PSA secure element interface, change the encoding of
-     key lifetimes to encode a persistence level and the location. Although C
-     prototypes do not effectively change, code calling
-     psa_register_se_driver() must be modified to pass the driver's location
-     instead of the keys' lifetime. If the library is upgraded on an existing
-     device, keys created with the old lifetime value will not be readable or
-     removable through Mbed TLS after the upgrade.
-
-Features
-   * New functions in the error module return constant strings for
-     high- and low-level error codes, complementing mbedtls_strerror()
-     which constructs a string for any error code, including compound
-     ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
-     in #3176.
-   * The new utility programs/ssl/ssl_context_info prints a human-readable
-     dump of an SSL context saved with mbedtls_ssl_context_save().
-   * Add support for midipix, a POSIX layer for Microsoft Windows.
-   * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
-     parsing unsupported certificate extensions via user provided callback.
-     Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
-     a solution to #3241.
-   * Pass the "certificate policies" extension to the callback supplied to
-     mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
-     policies (#3419).
-   * Added support to entropy_poll for the kern.arandom syscall supported on
-     some BSD systems. Contributed by Nia Alarie in #3423.
-   * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
+= mbed TLS 2.16.7 branch released 2020-07-01
 
 Security
    * Fix a side channel vulnerability in modular exponentiation that could
@@ -333,92 +205,36 @@ Security
 
 Bugfix
    * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
-     Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
+     Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
      the example programs. Reported in #1430 and fix contributed by irwir.
    * Fix undefined behavior in X.509 certificate parsing if the
      pathLenConstraint basic constraint value is equal to INT_MAX.
      The actual effect with almost every compiler is the intended
-     behavior, so this is unlikely to be exploitable anywhere. #3192
-   * Fix issue with a detected HW accelerated record error not being exposed
-     due to shadowed variable. Contributed by Sander Visser in #3310.
-   * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
-     NULL pointer argument. Contributed by Sander Visser in #3312.
-   * Fix potential linker errors on dual world platforms by inlining
-     mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
-     from psa_crypto.c. Fixes #3300.
-   * Remove dead code in X.509 certificate parsing. Contributed by irwir in
-     #2855.
+     behavior, so this is unlikely to be exploitable anywhere. #3197
    * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
    * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
      when PRNG function fails. Contributed by Jonas Lejeune in #3318.
-   * Remove unused macros from MSVC projects. Reported in #3297 and fix
-     submitted in #3333 by irwir.
    * Add additional bounds checks in ssl_write_client_hello() preventing
      output buffer overflow if the configuration declared a buffer that was
      too small.
-   * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
-     fix submitted in #3421 by Nia Alarie.
-   * Fix building library/net_sockets.c and the ssl_mail_client program on
-     NetBSD. Contributed by Nia Alarie in #3422.
-   * Fix false positive uninitialised variable reported by cpp-check.
-     Contributed by Sander Visser in #3311.
-   * Update iv and len context pointers manually when reallocating buffers
-     using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
-     when receiving a connection with CID, when these fields were shifted
-     in ssl_parse_record_header().
 
 Changes
-   * Fix warnings about signedness issues in format strings. The build is now
-     clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
-     in #3153.
-   * Fix minor performance issue in operations on Curve25519 caused by using a
-     suboptimal modular reduction in one place. Found and fix contributed by
-     Aurelien Jarno in #3209.
-   * Combine identical cases in switch statements in md.c. Contributed
-     by irwir in #3208.
-   * Simplify a bounds check in ssl_write_certificate_request(). Contributed
-     by irwir in #3150.
    * Unify the example programs termination to call mbedtls_exit() instead of
      using a return command. This has been done to enable customization of the
      behavior in bare metal environments.
-   * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
-     Contributed by Koh M. Nakagawa in #3326.
-   * Use FindPython3 when cmake version >= 3.15.0
    * Abort the ClientHello writing function as soon as some extension doesn't
      fit into the record buffer. Previously, such extensions were silently
      dropped. As a consequence, the TLS handshake now fails when the output
      buffer is not large enough to hold the ClientHello.
-   * The unit tests now rely on header files in tests/include/test and source
-     files in tests/src. When building with make or cmake, the files in
-     tests/src are compiled and the resulting object linked into each test
-     executable.
    * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
-     `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
-     coutermeasures. If side channels are not a concern, this dependency can
-     be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
-   * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
-     Martinho. #3147
-   * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
-     in #3182 and fix submitted by irwir. #3217
-   * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
+     `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
+     `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
+     are not a concern, this dependency can be avoided by enabling the new
+     option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
 
-= mbed TLS 2.22.0 branch released 2020-04-14
-
-New deprecations
-   * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
-     SSL module for hardware acceleration of individual records.
-   * Deprecate mbedtls_ssl_get_max_frag_len() in favour of
-     mbedtls_ssl_get_output_max_frag_len() and
-     mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
-     fragment length is desired.
+= mbed TLS 2.16.6 branch released 2020-04-14
 
 Security
-   * Fix issue in DTLS handling of new associations with the same parameters
-     (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
-     the server could cause it to drop established associations with
-     legitimate clients, resulting in a Denial of Service. This could only
-     happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
-     (which it is by default).
    * Fix side channel in ECC code that allowed an adversary with access to
      precise enough timing and memory access information (typically an
      untrusted operating system attacking a secure enclave) to fully recover
@@ -427,37 +243,13 @@ Security
    * Fix a potentially remotely exploitable buffer overread in a
      DTLS client when parsing the Hello Verify Request message.
 
-Features
-   * The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically
-     resizes the I/O buffers before and after handshakes, reducing the memory
-     consumption during application data transfer.
-
 Bugfix
    * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
      MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
-   * Remove a spurious check in ssl_parse_client_psk_identity that triggered
-     a warning with some compilers. Fix contributed by irwir in #2856.
    * Fix a function name in a debug message. Contributed by Ercan Ozturk in
      #3013.
 
-Changes
-   * Mbed Crypto is no longer a Git submodule. The crypto part of the library
-     is back directly in the present repository.
-   * Split mbedtls_ssl_get_max_frag_len() into
-     mbedtls_ssl_get_output_max_frag_len() and
-     mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
-     buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
-     is defined), regardless of what MFL was configured for it.
-
-= mbed TLS 2.21.0 branch released 2020-02-20
-
-New deprecations
-   * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing
-     SSLv2 ClientHello messages.
-   * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
-   * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
-     library which allows TLS authentication to use keys stored in a
-     PKCS#11 token such as a smartcard.
+= mbed TLS 2.16.5 branch released 2020-02-20
 
 Security
    * Fix potential memory overread when performing an ECDSA signature
@@ -472,49 +264,22 @@ Security
      Brumley. Reported and fix contributed by Jack Lloyd.
      ARMmbed/mbed-crypto#352
 
-Features
-   * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
-     support without SHA-384.
-
-API changes
-   * Change the encoding of key types and curves in the PSA API. The new
-     values are aligned with the upcoming release of the PSA Crypto API
-     specification version 1.0.0. The main change which may break some
-     existing code is that elliptic curve key types no longer encode the
-     exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes
-     a curve family and the key size determines the exact curve (for example,
-     PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
-
 Bugfix
    * Fix an unchecked call to mbedtls_md() in the x509write module.
-   * Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by
-     Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
-   * Fix some false-positive uninitialized variable warnings in X.509. Fix
-     contributed by apple-ihack-geek in #2663.
-   * Fix a possible error code mangling in psa_mac_verify_finish() when
-     a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
    * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
      RSA keys that would later be rejected by functions expecting private
      keys. Found by Catena cyber using oss-fuzz (issue 20467).
-   * Fix a bug in mbedtls_pk_parse_key() that would cause it to
-     accept some RSA keys with invalid values by silently fixing those values.
+   * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
+     RSA keys with invalid values by silently fixing those values.
 
-= mbed TLS 2.20.0 branch released 2020-01-15
-
-Default behavior changes
-   * The initial seeding of a CTR_DRBG instance makes a second call to the
-     entropy function to obtain entropy for a nonce if the entropy size is less
-     than 3/2 times the key size. In case you want to disable the extra call to
-     grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
-     nonce length to 0.
+= mbed TLS 2.16.4 branch released 2020-01-15
 
 Security
-   * Enforce that mbedtls_entropy_func() gathers a total of
-     MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
-     default configuration, on a platform with a single entropy source, the
-     entropy module formerly only grabbed 32 bytes, which is good enough for
-     security if the source is genuinely strong, but less than the expected 64
-     bytes (size of the entropy accumulator).
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
    * Zeroize local variables in mbedtls_internal_aes_encrypt() and
      mbedtls_internal_aes_decrypt() before exiting the function. The value of
      these variables can be used to recover the last round key. To follow best
@@ -523,11 +288,6 @@ Security
      Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
      Grant Hernandez, and Kevin Butler (University of Florida) and
      Dave Tian (Purdue University).
-   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
-     constant time/constant trace, so side channel attacks can retrieve the
-     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
-     to have only large prime factors), and then, by brute force, recover the
-     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
    * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
      timings on the comparison in the key generation enabled the attacker to
      learn leading bits of the ephemeral key used during ECDSA signatures and to
@@ -537,159 +297,62 @@ Security
      reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
      Sectra.
 
-Features
-   * Key derivation inputs in the PSA API can now either come from a key object
-     or from a buffer regardless of the step type.
-   * The CTR_DRBG module can grab a nonce from the entropy source during the
-     initial seeding. The default nonce length is chosen based on the key size
-     to achieve the security strength defined by NIST SP 800-90A. You can
-     change it with mbedtls_ctr_drbg_set_nonce_len().
-   * Add ENUMERATED tag support to the ASN.1 module. Contributed by
-     msopiha-linaro in ARMmbed/mbed-crypto#307.
-
-API changes
-   * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
-     key derivation function, use a buffer instead (this is now always
-     possible).
-   * Rename psa_asymmetric_sign() to psa_sign_hash() and
-     psa_asymmetric_verify() to psa_verify_hash().
-
 Bugfix
-   * Fix an incorrect size in a debugging message. Reported and fix
-     submitted by irwir. Fixes #2717.
-   * Fix an unused variable warning when compiling without DTLS.
-     Reported and fix submitted by irwir. Fixes #2800.
-   * Remove a useless assignment. Reported and fix submitted by irwir.
-     Fixes #2801.
-   * Fix a buffer overflow in the PSA HMAC code when using a long key with an
-     unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
-   * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
-     to OSS-Fuzz for finding a bug in an intermediate version of the fix.
-   * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
-     most 2 bytes.
-   * mbedtls_ctr_drbg_set_entropy_len() and
-     mbedtls_hmac_drbg_set_entropy_len() now work if you call them before
-     mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().
+   * Remove redundant line for getting the bitlen of a bignum, since the variable
+     holding the returned value is overwritten a line after.
+     Found by irwir in #2377.
+   * Support mbedtls_hmac_drbg_set_entropy_len() and
+     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
+     the initial seeding always reset the entropy length to the compile-time
+     default.
 
 Changes
-   * Remove the technical possibility to define custom mbedtls_md_info
-     structures, which was exposed only in an internal header.
-   * psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as
-     before).
-   * Variables containing error codes are now initialized to an error code
-     rather than success, so that coding mistakes or memory corruption tends to
-     cause functions to return this error code rather than a success. There are
-     no known instances where this changes the behavior of the library: this is
-     merely a robustness improvement. ARMmbed/mbed-crypto#323
-   * Remove a useless call to mbedtls_ecp_group_free(). Contributed by
-     Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
-   * Speed up PBKDF2 by caching the digest calculation. Contributed by Jack
-     Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
-   * Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by
-     Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
+   * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
+     from the cipher abstraction layer. Fixes #2198.
+   * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
+     NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
+     to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
 
-= mbed TLS 2.19.1 branch released 2019-09-16
-
-Features
-   * Declare include headers as PUBLIC to propagate to CMake project consumers
-     Contributed by Zachary J. Fields in PR #2949.
-   * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of
-     TLS sessions with tools like Wireshark.
-
-API Changes
-   * Make client_random and server_random const in
-     mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
-     from modifying the client/server hello.
-
-Bugfix
-   * Fix some false-positive uninitialized variable warnings in crypto. Fix
-     contributed by apple-ihack-geek in #2663.
-
-= mbed TLS 2.19.0 branch released 2019-09-06
+= mbed TLS 2.16.3 branch released 2019-09-06
 
 Security
    * Fix a missing error detection in ECJPAKE. This could have caused a
      predictable shared secret if a hardware accelerator failed and the other
      side of the key exchange had a similar bug.
-   * When writing a private EC key, use a constant size for the private
-     value, as specified in RFC 5915. Previously, the value was written
-     as an ASN.1 INTEGER, which caused the size of the key to leak
-     about 1 bit of information on average and could cause the value to be
-     1 byte too large for the output buffer.
    * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
      implement blinding. Because of this for the same key and message the same
      blinding value was generated. This reduced the effectiveness of the
      countermeasure and leaked information about the private key through side
      channels. Reported by Jack Lloyd.
-
-Features
-   * Add new API functions mbedtls_ssl_session_save() and
-     mbedtls_ssl_session_load() to allow serializing a session, for example to
-     store it in non-volatile storage, and later using it for TLS session
-     resumption.
-   * Add a new API function mbedtls_ssl_check_record() to allow checking that
-     an incoming record is valid, authentic and has not been seen before. This
-     feature can be used alongside Connection ID and SSL context serialisation.
-     The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
-     option.
-   * New implementation of X25519 (ECDH using Curve25519) from Project Everest
-     (https://project-everest.github.io/). It can be enabled at compile time
-     with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
-     verified and significantly faster, but is only supported on x86 platforms
-     (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
-     Christoph Wintersteiger from Microsoft Research.
-   * Add mbedtls_net_close(), enabling the building of forking servers where
-     the parent process closes the client socket and continue accepting, and
-     the child process closes the listening socket and handles the client
-     socket. Contributed by Robert Larsen in #2803.
+   * When writing a private EC key, use a constant size for the private
+     value, as specified in RFC 5915. Previously, the value was written
+     as an ASN.1 INTEGER, which caused the size of the key to leak
+     about 1 bit of information on average and could cause the value to be
+     1 byte too large for the output buffer.
 
 API Changes
-   * Add DER-encoded test CRTs to library/certs.c, allowing
-     the example programs ssl_server2 and ssl_client2 to be run
-     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
-   * The HAVEGE state type now uses uint32_t elements instead of int.
-   * The functions mbedtls_ecp_curve_list() and mbedtls_ecp_grp_id_list() now
-     list all curves for which at least one of ECDH or ECDSA is supported, not
-     just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
-     mbedtls_ecdh_can_do() on each result to check whether each algorithm is
-     supported.
    * The new function mbedtls_ecdsa_sign_det_ext() is similar to
      mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
      purpose of blinding.
 
-New deprecations
-   * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an
-     RNG function as an input.
-   * Calling mbedtls_ecdsa_write_signature() with NULL as the f_rng argument
-     is now deprecated.
-
 Bugfix
-   * Fix missing bounds checks in X.509 parsing functions that could
-     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
-   * Fix multiple X.509 functions previously returning ASN.1 low-level error
-     codes to always wrap these codes into X.509 high level error codes before
-     returning. Fixes #2431.
    * Fix to allow building test suites with any warning that detects unused
      functions. Fixes #1628.
    * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
    * Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
-   * Fix build failure when building with mingw on Windows by including
-     stdarg.h where needed. Fixes #2656.
    * Fix Visual Studio Release x64 build configuration by inheriting
      PlatformToolset from the project configuration. Fixes #1430 reported by
      irwir.
    * Enable Suite B with subset of ECP curves. Make sure the code compiles even
      if some curves are not defined. Fixes #1591 reported by dbedev.
    * Fix misuse of signed arithmetic in the HAVEGE module. #2598
-   * Avoid use of statically sized stack buffers for certificate writing.
-     This previously limited the maximum size of DER encoded certificates
-     in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
-   * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
    * Update test certificates that were about to expire. Reported by
      Bernhard M. Wiedemann in #2357.
    * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
      that are only available in Thumb mode. Fix contributed by Aurelien Jarno
      in #2169.
+   * Fix undefined memset(NULL) call in test_suite_nist_kw.
+   * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
    * Fix propagation of restart contexts in restartable EC operations.
      This could previously lead to segmentation faults in builds using an
      address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
@@ -698,77 +361,35 @@ Bugfix
    * Improve code clarity in x509_crt module, removing false-positive
      uninitialized variable warnings on some recent toolchains (GCC8, etc).
      Discovered and fixed by Andy Gross (Linaro), #2392.
+   * Zero length buffer check for undefined behavior in
+     mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
    * Fix bug in endianness conversion in bignum module. This lead to
      functionally incorrect code on bigendian systems which don't have
      __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.
 
 Changes
-   * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
    * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
      suggests). #2671
    * Make `make clean` clean all programs always. Fixes #1862.
-   * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
-     docker-env.sh) to simplify running test suites on a Linux host. Contributed
-     by Peter Kolbus (Garmin).
-   * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
-     test runs without variability. Contributed by Philippe Antoine (Catena
-     cyber) in #2681.
-   * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
-   * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
-     Contributed by Philippe Antoine (Catena cyber).
-   * Remove the crypto part of the library from Mbed TLS. The crypto
-     code and tests are now only available via Mbed Crypto, which
-     Mbed TLS references as a Git submodule.
 
-= mbed TLS 2.18.1 branch released 2019-07-12
-
-Bugfix
-   * Fix build failure when building with mingw on Windows by including
-     stdarg.h where needed. Fixes #2656.
-
-Changes
-   * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
-     Ashley Duncan in #2609.
-
-= mbed TLS 2.18.0 branch released 2019-06-11
-
-Features
-   * Add the Any Policy certificate policy oid, as defined in
-     rfc 5280 section 4.2.1.4.
-   * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
-     Contributed by Jack Lloyd and Fortanix Inc.
-   * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
-   * Add the oid certificate policy x509 extension.
-   * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
-     Contributed by Jack Lloyd and Fortanix Inc.
-   * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
-     and the used tls-prf.
-   * Add public API for tls-prf function, according to requested enum.
-   * Add support for parsing otherName entries in the Subject Alternative Name
-     X.509 certificate extension, specifically type hardware module name,
-     as defined in RFC 4108 section 5.
-   * Add support for parsing certificate policies extension, as defined in
-     RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
-     supported.
-   * List all SAN types in the subject_alt_names field of the certificate.
-     Resolves #459.
-   * Add support for draft-05 of the Connection ID extension, as specified
-     in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
-     The Connection ID extension allows to keep DTLS connections beyond the
-     lifetime of the underlying transport by adding a connection identifier
-     to the DTLS record header. This identifier can be used to associated an
-     incoming record with the correct connection data even after the peer has
-     changed its IP or port. The feature is enabled at compile-time by setting
-     MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
-     through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
-
-
-API Changes
-   * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
-     and the used tls-prf.
-   * Add public API for tls-prf function, according to requested enum.
+= mbed TLS 2.16.2 branch released 2019-06-11
+
+Security
+   * Make mbedtls_ecdh_get_params return an error if the second key
+     belongs to a different group from the first. Before, if an application
+     passed keys that belonged to different group, the first key's data was
+     interpreted according to the second group, which could lead to either
+     an error or a meaningless output from mbedtls_ecdh_get_params. In the
+     latter case, this could expose at most 5 bits of the private key.
 
 Bugfix
+   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
+     mbedTLS configuration only SHA-2 signed certificates are accepted.
+     This certificate is used in the demo server programs, which lead the
+     client programs to fail at the peer's certificate verification
+     due to an unacceptable hash signature. The certificate has been
+     updated to one that is SHA-256 signed. Fix contributed by
+     Illya Gerasymchuk.
    * Fix private key DER output in the key_app_writer example. File contents
      were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
      Christian Walther in #2239.
@@ -783,26 +404,22 @@ Bugfix
      GCM and CCM were not affected. Fixed by Jack Lloyd.
    * Fix incorrect default port number in ssl_mail_client example's usage.
      Found and fixed by irwir. #2337
-   * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
-     Fixed by Peter Kolbus (Garmin). #2579
    * Add missing parentheses around parameters in the definition of the
      public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
      in case operators binding less strongly than subtraction were used
      for the parameter.
    * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
      sni entry parameter. Reported by inestlerode in #560.
-   * Set the next sequence of the subject_alt_name to NULL when deleting
-     sequence on failure. Found and fix suggested by Philippe Antoine.
-     Credit to OSS-Fuzz.
+   * Add DER-encoded test CRTs to library/certs.c, allowing
+     the example programs ssl_server2 and ssl_client2 to be run
+     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
+   * Fix missing bounds checks in X.509 parsing functions that could
+     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
+   * Fix multiple X.509 functions previously returning ASN.1 low-level error
+     codes to always wrap these codes into X.509 high level error codes before
+     returning. Fixes #2431.
 
 Changes
-   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
-     mbedTLS configuration only SHA-2 signed certificates are accepted.
-     This certificate is used in the demo server programs, which lead the
-     client programs to fail at the peer's certificate verification
-     due to an unacceptable hash signature. The certificate has been
-     updated to one that is SHA-256 signed. Fix contributed by
-     Illya Gerasymchuk.
    * Return from various debugging routines immediately if the
      provided SSL context is unset.
    * Remove dead code from bignum.c in the default configuration.
@@ -811,39 +428,15 @@ Changes
      Contributed by Peter Kolbus (Garmin).
    * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
      improve clarity. Fixes #2258.
+   * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
 
-= mbed TLS 2.17.0 branch released 2019-03-19
+= mbed TLS 2.16.1 branch released 2019-03-19
 
 Features
-   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`
-     which allows copy-less parsing of DER encoded X.509 CRTs,
-     at the cost of additional lifetime constraints on the input
-     buffer, but at the benefit of reduced RAM consumption.
-   * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1
-     named bitstring in DER as required by RFC 5280 Appendix B.
    * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
      from the default list (enabled by default). See
      https://sweet32.info/SWEET32_CCS16.pdf.
 
-API Changes
-   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
-     See the Features section for more information.
-   * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
-     for the benefit of saving RAM, by disabling the new compile-time
-     option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
-     API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
-     always return NULL, and removes the peer_cert field from the
-     mbedtls_ssl_session structure which otherwise stores the peer's
-     certificate.
-
-Security
-   * Make mbedtls_ecdh_get_params return an error if the second key
-     belongs to a different group from the first. Before, if an application
-     passed keys that belonged to different group, the first key's data was
-     interpreted according to the second group, which could lead to either
-     an error or a meaningless output from mbedtls_ecdh_get_params. In the
-     latter case, this could expose at most 5 bits of the private key.
-
 Bugfix
    * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
      when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
@@ -853,14 +446,19 @@ Bugfix
      previously lead to a stack overflow on constrained targets.
    * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
      in the header files, which missed the precompilation check. #971
-   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
-   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
-   * Remove the mbedtls namespacing from the header file, to fix a "file not found"
-     build error. Fixed by Haijun Gu #2319.
+   * Fix clobber list in MIPS assembly for large integer multiplication.
+     Previously, this could lead to functionally incorrect assembly being
+     produced by some optimizing compilers, showing up as failures in
+     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
+     by Aurelien Jarno and submitted by Jeffrey Martin.
    * Fix signed-to-unsigned integer conversion warning
      in X.509 module. Fixes #2212.
    * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
      Fixes #2190.
+   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
+   * Remove the mbedtls namespacing from the header file, to fix a "file not found"
+     build error. Fixed by Haijun Gu #2319.
+   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
    * Fix false failure in all.sh when backup files exist in include/mbedtls
      (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
    * Ensure that unused bits are zero when writing ASN.1 bitstrings when using
@@ -871,26 +469,15 @@ Bugfix
      leading content octet. Fixes #1610.
 
 Changes
-   * Reduce RAM consumption during session renegotiation by not storing
-     the peer CRT chain and session ticket twice.
    * Include configuration file in all header files that use configuration,
      instead of relying on other header files that they include.
      Inserted as an enhancement for #1371
    * Add support for alternative CSR headers, as used by Microsoft and defined
      in RFC 7468. Found by Michael Ernst. Fixes #767.
-   * Correct many misspellings. Fixed by MisterDA #2371.
-   * Provide an abstraction of vsnprintf to allow alternative implementations
-     for platforms that don't provide it. Based on contributions by Joris Aerts
-     and Nathaniel Wesley Filardo.
-   * Fix clobber list in MIPS assembly for large integer multiplication.
-     Previously, this could lead to functionally incorrect assembly being
-     produced by some optimizing compilers, showing up as failures in
-     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
-     by Aurelien Jarno and submitted by Jeffrey Martin.
-   * Reduce the complexity of the timing tests. They were assuming more than the
-     underlying OS actually guarantees.
    * Fix configuration queries in ssl-opt.h. #2030
    * Ensure that ssl-opt.h can be run in OS X. #2029
+   * Reduce the complexity of the timing tests. They were assuming more than the
+     underlying OS actually guarantees.
    * Re-enable certain interoperability tests in ssl-opt.sh which had previously
      been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
    * Ciphersuites based on 3DES now have the lowest priority by default when
@@ -953,24 +540,6 @@ Bugfix
    * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
      of check for certificate/key matching. Reported by Attila Molnar, #507.
 
- = mbed TLS 2.15.1 branch released 2018-11-30
-
- Changes
-    * Update the Mbed Crypto submodule to version 0.1.0b2.
-
- = mbed TLS 2.15.0 branch released 2018-11-23
-
- Features
-    * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
-      Mbed Crypto as the source of the cryptography implementation.
-    * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
-      the PSA Crypto API from Mbed Crypto when additionally used with the
-      USE_CRYPTO_SUBMODULE build option.
-
- Changes
-    * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
-      from the cipher abstraction layer. Fixes #2198.
-
 = mbed TLS 2.14.1 branch released 2018-11-30
 
 Security

ChangeLog.d/00README.md

@@ -22,7 +22,7 @@ We generally don't include changelog entries for:
 * Changes to parts of the code base that users don't interact with directly,
   such as test code and test data.
 
-Until Mbed TLS 2.24.0, we required changelog entries in more cases.
+Until Mbed TLS 2.16.8, we required changelog entries in more cases.
 Looking at older changelog entries is good practice for how to write a
 changelog entry, but not for deciding whether to write one.
 

ChangeLog.d/add-missing-parenthesis.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+     defined. Fixes #4217.

ChangeLog.d/aescrypt2.txt

@@ -0,0 +1,3 @@
+Changes
+   * Remove the AES sample application programs/aes/aescrypt2 which shows
+     bad cryptographic practice. Fix #1906.

ChangeLog.d/bugfix_PR3616.txt

@@ -0,0 +1,5 @@
+Bugfix
+   * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
+     lead to the seed file corruption in case if the path to the seed file is
+     equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
+     Krasnoshchok in #3616.

ChangeLog.d/dhm_min_bitlen.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.

ChangeLog.d/dtls_sample_use_read_timeout.txt

@@ -0,0 +1,2 @@
+Changes
+   * Fix the setting of the read timeout in the DTLS sample programs.

ChangeLog.d/fix-pk-parse-key-error-code.txt

@@ -0,0 +1,2 @@
+Bugfix
+   * Fix an incorrect error code when parsing a PKCS#8 private key.

ChangeLog.d/mpi_read_negative_zero.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * mbedtls_mpi_read_string on "-0" produced an MPI object that was not treated
+     as equal to 0 in all cases. Fix it to produce the same object as "0".

LICENSE

@@ -1,202 +1,5 @@
+Unless specifically indicated otherwise in a file, Mbed TLS files are provided
+under the Apache License 2.0, or the GNU General Public License v2.0 or later
+(SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later).
 
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+A copy of these licenses can be found in apache-2.0.txt and gpl-2.0.txt

Makefile

@@ -1,3 +1,4 @@
+
 DESTDIR=/usr/local
 PREFIX=mbedtls_
 
@@ -10,24 +11,19 @@ all: programs tests
 
 no_test: programs
 
-programs: lib mbedtls_test
+programs: lib
 	$(MAKE) -C programs
 
 lib:
 	$(MAKE) -C library
 
-tests: lib mbedtls_test
+tests: lib
 	$(MAKE) -C tests
 
-mbedtls_test:
-	$(MAKE) -C tests mbedtls_test
-
 ifndef WINDOWS
 install: no_test
 	mkdir -p $(DESTDIR)/include/mbedtls
 	cp -rp include/mbedtls $(DESTDIR)/include
-	mkdir -p $(DESTDIR)/include/psa
-	cp -rp include/psa $(DESTDIR)/include
 
 	mkdir -p $(DESTDIR)/lib
 	cp -RP library/libmbedtls.*    $(DESTDIR)/lib
@@ -45,7 +41,6 @@ install: no_test
 
 uninstall:
 	rm -rf $(DESTDIR)/include/mbedtls
-	rm -rf $(DESTDIR)/include/psa
 	rm -f $(DESTDIR)/lib/libmbedtls.*
 	rm -f $(DESTDIR)/lib/libmbedx509.*
 	rm -f $(DESTDIR)/lib/libmbedcrypto.*
@@ -78,11 +73,11 @@ post_build:
 ifndef WINDOWS
 
 	# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-	-scripts/config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
+	-scripts/config.pl get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
 	    echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
 
 	# If NULL Entropy is configured, display an appropriate warning
-	-scripts/config.py get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
+	-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
 	    echo '$(NULL_ENTROPY_WARNING)'
 endif
 
@@ -127,22 +122,13 @@ apidoc_clean:
 endif
 
 ## Editor navigation files
-C_SOURCE_FILES = $(wildcard \
-	3rdparty/*/include/*/*.h 3rdparty/*/include/*/*/*.h 3rdparty/*/include/*/*/*/*.h \
-	3rdparty/*/*.c 3rdparty/*/*/*.c 3rdparty/*/*/*/*.c 3rdparty/*/*/*/*/*.c \
-	include/*/*.h \
-	library/*.[hc] \
-	programs/*/*.[hc] \
-	tests/include/*/*.h tests/include/*/*/*.h \
-	tests/src/*.c tests/src/*/*.c \
-	tests/suites/*.function \
-)
+C_SOURCE_FILES = $(wildcard include/*/*.h library/*.[hc] programs/*/*.[hc] tests/suites/*.function)
 # Exuberant-ctags invocation. Other ctags implementations may require different options.
-CTAGS = ctags --langmap=c:+.h.function -o
+CTAGS = ctags --langmap=c:+.h.function --line-directives=no -o
 tags: $(C_SOURCE_FILES)
 	$(CTAGS) $@ $(C_SOURCE_FILES)
 TAGS: $(C_SOURCE_FILES)
-	etags -o $@ $(C_SOURCE_FILES)
+	etags --no-line-directive -o $@ $(C_SOURCE_FILES)
 global: GPATH GRTAGS GSYMS GTAGS
 GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
 	ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc

README.md

@@ -3,28 +3,13 @@ README for Mbed TLS
 
 Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems.
 
-Mbed TLS includes a reference implementation of the [PSA Cryptography API](#psa-cryptography-api). This is currently a preview for evaluation purposes only.
-
 Configuration
 -------------
 
-Mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Python 3 script `scripts/config.py` (use `--help` for usage instructions).
+Mbed TLS should build out of the box on most systems. Some platform specific options are available in the fully documented configuration file `include/mbedtls/config.h`, which is also the place where features can be selected. This file can be edited manually, or in a more programmatic way using the Perl script `scripts/config.pl` (use `--help` for usage instructions).
 
 Compiler options can be set using conventional environment variables such as `CC` and `CFLAGS` when using the Make and CMake build system (see below).
 
-We provide some non-standard configurations focused on specific use cases in the `configs/` directory. You can read more about those in `configs/README.txt`
-
-Documentation
--------------
-
-Documentation for the Mbed TLS interfaces in the default library configuration is available as part of the [Mbed TLS documentation](https://tls.mbed.org/api/).
-
-To generate a local copy of the library documentation in HTML format, tailored to your compile-time configuration:
-
-1. Make sure that [Doxygen](http://www.doxygen.nl/) is installed. We use version 1.8.11 but slightly older or more recent versions should work.
-1. Run `make apidoc`.
-1. Browse `apidoc/index.html` or `apidoc/modules.html`.
-
 Compiling
 ---------
 
@@ -32,21 +17,12 @@ There are currently three active build systems used within Mbed TLS releases:
 
 -   GNU Make
 -   CMake
--   Microsoft Visual Studio (Microsoft Visual Studio 2013 or later)
+-   Microsoft Visual Studio (Microsoft Visual Studio 2010 or later)
 
 The main systems used for development are CMake and GNU Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
 
 The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`. Also, when loading shared libraries using dlopen(), you'll need to load libmbedcrypto first, then libmbedx509, before you can load libmbedtls.
 
-### Tool versions
-
-You need the following tools to build the library with the provided makefiles:
-
-* GNU Make or a build tool that CMake supports.
-* A C99 toolchain (compiler, linker, archiver). We actively test with GCC 5.4, Clang 3.8, IAR8 and Visual Studio 2013. More recent versions should work. Slightly older versions may work.
-* Python 3 to generate the test code.
-* Perl to run the tests.
-
 ### Make
 
 We require GNU Make. To build the library and the sample programs, GNU Make and a C compiler are sufficient. Some of the more advanced build targets require some Unix/Linux tools.
@@ -73,7 +49,7 @@ In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if th
 
 Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved.
 
-Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -Wextra`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line.
+Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line.
 
 Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
 
@@ -85,11 +61,11 @@ In order to build the source using CMake in a separate directory (recommended),
 
     mkdir /path/to/build_dir && cd /path/to/build_dir
     cmake /path/to/mbedtls_source
-    cmake --build .
+    make
 
 In order to run the tests, enter:
 
-    ctest
+    make test
 
 The test suites need Python to be built and Perl to be executed. If you don't have one of these installed, you'll want to disable the test suites with:
 
@@ -155,12 +131,6 @@ Regarding variables, also note that if you set CFLAGS when invoking cmake,
 your value of CFLAGS doesn't override the content provided by cmake (depending
 on the build mode as seen above), it's merely prepended to it.
 
-#### Mbed TLS as a subproject
-
-Mbed TLS supports being built as a CMake subproject. One can
-use `add_subdirectory()` from a parent CMake project to include Mbed TLS as a
-subproject.
-
 ### Microsoft Visual Studio
 
 The build files for Microsoft Visual Studio are generated for Visual Studio 2010.
@@ -170,8 +140,7 @@ The solution file `mbedTLS.sln` contains all the basic projects needed to build
 Example programs
 ----------------
 
-We've included example programs for a lot of different features and uses in [`programs/`](programs/README.md).
-Please note that the goal of these sample programs is to demonstrate specific features of the library, and the code may need to be adapted to build a real-world application.
+We've included example programs for a lot of different features and uses in [`programs/`](programs/README.md). Most programs only focus on a single feature or usage scenario, so keep that in mind when copying parts of the code.
 
 Tests
 -----
@@ -186,6 +155,11 @@ For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, ad
 -   `tests/scripts/key-exchanges.pl` test builds in configurations with a single key exchange enabled
 -   `tests/scripts/all.sh` runs a combination of the above tests, plus some more, with various build options (such as ASan, full `config.h`, etc).
 
+Configurations
+--------------
+
+We provide some non-standard configurations focused on specific use cases in the `configs/` directory. You can read more about those in `configs/README.txt`
+
 Porting Mbed TLS
 ----------------
 
@@ -195,51 +169,10 @@ Mbed TLS can be ported to many different architectures, OS's and platforms. Befo
 -   [What external dependencies does Mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
 -   [How do I configure Mbed TLS](https://tls.mbed.org/kb/compiling-and-building/how-do-i-configure-mbedtls)
 
-PSA cryptography API
---------------------
-
-### PSA API design
-
-Arm's [Platform Security Architecture (PSA)](https://developer.arm.com/architectures/security-architectures/platform-security-architecture) is a holistic set of threat models, security analyses, hardware and firmware architecture specifications, and an open source firmware reference implementation. PSA provides a recipe, based on industry best practice, that allows security to be consistently designed in, at both a hardware and firmware level.
-
-The [PSA cryptography API](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) provides access to a set of cryptographic primitives. It has a dual purpose. First, it can be used in a PSA-compliant platform to build services, such as secure boot, secure storage and secure communication. Second, it can also be used independently of other PSA components on any platform.
-
-The design goals of the PSA cryptography API include:
-
-* The API distinguishes caller memory from internal memory, which allows the library to be implemented in an isolated space for additional security. Library calls can be implemented as direct function calls if isolation is not desired, and as remote procedure calls if isolation is desired.
-* The structure of internal data is hidden to the application, which allows substituting alternative implementations at build time or run time, for example, in order to take advantage of hardware accelerators.
-* All access to the keys happens through key identifiers, which allows support for external cryptoprocessors that is transparent to applications.
-* The interface to algorithms is generic, favoring algorithm agility.
-* The interface is designed to be easy to use and hard to accidentally misuse.
-
-Arm welcomes feedback on the design of the API. If you think something could be improved, please open an issue on our Github repository. Alternatively, if you prefer to provide your feedback privately, please email us at [`mbed-crypto@arm.com`](mailto:mbed-crypto@arm.com). All feedback received by email is treated confidentially.
-
-### PSA API documentation
-
-A browsable copy of the PSA Cryptography API documents is available on the [PSA cryptography interfaces documentation portal](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) in [PDF](https://armmbed.github.io/mbed-crypto/PSA_Cryptography_API_Specification.pdf) and [HTML](https://armmbed.github.io/mbed-crypto/html/index.html) formats.
-
-### PSA implementation in Mbed TLS
-
-Mbed TLS includes a reference implementation of the PSA Cryptography API.
-This implementation is not yet as mature as the rest of the library. Some parts of the code have not been reviewed as thoroughly, and some parts of the PSA implementation are not yet well optimized for code size.
-
-The X.509 and TLS code can use PSA cryptography for a limited subset of operations. To enable this support, activate the compilation option `MBEDTLS_USE_PSA_CRYPTO` in `config.h`.
-
-There are currently a few deviations where the library does not yet implement the latest version of the specification. Please refer to the [compliance issues on Github](https://github.com/ARMmbed/mbed-crypto/labels/compliance) for an up-to-date list.
-
-### Upcoming features
-
-Future releases of this library will include:
-
-* A driver programming interface, which makes it possible to use hardware accelerators instead of the default software implementation for chosen algorithms.
-* Support for external keys to be stored and manipulated exclusively in a separate cryptoprocessor.
-* A configuration mechanism to compile only the algorithms you need for your application.
-* A wider set of cryptographic algorithms.
-
 License
 -------
 
-Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license. Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 OR GPL-2.0-or-later licenses.
+Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. A copy of these licenses can be found in [apache-2.0.txt](./apache-2.0.txt) and [gpl-2.0.txt](./gpl-2.0.txt). Contributors must accept that their contributions are made under both the Apache-2.0 AND GPL-2.0-or-later licenses.
 
 Contributing
 ------------

apache-2.0.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

configs/config-ccm-psk-tls1_2.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 /*
  * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites

configs/config-mini-tls1_1.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 /*
  * Minimal configuration for TLS 1.1 (RFC 4346), implementing only the

configs/config-no-entropy.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 /*
  * Minimal configuration of features that do not require an entropy source
@@ -85,6 +112,6 @@
 /* Miscellaneous options */
 #define MBEDTLS_AES_ROM_TABLES
 
-#include "mbedtls/check_config.h"
+#include "check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */

configs/config-suite-b.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 /*
  * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)

configs/config-symmetric-only.h

@@ -1,99 +0,0 @@
-/**
- * \file config-symmetric-only.h
- *
- * \brief Configuration without any asymmetric cryptography.
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
-
-/* System support */
-//#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-#define MBEDTLS_HAVE_TIME_DATE
-
-/* Mbed Crypto feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_MODE_CFB
-#define MBEDTLS_CIPHER_MODE_CTR
-#define MBEDTLS_CIPHER_MODE_OFB
-#define MBEDTLS_CIPHER_MODE_XTS
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define MBEDTLS_CIPHER_PADDING_ZEROS
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_FS_IO
-#define MBEDTLS_ENTROPY_NV_SEED
-#define MBEDTLS_SELF_TEST
-#define MBEDTLS_USE_PSA_CRYPTO
-#define MBEDTLS_VERSION_FEATURES
-
-/* Mbed Crypto modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_ARC4_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BLOWFISH_C
-#define MBEDTLS_CAMELLIA_C
-#define MBEDTLS_ARIA_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CHACHA20_C
-#define MBEDTLS_CHACHAPOLY_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_CMAC_C
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_DES_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_GCM_C
-//#define MBEDTLS_HAVEGE_C
-#define MBEDTLS_HKDF_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_NIST_KW_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_MD2_C
-#define MBEDTLS_MD4_C
-#define MBEDTLS_MD5_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PEM_WRITE_C
-#define MBEDTLS_PKCS5_C
-#define MBEDTLS_PKCS12_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_POLY1305_C
-#define MBEDTLS_PSA_CRYPTO_C
-#define MBEDTLS_PSA_CRYPTO_SE_C
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-#define MBEDTLS_PSA_ITS_FILE_C
-#define MBEDTLS_RIPEMD160_C
-#define MBEDTLS_SHA1_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA512_C
-//#define MBEDTLS_THREADING_C
-#define MBEDTLS_TIMING_C
-#define MBEDTLS_VERSION_C
-#define MBEDTLS_XTEA_C
-
-#include "mbedtls/config_psa.h"
-
-#include "check_config.h"
-
-#endif /* MBEDTLS_CONFIG_H */

configs/config-thread.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /*

docs/.gitignore

@@ -1,3 +0,0 @@
-*.html
-*.pdf
-!PSACryptoDriverModelSpec.pdf

docs/architecture/Makefile

@@ -1,26 +0,0 @@
-PANDOC = pandoc
-
-default: all
-
-all_markdown = \
-	       mbed-crypto-storage-specification.md \
-	       testing/driver-interface-test-strategy.md \
-	       testing/invasive-testing.md \
-	       testing/test-framework.md \
-	       # This line is intentionally left blank
-
-html: $(all_markdown:.md=.html)
-pdf: $(all_markdown:.md=.pdf)
-all: html pdf
-
-.SUFFIXES:
-.SUFFIXES: .md .html .pdf
-
-.md.html:
-	$(PANDOC) -o $@ $<
-.md.pdf:
-	$(PANDOC) -o $@ $<
-
-clean:
-	rm -f *.html *.pdf
-	rm -f testing/*.html testing/*.pdf

docs/architecture/mbed-crypto-storage-specification.md

@@ -1,316 +0,0 @@
-Mbed Crypto storage specification
-=================================
-
-This document specifies how Mbed Crypto uses storage.
-
-Mbed Crypto may be upgraded on an existing device with the storage preserved. Therefore:
-
-1. Any change may break existing installations and may require an upgrade path.
-1. This document retains historical information about all past released versions. Do not remove information from this document unless it has always been incorrect or it is about a version that you are sure was never released.
-
-Mbed Crypto 0.1.0
------------------
-
-Tags: mbedcrypto-0.1.0b, mbedcrypto-0.1.0b2
-
-Released in November 2018. <br>
-Integrated in Mbed OS 5.11.
-
-Supported backends:
-
-* [PSA ITS](#file-namespace-on-its-for-0.1.0)
-* [C stdio](#file-namespace-on-stdio-for-0.1.0)
-
-Supported features:
-
-* [Persistent transparent keys](#key-file-format-for-0.1.0) designated by a [slot number](#key-names-for-0.1.0).
-* [Nonvolatile random seed](#nonvolatile-random-seed-file-format-for-0.1.0) on ITS only.
-
-This is a beta release, and we do not promise backward compatibility, with one exception:
-
-> On Mbed OS, if a device has a nonvolatile random seed file produced with Mbed OS 5.11.x and is upgraded to a later version of Mbed OS, the nonvolatile random seed file is preserved or upgraded.
-
-We do not make any promises regarding key storage, or regarding the nonvolatile random seed file on other platforms.
-
-### Key names for 0.1.0
-
-Information about each key is stored in a dedicated file whose name is constructed from the key identifier. The way in which the file name is constructed depends on the storage backend. The content of the file is described [below](#key-file-format-for-0.1.0).
-
-The valid values for a key identifier are the range from 1 to 0xfffeffff. This limitation on the range is not documented in user-facing documentation: according to the user-facing documentation, arbitrary 32-bit values are valid.
-
-The code uses the following constant in an internal header (note that despite the name, this value is actually one plus the maximum permitted value):
-
-    #define PSA_MAX_PERSISTENT_KEY_IDENTIFIER 0xffff0000
-
-There is a shared namespace for all callers.
-
-### Key file format for 0.1.0
-
-All integers are encoded in little-endian order in 8-bit bytes.
-
-The layout of a key file is:
-
-* magic (8 bytes): `"PSA\0KEY\0"`
-* version (4 bytes): 0
-* type (4 bytes): `psa_key_type_t` value
-* policy usage flags (4 bytes): `psa_key_usage_t` value
-* policy usage algorithm (4 bytes): `psa_algorithm_t` value
-* key material length (4 bytes)
-* key material: output of `psa_export_key`
-* Any trailing data is rejected on load.
-
-### Nonvolatile random seed file format for 0.1.0
-
-The nonvolatile random seed file contains a seed for the random generator. If present, it is rewritten at each boot as part of the random generator initialization.
-
-The file format is just the seed as a byte string with no metadata or encoding of any kind.
-
-### File namespace on ITS for 0.1.0
-
-Assumption: ITS provides a 32-bit file identifier namespace. The Crypto service can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
-
-* File 0: unused.
-* Files 1 through 0xfffeffff: [content](#key-file-format-for-0.1.0) of the [key whose identifier is the file identifier](#key-names-for-0.1.0).
-* File 0xffffff52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`): [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-0.1.0).
-* Files 0xffff0000 through 0xffffff51, 0xffffff53 through 0xffffffff: unused.
-
-### File namespace on stdio for 0.1.0
-
-Assumption: C stdio, allowing names containing lowercase letters, digits and underscores, of length up to 23.
-
-An undocumented build-time configuration value `CRYPTO_STORAGE_FILE_LOCATION` allows storing the key files in a directory other than the current directory. This value is simply prepended to the file name (so it must end with a directory separator to put the keys in a different directory).
-
-* `CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_0"`: used as a temporary file. Must be writable. May be overwritten or deleted if present.
-* `sprintf(CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_%lu", key_id)` [content](#key-file-format-for-0.1.0) of the [key whose identifier](#key-names-for-0.1.0) is `key_id`.
-* Other files: unused.
-
-Mbed Crypto 1.0.0
------------------
-
-Tags: mbedcrypto-1.0.0d4, mbedcrypto-1.0.0
-
-Released in February 2019. <br>
-Integrated in Mbed OS 5.12.
-
-Supported integrations:
-
-* [PSA platform](#file-namespace-on-a-psa-platform-for-1.0.0)
-* [library using PSA ITS](#file-namespace-on-its-as-a-library-for-1.0.0)
-* [library using C stdio](#file-namespace-on-stdio-for-1.0.0)
-
-Supported features:
-
-* [Persistent transparent keys](#key-file-format-for-1.0.0) designated by a [key identifier and owner](#key-names-for-1.0.0).
-* [Nonvolatile random seed](#nonvolatile-random-seed-file-format-for-1.0.0) on ITS only.
-
-Backward compatibility commitments: TBD
-
-### Key names for 1.0.0
-
-Information about each key is stored in a dedicated file designated by the key identifier. In integrations where there is no concept of key owner (in particular, in library integrations), the key identifier is exactly the key identifier as defined in the PSA Cryptography API specification (`psa_key_id_t`). In integrations where there is a concept of key owner (integration into a service for example), the key identifier is made of an owner identifier (its semantics and type are integration specific) and of the key identifier (`psa_key_id_t`) from the key owner point of view.
-
-The way in which the file name is constructed from the key identifier depends on the storage backend. The content of the file is described [below](#key-file-format-for-1.0.0).
-
-* Library integration: the key file name is just the key identifier as defined in the PSA crypto specification. This is a 32-bit value.
-* PSA service integration: the key file name is `(uint32_t)owner_uid << 32 | key_id` where `key_id` is the key identifier from the owner point of view and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value.
-
-### Key file format for 1.0.0
-
-The layout is identical to [0.1.0](#key-file-format-for-0.1.0) so far. However note that the encoding of key types, algorithms and key material has changed, therefore the storage format is not compatible (despite using the same value in the version field so far).
-
-### Nonvolatile random seed file format for 1.0.0
-
-[Identical to 0.1.0](#nonvolatile-random-seed-file-format-for-0.1.0).
-
-### File namespace on a PSA platform for 1.0.0
-
-Assumption: ITS provides a 64-bit file identifier namespace. The Crypto service can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
-
-Assumption: the owner identifier is a nonzero value of type `int32_t`.
-
-* Files 0 through 0xffffff51, 0xffffff53 through 0xffffffff: unused, reserved for internal use of the crypto library or crypto service.
-* File 0xffffff52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`): [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-0.1.0).
-* Files 0x100000000 through 0xffffffffffff: [content](#key-file-format-for-1.0.0) of the [key whose identifier is the file identifier](#key-names-for-1.0.0). The upper 32 bits determine the owner.
-
-### File namespace on ITS as a library for 1.0.0
-
-Assumption: ITS provides a 64-bit file identifier namespace. The entity using the crypto library can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
-
-This is a library integration, so there is no owner. The key file identifier is identical to the key identifier.
-
-* File 0: unused.
-* Files 1 through 0xfffeffff: [content](#key-file-format-for-1.0.0) of the [key whose identifier is the file identifier](#key-names-for-1.0.0).
-* File 0xffffff52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`): [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-1.0.0).
-* Files 0xffff0000 through 0xffffff51, 0xffffff53 through 0xffffffff, 0x100000000 through 0xffffffffffffffff: unused.
-
-### File namespace on stdio for 1.0.0
-
-This is a library integration, so there is no owner. The key file identifier is identical to the key identifier.
-
-[Identical to 0.1.0](#file-namespace-on-stdio-for-0.1.0).
-
-### Upgrade from 0.1.0 to 1.0.0.
-
-* Delete files 1 through 0xfffeffff, which contain keys in a format that is no longer supported.
-
-### Suggested changes to make before 1.0.0
-
-The library integration and the PSA platform integration use different sets of file names. This is annoyingly non-uniform. For example, if we want to store non-key files, we have room in different ranges (0 through 0xffffffff on a PSA platform, 0xffff0000 through 0xffffffffffffffff in a library integration).
-
-It would simplify things to always have a 32-bit owner, with a nonzero value, and thus reserve the range 0–0xffffffff for internal library use.
-
-Mbed Crypto 1.1.0
------------------
-
-Tags: mbedcrypto-1.1.0
-
-Released in early June 2019. <br>
-Integrated in Mbed OS 5.13.
-
-Identical to [1.0.0](#mbed-crypto-1.0.0) except for some changes in the key file format.
-
-### Key file format for 1.1.0
-
-The key file format is identical to [1.0.0](#key-file-format-for-1.0.0), except for the following changes:
-
-* A new policy field, marked as [NEW:1.1.0] below.
-* The encoding of key types, algorithms and key material has changed, therefore the storage format is not compatible (despite using the same value in the version field so far).
-
-A self-contained description of the file layout follows.
-
-All integers are encoded in little-endian order in 8-bit bytes.
-
-The layout of a key file is:
-
-* magic (8 bytes): `"PSA\0KEY\0"`
-* version (4 bytes): 0
-* type (4 bytes): `psa_key_type_t` value
-* policy usage flags (4 bytes): `psa_key_usage_t` value
-* policy usage algorithm (4 bytes): `psa_algorithm_t` value
-* policy enrollment algorithm (4 bytes): `psa_algorithm_t` value [NEW:1.1.0]
-* key material length (4 bytes)
-* key material: output of `psa_export_key`
-* Any trailing data is rejected on load.
-
-Mbed Crypto TBD
----------------
-
-Tags: TBD
-
-Released in TBD 2019. <br>
-Integrated in Mbed OS TBD.
-
-### Changes introduced in TBD
-
-* The layout of a key file now has a lifetime field before the type field.
-* Key files can store references to keys in a secure element. In such key files, the key material contains the slot number.
-
-### File namespace on a PSA platform on TBD
-
-Assumption: ITS provides a 64-bit file identifier namespace. The Crypto service can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
-
-Assumption: the owner identifier is a nonzero value of type `int32_t`.
-
-* Files 0 through 0xfffeffff: unused.
-* Files 0xffff0000 through 0xffffffff: reserved for internal use of the crypto library or crypto service. See [non-key files](#non-key-files-on-tbd).
-* Files 0x100000000 through 0xffffffffffff: [content](#key-file-format-for-1.0.0) of the [key whose identifier is the file identifier](#key-names-for-1.0.0). The upper 32 bits determine the owner.
-
-### File namespace on ITS as a library on TBD
-
-Assumption: ITS provides a 64-bit file identifier namespace. The entity using the crypto library can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
-
-This is a library integration, so there is no owner. The key file identifier is identical to the key identifier.
-
-* File 0: unused.
-* Files 1 through 0xfffeffff: [content](#key-file-format-for-1.0.0) of the [key whose identifier is the file identifier](#key-names-for-1.0.0).
-* Files 0xffff0000 through 0xffffffff: reserved for internal use of the crypto library or crypto service. See [non-key files](#non-key-files-on-tbd).
-* Files 0x100000000 through 0xffffffffffffffff: unused.
-
-### Non-key files on TBD
-
-File identifiers in the range 0xffff0000 through 0xffffffff are reserved for internal use in Mbed Crypto.
-
-* Files 0xfffffe02 through 0xfffffeff (`PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + lifetime`): secure element driver storage. The content of the file is the secure element driver's persistent data.
-* File 0xffffff52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`): [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-1.0.0).
-* File 0xffffff54 (`PSA_CRYPTO_ITS_TRANSACTION_UID`): [transaction file](#transaction-file-format-for-tbd).
-* Other files are unused and reserved for future use.
-
-### Key file format for TBD
-
-All integers are encoded in little-endian order in 8-bit bytes except where otherwise indicated.
-
-The layout of a key file is:
-
-* magic (8 bytes): `"PSA\0KEY\0"`.
-* version (4 bytes): 0.
-* lifetime (4 bytes): `psa_key_lifetime_t` value.
-* type (4 bytes): `psa_key_type_t` value.
-* policy usage flags (4 bytes): `psa_key_usage_t` value.
-* policy usage algorithm (4 bytes): `psa_algorithm_t` value.
-* policy enrollment algorithm (4 bytes): `psa_algorithm_t` value.
-* key material length (4 bytes).
-* key material:
-    * For a transparent key: output of `psa_export_key`.
-    * For an opaque key (unified driver interface): driver-specific opaque key blob.
-    * For an opaque key (key in a secure element): slot number (8 bytes), in platform endianness.
-* Any trailing data is rejected on load.
-
-### Transaction file format for TBD
-
-The transaction file contains data about an ongoing action that cannot be completed atomically. It exists only if there is an ongoing transaction.
-
-All integers are encoded in platform endianness.
-
-All currently existing transactions concern a key in a secure element.
-
-The layout of a transaction file is:
-
-* type (2 bytes): the [transaction type](#transaction-types-on-tbd).
-* unused (2 bytes)
-* lifetime (4 bytes): `psa_key_lifetime_t` value that corresponds to a key in a secure element.
-* slot number (8 bytes): `psa_key_slot_number_t` value. This is the unique designation of the key for the secure element driver.
-* key identifier (4 bytes in a library integration, 8 bytes on a PSA platform): the internal representation of the key identifier. On a PSA platform, this encodes the key owner in the same way as [in file identifiers for key files](#file-namespace-on-a-psa-platform-on-tbd)).
-
-#### Transaction types on TBD
-
-* 0x0001: key creation. The following locations may or may not contain data about the key that is being created:
-    * The slot in the secure element designated by the slot number.
-    * The file containing the key metadata designated by the key identifier.
-    * The driver persistent data.
-* 0x0002: key destruction. The following locations may or may not still contain data about the key that is being destroyed:
-    * The slot in the secure element designated by the slot number.
-    * The file containing the key metadata designated by the key identifier.
-    * The driver persistent data.
-
-Mbed Crypto TBD
----------------
-
-Tags: TBD
-
-Released in TBD 2020. <br>
-Integrated in Mbed OS TBD.
-
-### Changes introduced in TBD
-
-* The type field has been split into a type and a bits field of 2 bytes each.
-
-### Key file format for TBD
-
-All integers are encoded in little-endian order in 8-bit bytes except where otherwise indicated.
-
-The layout of a key file is:
-
-* magic (8 bytes): `"PSA\0KEY\0"`.
-* version (4 bytes): 0.
-* lifetime (4 bytes): `psa_key_lifetime_t` value.
-* type (2 bytes): `psa_key_type_t` value.
-* bits (2 bytes): `psa_key_bits_t` value.
-* policy usage flags (4 bytes): `psa_key_usage_t` value.
-* policy usage algorithm (4 bytes): `psa_algorithm_t` value.
-* policy enrollment algorithm (4 bytes): `psa_algorithm_t` value.
-* key material length (4 bytes).
-* key material:
-    * For a transparent key: output of `psa_export_key`.
-    * For an opaque key (unified driver interface): driver-specific opaque key blob.
-    * For an opaque key (key in a secure element): slot number (8 bytes), in platform endianness.
-* Any trailing data is rejected on load.

docs/architecture/testing/driver-interface-test-strategy.md

@@ -1,115 +0,0 @@
-# Mbed Crypto driver interface test strategy
-
-This document describes the test strategy for the driver interfaces in Mbed Crypto. Mbed Crypto has interfaces for secure element drivers, accelerator drivers and entropy drivers. This document is about testing Mbed Crypto itself; testing drivers is out of scope.
-
-The driver interfaces are standardized through PSA Cryptography functional specifications.
-
-## Secure element driver interface
-
-The secure element driver interface (SE interface for short) is defined by [`psa/crypto_se_driver.h`](../../../include/psa/crypto_se_driver.h). This is an interface between Mbed Crypto and one or more third-party drivers.
-
-The SE interface consists of one function provided by Mbed Crypto (`psa_register_se_driver`) and many functions that drivers must implement. To make a driver usable by Mbed Crypto, the initialization code must call `psa_register_se_driver` with a structure that describes the driver. The structure mostly contains function pointers, pointing to the driver's methods. All calls to a driver function are triggered by a call to a PSA crypto API function.
-
-### SE driver interface unit tests
-
-This section describes unit tests that must be implemented to validate the secure element driver interface. Note that a test case may cover multiple requirements; for example a “good case” test can validate that the proper function is called, that it receives the expected inputs and that it produces the expected outputs.
-
-Many SE driver interface unit tests could be covered by running the existing API tests with a key in a secure element.
-
-#### SE driver registration
-
-* Test `psa_register_se_driver` with valid and with invalid arguments.
-* Make at least one failing call to `psa_register_se_driver` followed by a successful call.
-* Make at least one test that successfully registers the maximum number of drivers and fails to register one more.
-
-#### Dispatch to SE driver
-
-For each API function that can lead to a driver call (more precisely, for each driver method call site, but this is practically equivalent):
-
-* Make at least one test with a key in a secure element that checks that the driver method is called. A few API functions involve multiple driver methods; these should validate that all the expected driver methods are called.
-* Make at least one test with a key that is not in a secure element that checks that the driver method is not called.
-* Make at least one test with a key in a secure element with a driver that does not have the requisite method (i.e. the method pointer is `NULL`) but has the substructure containing that method, and check that the return value is `PSA_ERROR_NOT_SUPPORTED`.
-* Make at least one test with a key in a secure element with a driver that does not have the substructure containing that method (i.e. the pointer to the substructure is `NULL`), and check that the return value is `PSA_ERROR_NOT_SUPPORTED`.
-* At least one test should register multiple drivers with a key in each driver and check that the expected driver is called. This does not need to be done for all operations (use a white-box approach to determine if operations may use different code paths to choose the driver).
-* At least one test should register the same driver structure with multiple lifetime values and check that the driver receives the expected lifetime value.
-
-Some methods only make sense as a group (for example a driver that provides the MAC methods must provide all or none). In those cases, test with all of them null and none of them null.
-
-#### SE driver inputs
-
-For each API function that can lead to a driver call (more precisely, for each driver method call site, but this is practically equivalent):
-
-* Wherever the specification guarantees parameters that satisfy certain preconditions, check these preconditions whenever practical.
-* If the API function can take parameters that are invalid and must not reach the driver, call the API function with such parameters and verify that the driver method is not called.
-* Check that the expected inputs reach the driver. This may be implicit in a test that checks the outputs if the only realistic way to obtain the correct outputs is to start from the expected inputs (as is often the case for cryptographic material, but not for metadata).
-
-#### SE driver outputs
-
-For each API function that leads to a driver call, call it with parameters that cause a driver to be invoked and check how Mbed Crypto handles the outputs.
-
-* Correct outputs.
-* Incorrect outputs such as an invalid output length.
-* Expected errors (e.g. `PSA_ERROR_INVALID_SIGNATURE` from a signature verification method).
-* Unexpected errors. At least test that if the driver returns `PSA_ERROR_GENERIC_ERROR`, this is propagated correctly.
-
-Key creation functions invoke multiple methods and need more complex error handling:
-
-* Check the consequence of errors detected at each stage (slot number allocation or validation, key creation method, storage accesses).
-* Check that the storage ends up in the expected state. At least make sure that no intermediate file remains after a failure.
-
-#### Persistence of SE keys
-
-The following tests must be performed at least one for each key creation method (import, generate, ...).
-
-* Test that keys in a secure element survive `psa_close_key(); psa_open_key()`.
-* Test that keys in a secure element survive `mbedtls_psa_crypto_free(); psa_crypto_init()`.
-* Test that the driver's persistent data survives `mbedtls_psa_crypto_free(); psa_crypto_init()`.
-* Test that `psa_destroy_key()` does not leave any trace of the key.
-
-#### Resilience for SE drivers
-
-Creating or removing a key in a secure element involves multiple storage modifications (M<sub>1</sub>, ..., M<sub>n</sub>). If the operation is interrupted by a reset at any point, it must be either rolled back or completed.
-
-* For each potential interruption point (before M<sub>1</sub>, between M<sub>1</sub> and M<sub>2</sub>, ..., after M<sub>n</sub>), call `mbedtls_psa_crypto_free(); psa_crypto_init()` at that point and check that this either rolls back or completes the operation that was started.
-* This must be done for each key creation method and for key destruction.
-* This must be done for each possible flow, including error cases (e.g. a key creation that fails midway due to `OUT_OF_MEMORY`).
-* The recovery during `psa_crypto_init` can itself be interrupted. Test those interruptions too.
-* Two things need to be tested: the key that is being created or destroyed, and the driver's persistent storage.
-* Check both that the storage has the expected content (this can be done by e.g. using a key that is supposed to be present) and does not have any unexpected content (for keys, this can be done by checking that `psa_open_key` fails with `PSA_ERRROR_DOES_NOT_EXIST`).
-
-This requires instrumenting the storage implementation, either to force it to fail at each point or to record successive storage states and replay each of them. Each `psa_its_xxx` function call is assumed to be atomic.
-
-### SE driver system tests
-
-#### Real-world use case
-
-We must have at least one driver that is close to real-world conditions:
-
-* With its own source tree.
-* Running on actual hardware.
-* Run the full driver validation test suite (which does not yet exist).
-* Run at least one test application (e.g. the Mbed OS TLS example).
-
-This requirement shall be fulfilled by the [Microchip ATECC508A driver](https://github.com/ARMmbed/mbed-os-atecc608a/).
-
-#### Complete driver
-
-We should have at least one driver that covers the whole interface:
-
-* With its own source tree.
-* Implementing all the methods.
-* Run the full driver validation test suite (which does not yet exist).
-
-A PKCS#11 driver would be a good candidate. It would be useful as part of our product offering.
-
-## Accelerator driver interface
-
-The accelerator driver interface is defined by [`psa/crypto_accel_driver.h`](../../../include/psa/crypto_accel_driver.h).
-
-TODO
-
-## Entropy driver interface
-
-The entropy driver interface is defined by [`psa/crypto_entropy_driver.h`](../../../include/psa/crypto_entropy_driver.h).
-
-TODO

docs/architecture/testing/invasive-testing.md

@@ -1,367 +0,0 @@
-# Mbed TLS invasive testing strategy
-
-## Introduction
-
-In Mbed TLS, we use black-box testing as much as possible: test the documented behavior of the product, in a realistic environment. However this is not always sufficient.
-
-The goal of this document is to identify areas where black-box testing is insufficient and to propose solutions.
-
-This is a test strategy document, not a test plan. A description of exactly what is tested is out of scope.
-
-This document is structured as follows:
-
-* [“Rules”](#rules) gives general rules and is written for brevity.
-* [“Requirements”](#requirements) explores the reasons why invasive testing is needed and how it should be done.
-* [“Possible approaches”](#possible-approaches) discusses some general methods for non-black-box testing.
-* [“Solutions”](#solutions) explains how we currently solve, or intend to solve, specific problems.
-
-### TLS
-
-This document currently focuses on data structure manipulation and storage, which is what the crypto/keystore and X.509 parts of the library are about. More work is needed to fully take TLS into account.
-
-## Rules
-
-Always follow these rules unless you have a good reason not to. If you deviate, document the rationale somewhere.
-
-See the section [“Possible approaches”](#possible-approaches) for a rationale.
-
-### Interface design for testing
-
-Do not add test-specific interfaces if there's a practical way of doing it another way. All public interfaces should be useful in at least some configurations. Features with a significant impact on the code size or attack surface should have a compile-time guard.
-
-### Reliance on internal details
-
-In unit tests and in test programs, it's ok to include header files from `library/`. Do not define non-public interfaces in public headers (`include/mbedtls` has `*_internal.h` headers for legacy reasons, but this approach is deprecated). In contrast, sample programs must not include header files from `library/`.
-
-Sometimes it makes sense to have unit tests on functions that aren't part of the public API. Declare such functions in `library/*.h` and include the corresponding header in the test code. If the function should be `static` for optimization but can't be `static` for testing, declare it as `MBEDTLS_STATIC_TESTABLE`, and make the tests that use it depend on `MBEDTLS_TEST_HOOKS` (see [“rules for compile-time options”](#rules-for-compile-time-options)).
-
-If test code or test data depends on internal details of the library and not just on its documented behavior, add a comment in the code that explains the dependency. For example:
-
-> ```
-> /* This test file is specific to the ITS implementation in PSA Crypto
->  * on top of stdio. It expects to know what the stdio name of a file is
->  * based on its keystore name.
->  */
-> ```
-
-> ```
-> # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes
-> # and not expected to be raised any time soon) is less than the maximum
-> # output from HKDF-SHA512 (255*64 = 16320 bytes).
-> ```
-
-### Rules for compile-time options
-
-If the most practical way to test something is to add code to the product that is only useful for testing, do so, but obey the following rules. For more information, see the [rationale](#guidelines-for-compile-time-options).
-
-* **Only use test-specific code when necessary.** Anything that can be tested through the documented API must be tested through the documented API.
-* **Test-specific code must be guarded by `#if defined(MBEDTLS_TEST_HOOKS)`**. Do not create fine-grained guards for test-specific code.
-* **Do not use `MBEDTLS_TEST_HOOKS` for security checks or assertions.** Security checks belong in the product.
-* **Merely defining `MBEDTLS_TEST_HOOKS` must not change the behavior**. It may define extra functions. It may add fields to structures, but if so, make it very clear that these fields have no impact on non-test-specific fields.
-* **Where tests must be able to change the behavior, do it by function substitution.** See [“rules for function substitution”](#rules-for-function-substitution) for more details.
-
-#### Rules for function substitution
-
-This section explains how to replace a library function `mbedtls_foo()` by alternative code for test purposes. That is, library code calls `mbedtls_foo()`, and there is a mechanism to arrange for these calls to invoke different code.
-
-Often `mbedtls_foo` is a macro which is defined to be a system function (like `mbedtls_calloc` or `mbedtls_fopen`), which we replace to mock or wrap the system function. This is useful to simulate I/O failure, for example. Note that if the macro can be replaced at compile time to support alternative platforms, the test code should be compatible with this compile-time configuration so that it works on these alternative platforms as well.
-
-Sometimes the substitutable function is a `static inline` function that does nothing (not a macro, to avoid accidentally skipping side effects in its parameters), to provide a hook for test code; such functions should have a name that starts with the prefix `mbedtls_test_hook_`. In such cases, the function should generally not modify its parameters, so any pointer argument should be const. The function should return void.
-
-With `MBEDTLS_TEST_HOOKS` set, `mbedtls_foo` is a global variable of function pointer type. This global variable is initialized to the system function, or to a function that does nothing. The global variable is defined in a header in the `library` directory such as `psa_crypto_invasive.h`. This is similar to the platform function configuration mechanism with `MBEDTLS_PLATFORM_xxx_ALT`.
-
-In unit test code that needs to modify the internal behavior:
-
-* The test function (or the whole test file) must depend on `MBEDTLS_TEST_HOOKS`.
-* At the beginning of the test function, set the global function pointers to the desired value.
-* In the test function's cleanup code, restore the global function pointers to their default value.
-
-## Requirements
-
-### General goals
-
-We need to balance the following goals, which are sometimes contradictory.
-
-* Coverage: we need to test behaviors which are not easy to trigger by using the API or which cannot be triggered deterministically, for example I/O failures.
-* Correctness: we want to test the actual product, not a modified version, since conclusions drawn from a test of a modified product may not apply to the real product.
-* Effacement: the product should not include features that are solely present for test purposes, since these increase the attack surface and the code size.
-* Portability: tests should work on every platform. Skipping tests on certain platforms may hide errors that are only apparent on such platforms.
-* Maintainability: tests should only enforce the documented behavior of the product, to avoid extra work when the product's internal or implementation-specific behavior changes. We should also not give the impression that whatever the tests check is guaranteed behavior of the product which cannot change in future versions.
-
-Where those goals conflict, we should at least mitigate the goals that cannot be fulfilled, and document the architectural choices and their rationale.
-
-### Problem areas
-
-#### Allocation
-
-Resource allocation can fail, but rarely does so in a typical test environment. How does the product cope if some allocations fail?
-
-Resources include:
-
-* Memory.
-* Files in storage (PSA API only — in the Mbed TLS API, black-box unit tests are sufficient).
-* Key slots (PSA API only).
-* Key slots in a secure element (PSA SE HAL).
-* Communication handles (PSA crypto service only).
-
-#### Storage
-
-Storage can fail, either due to hardware errors or to active attacks on trusted storage. How does the code cope if some storage accesses fail?
-
-We also need to test resilience: if the system is reset during an operation, does it restart in a correct state?
-
-#### Cleanup
-
-When code should clean up resources, how do we know that they have truly been cleaned up?
-
-* Zeroization of confidential data after use.
-* Freeing memory.
-* Freeing key slots.
-* Freeing key slots in a secure element.
-* Deleting files in storage (PSA API only).
-
-#### Internal data
-
-Sometimes it is useful to peek or poke internal data.
-
-* Check consistency of internal data (e.g. output of key generation).
-* Check the format of files (which matters so that the product can still read old files after an upgrade).
-* Inject faults and test corruption checks inside the product.
-
-## Possible approaches
-
-Key to requirement tables:
-
-* ++ requirement is fully met
-* \+ requirement is mostly met
-* ~ requirement is partially met but there are limitations
-* ! requirement is somewhat problematic
-* !! requirement is very problematic
-
-### Fine-grained public interfaces
-
-We can include all the features we want to test in the public interface. Then the tests can be truly black-box. The limitation of this approach is that this requires adding a lot of interfaces that are not useful in production. These interfaces have costs: they increase the code size, the attack surface, and the testing burden (exponentially, because we need to test all these interfaces in combination).
-
-As a rule, we do not add public interfaces solely for testing purposes. We only add public interfaces if they are also useful in production, at least sometimes. For example, the main purpose of `mbedtls_psa_crypto_free` is to clean up all resources in tests, but this is also useful in production in some applications that only want to use PSA Crypto during part of their lifetime.
-
-Mbed TLS traditionally has very fine-grained public interfaces, with many platform functions that can be substituted (`MBEDTLS_PLATFORM_xxx` macros). PSA Crypto has more opacity and less platform substitution macros.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ~ Many useful tests are not reasonably achievable |
-| Correctness | ++ Ideal |
-| Effacement | !! Requires adding many otherwise-useless interfaces |
-| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
-| Maintainability | !! Combinatorial explosion on the testing burden |
-|                 | ! Public interfaces must remain for backward compatibility even if the test architecture changes |
-
-### Fine-grained undocumented interfaces
-
-We can include all the features we want to test in undocumented interfaces. Undocumented interfaces are described in public headers for the sake of the C compiler, but are described as “do not use” in comments (or not described at all) and are not included in Doxygen-rendered documentation. This mitigates some of the downsides of [fine-grained public interfaces](#fine-grained-public-interfaces), but not all. In particular, the extra interfaces do increase the code size, the attack surface and the test surface.
-
-Mbed TLS traditionally has a few internal interfaces, mostly intended for cross-module abstraction leakage rather than for testing. For the PSA API, we favor [internal interfaces](#internal-interfaces).
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ~ Many useful tests are not reasonably achievable |
-| Correctness | ++ Ideal |
-| Effacement | !! Requires adding many otherwise-useless interfaces |
-| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
-| Maintainability | ! Combinatorial explosion on the testing burden |
-
-### Internal interfaces
-
-We can write tests that call internal functions that are not exposed in the public interfaces. This is nice when it works, because it lets us test the unchanged product without compromising the design of the public interface.
-
-A limitation is that these interfaces must exist in the first place. If they don't, this has mostly the same downside as public interfaces: the extra interfaces increase the code size and the attack surface for no direct benefit to the product.
-
-Another limitation is that internal interfaces need to be used correctly. We may accidentally rely on internal details in the tests that are not necessarily always true (for example that are platform-specific). We may accidentally use these internal interfaces in ways that don't correspond to the actual product.
-
-This approach is mostly portable since it only relies on C interfaces. A limitation is that the test-only interfaces must not be hidden at link time (but link-time hiding is not something we currently do). Another limitation is that this approach does not work for users who patch the library by replacing some modules; this is a secondary concern since we do not officially offer this as a feature.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ~ Many useful tests require additional internal interfaces |
-| Correctness | + Does not require a product change |
-|             | ~ The tests may call internal functions in a way that does not reflect actual usage inside the product |
-| Effacement | ++ Fine as long as the internal interfaces aren't added solely for test purposes |
-| Portability | + Fine as long as we control how the tests are linked |
-|             | ~ Doesn't work if the users rewrite an internal module |
-| Maintainability | + Tests interfaces that are documented; dependencies in the tests are easily noticed when changing these interfaces |
-
-### Static analysis
-
-If we guarantee certain properties through static analysis, we don't need to test them. This puts some constraints on the properties:
-
-* We need to have confidence in the specification (but we can gain this confidence by evaluating the specification on test data).
-* This does not work for platform-dependent properties unless we have a formal model of the platform.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ~ Good for platform-independent properties, if we can guarantee them statically |
-| Correctness | + Good as long as we have confidence in the specification |
-| Effacement | ++ Zero impact on the code |
-| Portability | ++ Zero runtime burden |
-| Maintainability | ~ Static analysis is hard, but it's also helpful |
-
-### Compile-time options
-
-If there's code that we want to have in the product for testing, but not in production, we can add a compile-time option to enable it. This is very powerful and usually easy to use, but comes with a major downside: we aren't testing the same code anymore.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ++ Most things can be tested that way |
-| Correctness | ! Difficult to ensure that what we test is what we run |
-| Effacement | ++ No impact on the product when built normally or on the documentation, if done right |
-|             | ! Risk of getting “no impact” wrong |
-| Portability | ++ It's just C code so it works everywhere |
-|             | ~ Doesn't work if the users rewrite an internal module |
-| Maintainability | + Test interfaces impact the product source code, but at least they're clearly marked as such in the code |
-
-#### Guidelines for compile-time options
-
-* **Minimize the number of compile-time options.**<br>
-  Either we're testing or we're not. Fine-grained options for testing would require more test builds, especially if combinatorics enters the play.
-* **Merely enabling the compile-time option should not change the behavior.**<br>
-  When building in test mode, the code should have exactly the same behavior. Changing the behavior should require some action at runtime (calling a function or changing a variable).
-* **Minimize the impact on code**.<br>
-  We should not have test-specific conditional compilation littered through the code, as that makes the code hard to read.
-
-### Runtime instrumentation
-
-Some properties can be tested through runtime instrumentation: have the compiler or a similar tool inject something into the binary.
-
-* Sanitizers check for certain bad usage patterns (ASan, MSan, UBSan, Valgrind).
-* We can inject external libraries at link time. This can be a way to make system functions fail.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ! Limited scope |
-| Correctness | + Instrumentation generally does not affect the program's functional behavior |
-| Effacement | ++ Zero impact on the code |
-| Portability | ~ Depends on the method |
-| Maintainability | ~ Depending on the instrumentation, this may require additional builds and scripts |
-|                 | + Many properties come for free, but some require effort (e.g. the test code itself must be leak-free to avoid false positives in a leak detector) |
-
-### Debugger-based testing
-
-If we want to do something in a test that the product isn't capable of doing, we can use a debugger to read or modify the memory, or hook into the code at arbitrary points.
-
-This is a very powerful approach, but it comes with limitations:
-
-* The debugger may introduce behavior changes (e.g. timing). If we modify data structures in memory, we may do so in a way that the code doesn't expect.
-* Due to compiler optimizations, the memory may not have the layout that we expect.
-* Writing reliable debugger scripts is hard. We need to have confidence that we're testing what we mean to test, even in the face of compiler optimizations. Languages such as gdb make it hard to automate even relatively simple things such as finding the place(s) in the binary corresponding to some place in the source code.
-* Debugger scripts are very much non-portable.
-
-| Requirement | Analysis |
-| ----------- | -------- |
-| Coverage | ++ The sky is the limit |
-| Correctness | ++ The code is unmodified, and tested as compiled (so we even detect compiler-induced bugs) |
-|             | ! Compiler optimizations may hinder |
-|             | ~ Modifying the execution may introduce divergence |
-| Effacement | ++ Zero impact on the code |
-| Portability | !! Not all environments have a debugger, and even if they do, we'd need completely different scripts for every debugger |
-| Maintainability | ! Writing reliable debugger scripts is hard |
-|                 | !! Very tight coupling with the details of the source code and even with the compiler |
-
-## Solutions
-
-This section lists some strategies that are currently used for invasive testing, or planned to be used. This list is not intended to be exhaustive.
-
-### Memory management
-
-#### Zeroization testing
-
-Goal: test that `mbedtls_platform_zeroize` does wipe the memory buffer.
-
-Solution ([debugger](#debugger-based-testing)): implemented in `tests/scripts/test_zeroize.gdb`.
-
-Rationale: this cannot be tested by adding C code, because the danger is that the compiler optimizes the zeroization away, and any C code that observes the zeroization would cause the compiler not to optimize it away.
-
-#### Memory cleanup
-
-Goal: test the absence of memory leaks.
-
-Solution ([instrumentation](#runtime-instrumentation)): run tests with ASan. (We also use Valgrind, but it's slower than ASan, so we favor ASan.)
-
-Since we run many test jobs with a memory leak detector, each test function or test program must clean up after itself. Use the cleanup code (after the `exit` label in test functions) to free any memory that the function may have allocated.
-
-#### Robustness against memory allocation failure
-
-Solution: TODO. We don't test this at all at this point.
-
-#### PSA key store memory cleanup
-
-Goal: test the absence of resource leaks in the PSA key store code, in particular that `psa_close_key` and `psa_destroy_key` work correctly.
-
-Solution ([internal interface](#internal-interfaces)): in most tests involving PSA functions, the cleanup code explicitly calls `PSA_DONE()` instead of `mbedtls_psa_crypto_free()`. `PSA_DONE` fails the test if the key store in memory is not empty.
-
-Note there must also be tests that call `mbedtls_psa_crypto_free` with keys still open, to verify that it does close all keys.
-
-`PSA_DONE` is a macro defined in `psa_crypto_helpers.h` which uses `mbedtls_psa_get_stats()` to get information about the keystore content before calling `mbedtls_psa_crypto_free()`. This feature is mostly but not exclusively useful for testing, and may be moved under `MBEDTLS_TEST_HOOKS`.
-
-### PSA storage
-
-#### PSA storage cleanup on success
-
-Goal: test that no stray files are left over in the key store after a test that succeeded.
-
-Solution: TODO. Currently the various test suites do it differently.
-
-#### PSA storage cleanup on failure
-
-Goal: ensure that no stray files are left over in the key store even if a test has failed (as that could cause other tests to fail).
-
-Solution: TODO. Currently the various test suites do it differently.
-
-#### PSA storage resilience
-
-Goal: test the resilience of PSA storage against power failures.
-
-Solution: TODO.
-
-See the [secure element driver interface test strategy](driver-interface-test-strategy.html) for more information.
-
-#### Corrupted storage
-
-Goal: test the robustness against corrupted storage.
-
-Solution ([internal interface](#internal-interfaces)): call `psa_its` functions to modify the storage.
-
-#### Storage read failure
-
-Goal: test the robustness against read errors.
-
-Solution: TODO
-
-#### Storage write failure
-
-Goal: test the robustness against write errors (`STORAGE_FAILURE` or `INSUFFICIENT_STORAGE`).
-
-Solution: TODO
-
-#### Storage format stability
-
-Goal: test that the storage format does not change between versions (or if it does, an upgrade path must be provided).
-
-Solution ([internal interface](#internal-interfaces)): call internal functions to inspect the content of the file.
-
-Note that the storage format is defined not only by the general layout, but also by the numerical values of encodings for key types and other metadata. For numerical values, there is a risk that we would accidentally modify a single value or a few values, so the tests should be exhaustive. This probably requires some compile-time analysis (perhaps the automation for `psa_constant_names` can be used here). TODO
-
-### Other fault injection
-
-#### PSA crypto init failure
-
-Goal: test the failure of `psa_crypto_init`.
-
-Solution ([compile-time option](#compile-time-options)): replace entropy initialization functions by functions that can fail. This is the only failure point for `psa_crypto_init` that is present in all builds.
-
-When we implement the PSA entropy driver interface, this should be reworked to use the entropy driver interface.
-
-#### PSA crypto data corruption
-
-The PSA crypto subsystem has a few checks to detect corrupted data in memory. We currently don't have a way to exercise those checks.
-
-Solution: TODO. To corrupt a multipart operation structure, we can do it by looking inside the structure content, but only when running without isolation. To corrupt the key store, we would need to add a function to the library or to use a debugger.
-

docs/architecture/testing/test-framework.md

@@ -1,58 +0,0 @@
-# Mbed TLS test framework
-
-This document is an overview of the Mbed TLS test framework and test tools.
-
-This document is incomplete. You can help by expanding it.
-
-## Unit tests
-
-See <https://tls.mbed.org/kb/development/test_suites>
-
-### Unit test descriptions
-
-Each test case has a description which succinctly describes for a human audience what the test does. The first non-comment line of each paragraph in a `.data` file is the test description. The following rules and guidelines apply:
-
-* Test descriptions may not contain semicolons, line breaks and other control characters, or non-ASCII characters. <br>
-  Rationale: keep the tools that process test descriptions (`generate_test_code.py`, [outcome file](#outcome-file) tools) simple.
-* Test descriptions must be unique within a `.data` file. If you can't think of a better description, the convention is to append `#1`, `#2`, etc. <br>
-  Rationale: make it easy to relate a failure log to the test data. Avoid confusion between cases in the [outcome file](#outcome-file).
-* Test descriptions should be a maximum of **66 characters**. <br>
-  Rationale: 66 characters is what our various tools assume (leaving room for 14 more characters on an 80-column line). Longer descriptions may be truncated or may break a visual alignment. <br>
-  We have a lot of test cases with longer descriptions, but they should be avoided. At least please make sure that the first 66 characters describe the test uniquely.
-* Make the description descriptive. “foo: x=2, y=4” is more descriptive than “foo #2”. “foo: 0<x<y, both even” is even better if these inequalities and parities are why this particular test data was chosen.
-* Avoid changing the description of an existing test case without a good reason. This breaks the tracking of failures across CI runs, since this tracking is based on the descriptions.
-
-`tests/scripts/check_test_cases.py` enforces some rules and warns if some guidelines are violated.
-
-## TLS tests
-
-### SSL extension tests
-
-#### SSL test case descriptions
-
-Each test case in `ssl-opt.sh` has a description which succinctly describes for a human audience what the test does. The test description is the first parameter to `run_tests`.
-
-The same rules and guidelines apply as for [unit test descriptions](#unit-test-descriptions). In addition, the description must be written on the same line as `run_test`, in double quotes, for the sake of `check_test_cases.py`.
-
-## Running tests
-
-### Outcome file
-
-#### Generating an outcome file
-
-Unit tests and `ssl-opt.sh` record the outcome of each test case in a **test outcome file**. This feature is enabled if the environment variable `MBEDTLS_TEST_OUTCOME_FILE` is set. Set it to the path of the desired file.
-
-If you run `all.sh --outcome-file test-outcome.csv`, this collects the outcome of all the test cases in `test-outcome.csv`.
-
-#### Outcome file format
-
-The outcome file is in a CSV format using `;` (semicolon) as the delimiter and no quoting. This means that fields may not contain newlines or semicolons. There is no title line.
-
-The outcome file has 6 fields:
-
-* **Platform**: a description of the platform, e.g. `Linux-x86_64` or `Linux-x86_64-gcc7-msan`.
-* **Configuration**: a unique description of the configuration (`config.h`).
-* **Test suite**: `test_suite_xxx` or `ssl-opt`.
-* **Test case**: the description of the test case.
-* **Result**: one of `PASS`, `SKIP` or `FAIL`.
-* **Cause**: more information explaining the result.

docs/architecture/tls13-experimental.md

@@ -1,49 +0,0 @@
-TLS 1.3 Experimental Developments
-=================================
-
-Overview
---------
-
-Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
-Stable parts of this prototype that can be independently tested are being successively
-upstreamed under the guard of the following macro:
-
-```
-MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
-```
-
-This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
-implementation of the TLS 1.3 protocol is available.
-
-See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
-for more information.
-
-Status
-------
-
-The following lists which parts of the TLS 1.3 prototype have already been upstreamed
-together with their level of testing:
-
-* TLS 1.3 record protection mechanisms
-
-  The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
-  to support the modified TLS 1.3 record protection mechanism, including modified computation
-  of AAD, IV, and the introduction of a flexible padding.
-
-  Those record protection routines have unit tests in `test_suite_ssl` alongside the
-  tests for the other record protection routines.
-
-  TODO: Add some test vectors from RFC 8448.
-
-- The HKDF key derivation function on which the TLS 1.3 key schedule is based,
-  is already present as an independent module controlled by `MBEDTLS_HKDF_C`
-  independently of the development of the TLS 1.3 prototype.
-
-- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446):
-  * HKDF-Expand-Label
-  * Derive-Secret
-  - Secret evolution
-  * The traffic {Key,IV} generation from secret
-  Those functions are implemented in `library/ssl_tls13_keys.c` and
-  tested in `test_suite_ssl` using test vectors from RFC 8448 and
-  https://tls13.ulfheim.net/.

docs/getting_started.md

@@ -1,894 +0,0 @@
-## Getting started with Mbed Crypto
-
-### What is Mbed Crypto?
-
-Mbed Crypto is an open source cryptographic library that supports a wide range of cryptographic operations, including:
-* Key management
-* Hashing
-* Symmetric cryptography
-* Asymmetric cryptography
-* Message authentication (MAC)
-* Key generation and derivation
-* Authenticated encryption with associated data (AEAD)
-
-The Mbed Crypto library is a reference implementation of the cryptography interface of the Arm Platform Security Architecture (PSA). It is written in portable C.
-
-The Mbed Crypto library is distributed under the Apache License, version 2.0.
-
-#### Platform Security Architecture (PSA)
-
-Arm's Platform Security Architecture (PSA) is a holistic set of threat models,
-security analyses, hardware and firmware architecture specifications, and an open source firmware reference implementation. PSA provides a recipe, based on industry best practice, that enables you to design security into both hardware and firmware consistently. Part of the API provided by PSA is the cryptography interface, which provides access to a set of primitives.
-
-### Using Mbed Crypto
-
-* [Getting the Mbed Crypto library](#getting-the-mbed-crypto-library)
-* [Building the Mbed Crypto library](#building-the-mbed-crypto-library)
-* [Using the Mbed Crypto library](#using-the-mbed-crypto-library)
-* [Importing a key](#importing-a-key)
-* [Signing a message using RSA](#signing-a-message-using-RSA)
-* [Encrypting or decrypting using symmetric ciphers](#encrypting-or-decrypting-using-symmetric-ciphers)
-* [Hashing a message](#hashing-a-message)
-* [Deriving a new key from an existing key](#deriving-a-new-key-from-an-existing-key)
-* [Generating a random value](#generating-a-random-value)
-* [Authenticating and encrypting or decrypting a message](#authenticating-and-encrypting-or-decrypting-a-message)
-* [Generating and exporting keys](#generating-and-exporting-keys)
-* [More about the Mbed Crypto library](#more-about-the-mbed-crypto-library)
-
-### Getting the Mbed Crypto library
-
-Mbed Crypto releases are available in the [public GitHub repository](https://github.com/ARMmbed/mbed-crypto).
-
-### Building the Mbed Crypto library
-
-**Prerequisites to building the library with the provided makefiles:**
-* GNU Make.
-* A C toolchain (compiler, linker, archiver).
-* Python 2 or Python 3 (either works) to generate the test code.
-* Perl to run the tests.
-
-If you have a C compiler such as GCC or Clang, just run `make` in the top-level directory to build the library, a set of unit tests and some sample programs.
-
-To select a different compiler, set the `CC` variable to the name or path of the compiler and linker (default: `cc`) and set `AR` to a compatible archiver (default: `ar`); for example:
-```
-make CC=arm-linux-gnueabi-gcc AR=arm-linux-gnueabi-ar
-```
-The provided makefiles pass options to the compiler that assume a GCC-like command line syntax. To use a different compiler, you may need to pass different values for `CFLAGS`, `WARNINGS_CFLAGS` and `LDFLAGS`.
-
-To run the unit tests on the host machine, run `make test` from the top-level directory. If you are cross-compiling, copy the test executable from the `tests` directory to the target machine.
-
-### Using the Mbed Crypto library
-
-To use the Mbed Crypto APIs, call `psa_crypto_init()` before calling any other API. This initializes the library.
-
-### Importing a key
-
-To use a key for cryptography operations in Mbed Crypto, you need to first
-import it. The import operation returns the identifier of the key for use
-with other function calls.
-
-**Prerequisites to importing keys:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-
-This example shows how to import a key:
-```C
-void import_a_key(const uint8_t *key, size_t key_len)
-{
-    psa_status_t status;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_id_t key;
-
-    printf("Import an AES key...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Set key attributes */
-    psa_set_key_usage_flags(&attributes, 0);
-    psa_set_key_algorithm(&attributes, 0);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-
-    /* Import the key */
-    status = psa_import_key(&attributes, key, key_len, &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import key\n");
-        return;
-    }
-    printf("Imported a key\n");
-
-    /* Free the attributes */
-    psa_reset_key_attributes(&attributes);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-}
-```
-
-### Signing a message using RSA
-
-Mbed Crypto supports encrypting, decrypting, signing and verifying messages using public key signature algorithms, such as RSA or ECDSA.
-
-**Prerequisites to performing asymmetric signature operations:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-* Have a valid key with appropriate attributes set:
-    * Usage flag `PSA_KEY_USAGE_SIGN_HASH` to allow signing.
-    * Usage flag `PSA_KEY_USAGE_VERIFY_HASH` to allow signature verification.
-    * Algorithm set to the desired signature algorithm.
-
-This example shows how to sign a hash that has already been calculated:
-```C
-void sign_a_message_using_rsa(const uint8_t *key, size_t key_len)
-{
-    psa_status_t status;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    uint8_t hash[32] = {0x50, 0xd8, 0x58, 0xe0, 0x98, 0x5e, 0xcc, 0x7f,
-                        0x60, 0x41, 0x8a, 0xaf, 0x0c, 0xc5, 0xab, 0x58,
-                        0x7f, 0x42, 0xc2, 0x57, 0x0a, 0x88, 0x40, 0x95,
-                        0xa9, 0xe8, 0xcc, 0xac, 0xd0, 0xf6, 0x54, 0x5c};
-    uint8_t signature[PSA_SIGNATURE_MAX_SIZE] = {0};
-    size_t signature_length;
-    psa_key_id_t key;
-
-    printf("Sign a message...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Set key attributes */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
-    psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_SIGN_RAW);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
-    psa_set_key_bits(&attributes, 1024);
-
-    /* Import the key */
-    status = psa_import_key(&attributes, key, key_len, &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import key\n");
-        return;
-    }
-
-    /* Sign message using the key */
-    status = psa_sign_hash(key, PSA_ALG_RSA_PKCS1V15_SIGN_RAW,
-                           hash, sizeof(hash),
-                           signature, sizeof(signature),
-                           &signature_length);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to sign\n");
-        return;
-    }
-
-    printf("Signed a message\n");
-
-    /* Free the attributes */
-    psa_reset_key_attributes(&attributes);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-}
-```
-
-### Using symmetric ciphers
-
-Mbed Crypto supports encrypting and decrypting messages using various symmetric cipher algorithms (both block and stream ciphers).
-
-**Prerequisites to working with the symmetric cipher API:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-* Have a symmetric key. This key's usage flags must include `PSA_KEY_USAGE_ENCRYPT` to allow encryption or `PSA_KEY_USAGE_DECRYPT` to allow decryption.
-
-**To encrypt a message with a symmetric cipher:**
-1. Allocate an operation (`psa_cipher_operation_t`) structure to pass to the cipher functions.
-1. Initialize the operation structure to zero or to `PSA_CIPHER_OPERATION_INIT`.
-1. Call `psa_cipher_encrypt_setup()` to specify the algorithm and the key to be used.
-1. Call either `psa_cipher_generate_iv()` or `psa_cipher_set_iv()` to generate or set the initialization vector (IV). We recommend calling `psa_cipher_generate_iv()`, unless you require a specific IV value.
-1. Call `psa_cipher_update()` with the message to encrypt. You may call this function multiple times, passing successive fragments of the message on successive calls.
-1. Call `psa_cipher_finish()` to end the operation and output the encrypted message.
-
-This example shows how to encrypt data using an AES (Advanced Encryption Standard) key in CBC (Cipher Block Chaining) mode with no padding (assuming all prerequisites have been fulfilled):
-```c
-void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
-{
-    enum {
-        block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES),
-    };
-    psa_status_t status;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
-    uint8_t plaintext[block_size] = SOME_PLAINTEXT;
-    uint8_t iv[block_size];
-    size_t iv_len;
-    uint8_t output[block_size];
-    size_t output_len;
-    psa_key_id_t key;
-    psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
-
-    printf("Encrypt with cipher...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS)
-    {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Import a key */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
-    psa_set_key_algorithm(&attributes, alg);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-    status = psa_import_key(&attributes, key, key_len, &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import a key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    /* Encrypt the plaintext */
-    status = psa_cipher_encrypt_setup(&operation, key, alg);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to begin cipher operation\n");
-        return;
-    }
-    status = psa_cipher_generate_iv(&operation, iv, sizeof(iv), &iv_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to generate IV\n");
-        return;
-    }
-    status = psa_cipher_update(&operation, plaintext, sizeof(plaintext),
-                               output, sizeof(output), &output_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to update cipher operation\n");
-        return;
-    }
-    status = psa_cipher_finish(&operation, output + output_len,
-                               sizeof(output) - output_len, &output_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to finish cipher operation\n");
-        return;
-    }
-    printf("Encrypted plaintext\n");
-
-    /* Clean up cipher operation context */
-    psa_cipher_abort(&operation);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-}
-```
-
-**To decrypt a message with a symmetric cipher:**
-1. Allocate an operation (`psa_cipher_operation_t`) structure to pass to the cipher functions.
-1. Initialize the operation structure to zero or to `PSA_CIPHER_OPERATION_INIT`.
-1. Call `psa_cipher_decrypt_setup()` to specify the algorithm and the key to be used.
-1. Call `psa_cipher_set_iv()` with the IV for the decryption.
-1. Call `psa_cipher_update()` with the message to encrypt. You may call this function multiple times, passing successive fragments of the message on successive calls.
-1. Call `psa_cipher_finish()` to end the operation and output the decrypted message.
-
-This example shows how to decrypt encrypted data using an AES key in CBC mode with no padding
-(assuming all prerequisites have been fulfilled):
-```c
-void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
-{
-    enum {
-        block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES),
-    };
-    psa_status_t status;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
-    psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
-    uint8_t ciphertext[block_size] = SOME_CIPHERTEXT;
-    uint8_t iv[block_size] = ENCRYPTED_WITH_IV;
-    uint8_t output[block_size];
-    size_t output_len;
-    psa_key_id_t key;
-
-    printf("Decrypt with cipher...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS)
-    {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Import a key */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
-    psa_set_key_algorithm(&attributes, alg);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-    status = psa_import_key(&attributes, key, key_len, &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import a key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    /* Decrypt the ciphertext */
-    status = psa_cipher_decrypt_setup(&operation, key, alg);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to begin cipher operation\n");
-        return;
-    }
-    status = psa_cipher_set_iv(&operation, iv, sizeof(iv));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to set IV\n");
-        return;
-    }
-    status = psa_cipher_update(&operation, ciphertext, sizeof(ciphertext),
-                               output, sizeof(output), &output_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to update cipher operation\n");
-        return;
-    }
-    status = psa_cipher_finish(&operation, output + output_len,
-                               sizeof(output) - output_len, &output_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to finish cipher operation\n");
-        return;
-    }
-    printf("Decrypted ciphertext\n");
-
-    /* Clean up cipher operation context */
-    psa_cipher_abort(&operation);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-}
-```
-
-#### Handling cipher operation contexts
-
-After you've initialized the operation structure with a successful call to `psa_cipher_encrypt_setup()` or `psa_cipher_decrypt_setup()`, you can terminate the operation at any time by calling `psa_cipher_abort()`.
-
-The call to `psa_cipher_abort()` frees any resources associated with the operation, except for the operation structure itself.
-
-Mbed Crypto implicitly calls `psa_cipher_abort()` when:
-* A call to `psa_cipher_generate_iv()`, `psa_cipher_set_iv()` or `psa_cipher_update()` fails (returning any status other than `PSA_SUCCESS`).
-* A call to `psa_cipher_finish()` succeeds or fails.
-
-After an implicit or explicit call to `psa_cipher_abort()`, the operation structure is invalidated; in other words, you cannot reuse the operation structure for the same operation. You can, however, reuse the operation structure for a different operation by calling either `psa_cipher_encrypt_setup()` or `psa_cipher_decrypt_setup()` again.
-
-You must call `psa_cipher_abort()` at some point for any operation that is initialized successfully (by a successful call to `psa_cipher_encrypt_setup()` or `psa_cipher_decrypt_setup()`).
-
-Making multiple sequential calls to `psa_cipher_abort()` on an operation that is terminated (either implicitly or explicitly) is safe and has no effect.
-
-### Hashing a message
-
-Mbed Crypto lets you compute and verify hashes using various hashing
-algorithms.
-
-**Prerequisites to working with the hash APIs:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-
-**To calculate a hash:**
-1. Allocate an operation structure (`psa_hash_operation_t`) to pass to the hash functions.
-1. Initialize the operation structure to zero or to `PSA_HASH_OPERATION_INIT`.
-1. Call `psa_hash_setup()` to specify the hash algorithm.
-1. Call `psa_hash_update()` with the message to encrypt. You may call this function multiple times, passing successive fragments of the message on successive calls.
-1. Call `psa_hash_finish()` to calculate the hash, or `psa_hash_verify()` to compare the computed hash with an expected hash value.
-
-This example shows how to calculate the SHA-256 hash of a message:
-```c
-    psa_status_t status;
-    psa_algorithm_t alg = PSA_ALG_SHA_256;
-    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
-    unsigned char input[] = { 'a', 'b', 'c' };
-    unsigned char actual_hash[PSA_HASH_MAX_SIZE];
-    size_t actual_hash_len;
-
-    printf("Hash a message...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Compute hash of message  */
-    status = psa_hash_setup(&operation, alg);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to begin hash operation\n");
-        return;
-    }
-    status = psa_hash_update(&operation, input, sizeof(input));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to update hash operation\n");
-        return;
-    }
-    status = psa_hash_finish(&operation, actual_hash, sizeof(actual_hash),
-                             &actual_hash_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to finish hash operation\n");
-        return;
-    }
-
-    printf("Hashed a message\n");
-
-    /* Clean up hash operation context */
-    psa_hash_abort(&operation);
-
-    mbedtls_psa_crypto_free();
-```
-
-This example shows how to verify the SHA-256 hash of a message:
-```c
-    psa_status_t status;
-    psa_algorithm_t alg = PSA_ALG_SHA_256;
-    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
-    unsigned char input[] = { 'a', 'b', 'c' };
-    unsigned char expected_hash[] = {
-        0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde,
-        0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
-        0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
-    };
-    size_t expected_hash_len = PSA_HASH_SIZE(alg);
-
-    printf("Verify a hash...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Verify message hash */
-    status = psa_hash_setup(&operation, alg);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to begin hash operation\n");
-        return;
-    }
-    status = psa_hash_update(&operation, input, sizeof(input));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to update hash operation\n");
-        return;
-    }
-    status = psa_hash_verify(&operation, expected_hash, expected_hash_len);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to verify hash\n");
-        return;
-    }
-
-    printf("Verified a hash\n");
-
-    /* Clean up hash operation context */
-    psa_hash_abort(&operation);
-
-    mbedtls_psa_crypto_free();
-```
-
-The API provides the macro `PSA_HASH_SIZE`, which returns the expected hash length (in bytes) for the specified algorithm.
-
-#### Handling hash operation contexts
-
-After a successful call to `psa_hash_setup()`, you can terminate the operation at any time by calling `psa_hash_abort()`. The call to `psa_hash_abort()` frees any resources associated with the operation, except for the operation structure itself.
-
-Mbed Crypto implicitly calls `psa_hash_abort()` when:
-1. A call to `psa_hash_update()` fails (returning any status other than `PSA_SUCCESS`).
-1. A call to `psa_hash_finish()` succeeds or fails.
-1. A call to `psa_hash_verify()` succeeds or fails.
-
-After an implicit or explicit call to `psa_hash_abort()`, the operation structure is invalidated; in other words, you cannot reuse the operation structure for the same operation. You can, however, reuse the operation structure for a different operation by calling `psa_hash_setup()` again.
-
-You must call `psa_hash_abort()` at some point for any operation that is initialized successfully (by a successful call to `psa_hash_setup()`) .
-
-Making multiple sequential calls to `psa_hash_abort()` on an operation that has already been terminated (either implicitly or explicitly) is safe and has no effect.
-
-### Generating a random value
-
-Mbed Crypto can generate random data.
-
-**Prerequisites to generating random data:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-
-<span class="notes">**Note:** To generate a random key, use `psa_generate_key()` instead of `psa_generate_random()`.</span>
-
-This example shows how to generate ten bytes of random data by calling `psa_generate_random()`:
-```C
-    psa_status_t status;
-    uint8_t random[10] = { 0 };
-
-    printf("Generate random...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    status = psa_generate_random(random, sizeof(random));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to generate a random value\n");
-        return;
-    }
-
-    printf("Generated random data\n");
-
-    /* Clean up */
-    mbedtls_psa_crypto_free();
-```
-
-### Deriving a new key from an existing key
-
-Mbed Crypto provides a key derivation API that lets you derive new keys from
-existing ones. The key derivation API has functions to take inputs, including
-other keys and data, and functions to generate outputs, such as new keys or
-other data.
-
-You must first initialize and set up a key derivation context,
-provided with a key and, optionally, other data. Then, use the key derivation context to either read derived data to a buffer or send derived data directly to a key slot.
-
-See the documentation for the particular algorithm (such as HKDF or the TLS1.2 PRF) for
-information about which inputs to pass when, and when you can obtain which outputs.
-
-**Prerequisites to working with the key derivation APIs:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-* Use a key with the appropriate attributes set:
-    * Usage flags set for key derivation (`PSA_KEY_USAGE_DERIVE`)
-    * Key type set to `PSA_KEY_TYPE_DERIVE`.
-    * Algorithm set to a key derivation algorithm
-      (for example, `PSA_ALG_HKDF(PSA_ALG_SHA_256)`).
-
-**To derive a new AES-CTR 128-bit encryption key into a given key slot using HKDF
-with a given key, salt and info:**
-
-1. Set up the key derivation context using the `psa_key_derivation_setup()`
-function, specifying the derivation algorithm `PSA_ALG_HKDF(PSA_ALG_SHA_256)`.
-1. Provide an optional salt with `psa_key_derivation_input_bytes()`.
-1. Provide info with `psa_key_derivation_input_bytes()`.
-1. Provide a secret with `psa_key_derivation_input_key()`, referencing a key that
-   can be used for key derivation.
-1. Set the key attributes desired for the new derived key. We'll set
-   the `PSA_KEY_USAGE_ENCRYPT` usage flag and the `PSA_ALG_CTR` algorithm for this
-   example.
-1. Derive the key by calling `psa_key_derivation_output_key()`.
-1. Clean up the key derivation context.
-
-At this point, the derived key slot holds a new 128-bit AES-CTR encryption key
-derived from the key, salt and info provided:
-```C
-    psa_status_t status;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    static const unsigned char key[] = {
-        0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-        0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-        0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-        0x0b };
-    static const unsigned char salt[] = {
-        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
-        0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
-    static const unsigned char info[] = {
-        0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6,
-        0xf7, 0xf8, 0xf9 };
-    psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
-    psa_key_derivation_operation_t operation =
-        PSA_KEY_DERIVATION_OPERATION_INIT;
-    size_t derived_bits = 128;
-    size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
-    psa_key_id_t base_key;
-    psa_key_id_t derived_key;
-
-    printf("Derive a key (HKDF)...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Import a key for use in key derivation. If such a key has already been
-     * generated or imported, you can skip this part. */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
-    psa_set_key_algorithm(&attributes, alg);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
-    status = psa_import_key(&attributes, key, sizeof(key), &base_key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import a key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    /* Derive a key */
-    status = psa_key_derivation_setup(&operation, alg);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to begin key derivation\n");
-        return;
-    }
-    status = psa_key_derivation_set_capacity(&operation, capacity);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to set capacity\n");
-        return;
-    }
-    status = psa_key_derivation_input_bytes(&operation,
-                                            PSA_KEY_DERIVATION_INPUT_SALT,
-                                            salt, sizeof(salt));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to input salt (extract)\n");
-        return;
-    }
-    status = psa_key_derivation_input_key(&operation,
-                                          PSA_KEY_DERIVATION_INPUT_SECRET,
-                                          base_key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to input key (extract)\n");
-        return;
-    }
-    status = psa_key_derivation_input_bytes(&operation,
-                                            PSA_KEY_DERIVATION_INPUT_INFO,
-                                            info, sizeof(info));
-    if (status != PSA_SUCCESS) {
-        printf("Failed to input info (expand)\n");
-        return;
-    }
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
-    psa_set_key_algorithm(&attributes, PSA_ALG_CTR);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-    status = psa_key_derivation_output_key(&attributes, &operation,
-                                           &derived_key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to derive key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    printf("Derived key\n");
-
-    /* Clean up key derivation operation */
-    psa_key_derivation_abort(&operation);
-
-    /* Destroy the keys */
-    psa_destroy_key(derived_key);
-    psa_destroy_key(base_key);
-
-    mbedtls_psa_crypto_free();
-```
-
-### Authenticating and encrypting or decrypting a message
-
-Mbed Crypto provides a simple way to authenticate and encrypt with associated data (AEAD), supporting the `PSA_ALG_CCM` algorithm.
-
-**Prerequisites to working with the AEAD cipher APIs:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-* The key attributes for the key used for derivation must have the `PSA_KEY_USAGE_ENCRYPT` or `PSA_KEY_USAGE_DECRYPT` usage flags.
-
-This example shows how to authenticate and encrypt a message:
-```C
-    psa_status_t status;
-    static const uint8_t key[] = {
-        0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
-        0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
-    static const uint8_t nonce[] = {
-        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-        0x08, 0x09, 0x0A, 0x0B };
-    static const uint8_t additional_data[] = {
-        0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25,
-        0x20, 0xC3, 0x3C, 0x49, 0xFD, 0x70 };
-    static const uint8_t input_data[] = {
-        0xB9, 0x6B, 0x49, 0xE2, 0x1D, 0x62, 0x17, 0x41,
-        0x63, 0x28, 0x75, 0xDB, 0x7F, 0x6C, 0x92, 0x43,
-        0xD2, 0xD7, 0xC2 };
-    uint8_t *output_data = NULL;
-    size_t output_size = 0;
-    size_t output_length = 0;
-    size_t tag_length = 16;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_id_t key;
-
-    printf("Authenticate encrypt...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    output_size = sizeof(input_data) + tag_length;
-    output_data = (uint8_t *)malloc(output_size);
-    if (!output_data) {
-        printf("Out of memory\n");
-        return;
-    }
-
-    /* Import a key */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
-    psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-    status = psa_import_key(&attributes, key, sizeof(key), &key);
-    psa_reset_key_attributes(&attributes);
-
-    /* Authenticate and encrypt */
-    status = psa_aead_encrypt(key, PSA_ALG_CCM,
-                              nonce, sizeof(nonce),
-                              additional_data, sizeof(additional_data),
-                              input_data, sizeof(input_data),
-                              output_data, output_size,
-                              &output_length);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to authenticate and encrypt\n");
-        return;
-    }
-
-    printf("Authenticated and encrypted\n");
-
-    /* Clean up */
-    free(output_data);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-```
-
-This example shows how to authenticate and decrypt a message:
-
-```C
-    psa_status_t status;
-    static const uint8_t key_data[] = {
-        0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
-        0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
-    static const uint8_t nonce[] = {
-        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-        0x08, 0x09, 0x0A, 0x0B };
-    static const uint8_t additional_data[] = {
-        0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25,
-        0x20, 0xC3, 0x3C, 0x49, 0xFD, 0x70 };
-    static const uint8_t input_data[] = {
-        0x20, 0x30, 0xE0, 0x36, 0xED, 0x09, 0xA0, 0x45, 0xAF, 0x3C, 0xBA, 0xEE,
-        0x0F, 0xC8, 0x48, 0xAF, 0xCD, 0x89, 0x54, 0xF4, 0xF6, 0x3F, 0x28, 0x9A,
-        0xA1, 0xDD, 0xB2, 0xB8, 0x09, 0xCD, 0x7C, 0xE1, 0x46, 0xE9, 0x98 };
-    uint8_t *output_data = NULL;
-    size_t output_size = 0;
-    size_t output_length = 0;
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_id_t key;
-
-    printf("Authenticate decrypt...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    output_size = sizeof(input_data);
-    output_data = (uint8_t *)malloc(output_size);
-    if (!output_data) {
-        printf("Out of memory\n");
-        return;
-    }
-
-    /* Import a key */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
-    psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
-    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-    psa_set_key_bits(&attributes, 128);
-    status = psa_import_key(&attributes, key_data, sizeof(key_data), &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to import a key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    /* Authenticate and decrypt */
-    status = psa_aead_decrypt(key, PSA_ALG_CCM,
-                              nonce, sizeof(nonce),
-                              additional_data, sizeof(additional_data),
-                              input_data, sizeof(input_data),
-                              output_data, output_size,
-                              &output_length);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to authenticate and decrypt %ld\n", status);
-        return;
-    }
-
-    printf("Authenticated and decrypted\n");
-
-    /* Clean up */
-    free(output_data);
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-```
-
-### Generating and exporting keys
-
-Mbed Crypto provides a simple way to generate a key or key pair.
-
-**Prerequisites to using key generation and export APIs:**
-* Initialize the library with a successful call to `psa_crypto_init()`.
-
-**To generate an ECDSA key:**
-1. Set the desired key attributes for key generation by calling
-   `psa_set_key_algorithm()` with the chosen ECDSA algorithm (such as
-   `PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)`). You only want to export the public key, not the key pair (or private key); therefore, do not set `PSA_KEY_USAGE_EXPORT`.
-1. Generate a key by calling `psa_generate_key()`.
-1. Export the generated public key by calling `psa_export_public_key()`:
-```C
-    enum {
-        key_bits = 256,
-    };
-    psa_status_t status;
-    size_t exported_length = 0;
-    static uint8_t exported[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)];
-    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_id_t key;
-
-    printf("Generate a key pair...\t");
-    fflush(stdout);
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        printf("Failed to initialize PSA Crypto\n");
-        return;
-    }
-
-    /* Generate a key */
-    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
-    psa_set_key_algorithm(&attributes,
-                          PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
-    psa_set_key_type(&attributes,
-                     PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
-    psa_set_key_bits(&attributes, key_bits);
-    status = psa_generate_key(&attributes, &key);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to generate key\n");
-        return;
-    }
-    psa_reset_key_attributes(&attributes);
-
-    status = psa_export_public_key(key, exported, sizeof(exported),
-                                   &exported_length);
-    if (status != PSA_SUCCESS) {
-        printf("Failed to export public key %ld\n", status);
-        return;
-    }
-
-    printf("Exported a public key\n");
-
-    /* Destroy the key */
-    psa_destroy_key(key);
-
-    mbedtls_psa_crypto_free();
-```
-
-### More about the PSA Crypto API
-
-For more information about the PSA Crypto API, please see the [PSA Cryptography API Specification](https://armmbed.github.io/mbed-crypto/html/index.html).

docs/proposed/Makefile

@@ -1,25 +0,0 @@
-PANDOC = pandoc
-
-default: all
-
-all_markdown = \
-	       psa-conditional-inclusion-c.md \
-	       psa-driver-developer-guide.md \
-	       psa-driver-integration-guide.md \
-	       psa-driver-interface.md \
-	       # This line is intentionally left blank
-
-html: $(all_markdown:.md=.html)
-pdf: $(all_markdown:.md=.pdf)
-all: html pdf
-
-.SUFFIXES:
-.SUFFIXES: .md .html .pdf
-
-.md.html:
-	$(PANDOC) -o $@ $<
-.md.pdf:
-	$(PANDOC) -o $@ $<
-
-clean:
-	rm -f *.html *.pdf

docs/proposed/README

@@ -1,4 +0,0 @@
-The documents in this directory are proposed specifications for Mbed
-TLS features. They are not implemented yet, or only partially
-implemented. Please follow activity on the `development` branch of
-Mbed TLS if you are interested in these features.

docs/proposed/psa-conditional-inclusion-c.md

@@ -1,238 +0,0 @@
-Conditional inclusion of cryptographic mechanism through the PSA API in Mbed TLS
-================================================================================
-
-This document is a proposed interface for deciding at build time which cryptographic mechanisms to include in the PSA Cryptography interface.
-
-This is currently a proposal for Mbed TLS. It is not currently on track for standardization in PSA.
-
-Time-stamp: "2020/11/26 09:30:50 GMT"
-
-## Introduction
-
-### Purpose of this specification
-
-The [PSA Cryptography API specification](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) specifies the interface between a PSA Cryptography implementation and an application. The interface defines a number of categories of cryptographic algorithms (hashes, MAC, signatures, etc.). In each category, a typical implementation offers many algorithms (e.g. for signatures: RSA-PKCS#1v1.5, RSA-PSS, ECDSA). When building the implementation for a specific use case, it is often desirable to include only a subset of the available cryptographic mechanisms, primarily in order to reduce the code footprint of the compiled system.
-
-The present document proposes a way for an application using the PSA cryptography interface to declare which mechanisms it requires.
-
-### Conditional inclusion of legacy cryptography modules
-
-Mbed TLS offers a way to select which cryptographic mechanisms are included in a build through its configuration file (`config.h`). This mechanism is based on two main sets of symbols: `MBEDTLS_xxx_C` controls the availability of the mechanism to the application, and `MBEDTLS_xxx_ALT` controls the availability of an alternative implementation, so the software implementation is only included if `MBEDTLS_xxx_C` is defined but not `MBEDTLS_xxx_ALT`.
-
-### PSA evolution
-
-In the PSA cryptography interface, the **core** (built-in implementations of cryptographic mechanisms) can be augmented with drivers. **Transparent drivers** replace the built-in implementation of a cryptographic mechanism (or, with **fallback**, the built-in implementation is tried if the driver only has partial support for the mechanism). **Opaque drivers** implement cryptographic mechanisms on keys which are stored in a separate domain such as a secure element, for which the core only does key management and dispatch using wrapped key blobs or key identifiers.
-
-The current model is difficult to adapt to the PSA interface for several reasons. The `MBEDTLS_xxx_ALT` symbols are somewhat inconsistent, and in particular do not work well for asymmetric cryptography. For example, many parts of the ECC code have no `MBEDTLS_xxx_ALT` symbol, so a platform with ECC acceleration that can perform all ECDSA and ECDH operations in the accelerator would still embark the `bignum` module and large parts of the `ecp_curves`, `ecp` and `ecdsa` modules. Also the availability of a transparent driver for a mechanism does not translate directly to `MBEDTLS_xxx` symbols.
-
-### Requirements
-
-[Req.interface] The application can declare which cryptographic mechanisms it needs.
-
-[Req.inclusion] If the application does not require a mechanism, a suitably configured Mbed TLS build must not include it. The granularity of mechanisms must work for typical use cases and has [acceptable limitations](#acceptable-limitations).
-
-[Req.drivers] If a PSA driver is available in the build, a suitably configured Mbed TLS build must not include the corresponding software code (unless a software fallback is needed).
-
-[Req.c] The configuration mechanism consists of C preprocessor definitions, and the build does not require tools other than a C compiler. This is necessary to allow building an application and Mbed TLS in development environments that do not allow third-party tools.
-
-[Req.adaptability] The implementation of the mechanism must be adaptable with future evolution of the PSA cryptography specifications and Mbed TLS. Therefore the interface must remain sufficiently simple and abstract.
-
-### Acceptable limitations
-
-[Limitation.matrix] If a mechanism is defined by a combination of algorithms and key types, for example a block cipher mode (CBC, CTR, CFB, …) and a block permutation (AES, CAMELLIA, ARIA, …), there is no requirement to include only specific combinations.
-
-[Limitation.direction] For mechanisms that have multiple directions (for example encrypt/decrypt, sign/verify), there is no requirement to include only one direction.
-
-[Limitation.size] There is no requirement to include only support for certain key sizes.
-
-[Limitation.multipart] Where there are multiple ways to perform an operation, for example single-part and multi-part, there is no mechanism to select only one or a subset of the possible ways.
-
-## Interface
-
-### PSA Crypto configuration file
-
-The PSA Crypto configuration file `psa/crypto_config.h` defines a series of symbols of the form `PSA_WANT_xxx` where `xxx` describes the feature that the symbol enables. The symbols are documented in the section [“PSA Crypto configuration symbols”](#psa-crypto-configuration-symbols) below.
-
-The symbol `MBEDTLS_PSA_CRYPTO_CONFIG` in `mbedtls/config.h` determines whether `psa/crypto_config.h` is used.
-
-* If `MBEDTLS_PSA_CRYPTO_CONFIG` is unset, which is the default at least in Mbed TLS 2.x versions, things are as they are today: the PSA subsystem includes generic code unconditionally, and includes support for specific mechanisms conditionally based on the existing `MBEDTLS_xxx_` symbols.
-* If `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the necessary software implementations of cryptographic algorithms are included based on both the content of the PSA Crypto configuration file and the Mbed TLS configuration file. For example, the code in `aes.c` is enabled if either `mbedtls/config.h` contains `MBEDTLS_AES_C` or `psa/crypto_config.h` contains `PSA_WANT_KEY_TYPE_AES`.
-
-### PSA Crypto configuration symbols
-
-#### Configuration symbol syntax
-
-A PSA Crypto configuration symbol is a C preprocessor symbol whose name starts with `PSA_WANT_`.
-
-* If the symbol is not defined, the corresponding feature is not included.
-* If the symbol is defined to a preprocessor expression with the value `1`, the corresponding feature is included.
-* If the symbol is defined with a different value, the behavior is currently undefined and reserved for future use.
-
-#### Configuration symbol usage
-
-The presence of a symbol `PSA_WANT_xxx` in the Mbed TLS configuration determines whether a feature is available through the PSA API. These symbols should be used in any place that requires conditional compilation based on the availability of a cryptographic mechanism through the PSA API, including:
-
-* In Mbed TLS test code.
-* In Mbed TLS library code using `MBEDTLS_USE_PSA_CRYPTO`, for example in TLS to determine which cipher suites to enable.
-* In application code that provides additional features based on cryptographic capabilities, for example additional key parsing and formatting functions, or cipher suite availability for network protocols.
-
-#### Configuration symbol semantics
-
-If a feature is not requested for inclusion in the PSA Crypto configuration file, it may still be included in the build, either because the feature has been requested in some other way, or because the library does not support the exclusion of this feature. Mbed TLS should make a best effort to support the exclusion of all features, but in some cases this may be judged too much effort for too little benefit.
-
-#### Configuration symbols for key types
-
-For each constant or constructor macro of the form `PSA_KEY_TYPE_xxx`, the symbol **`PSA_WANT_KEY_TYPE_xxx`** indicates that support for this key type is desired.
-
-For asymmetric cryptography, `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR` determines whether private-key operations are desired, and `PSA_WANT_KEY_TYPE_xxx_PUBLIC_KEY` determines whether public-key operations are desired. `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR` implicitly enables `PSA_WANT_KEY_TYPE_xxx_PUBLIC_KEY`: there is no way to only include private-key operations (which typically saves little code).
-
-#### Configuration symbols for curves
-
-For elliptic curve key types, only the specified curves are included. To include a curve, include a symbol of the form **`PSA_WANT_ECC_family_size`**. For example: `PSA_WANT_ECC_SECP_R1_256` for secp256r1, `PSA_WANT_ECC_MONTGOMERY_CURVE25519`. It is an error to require an ECC key type but no curve, and Mbed TLS will reject this at compile time.
-
-#### Configuration symbols for algorithms
-
-For each constant or constructor macro of the form `PSA_ALG_xxx`, the symbol **`PSA_WANT_ALG_xxx`** indicates that support for this algorithm is desired.
-
-For parametrized algorithms, the `PSA_WANT_ALG_xxx` symbol indicates whether the base mechanism is supported. Parameters must themselves be included through their own `PSA_WANT_ALG_xxx` symbols. It is an error to include a base mechanism without at least one possible parameter, and Mbed TLS will reject this at compile time. For example, `PSA_WANT_ALG_ECDSA` requires the inclusion of randomized ECDSA for all hash algorithms whose corresponding symbol `PSA_WANT_ALG_xxx` is enabled.
-
-## Implementation
-
-### Additional non-public symbols
-
-#### Accounting for transparent drivers
-
-In addition to the [configuration symbols](#psa-crypto-configuration-symbols), we need two parallel or mostly parallel sets of symbols:
-
-* **`MBEDTLS_PSA_ACCEL_xxx`** indicates whether a fully-featured, fallback-free transparent driver is available.
-* **`MBEDTLS_PSA_BUILTIN_xxx`** indicates whether the software implementation is needed.
-
-`MBEDTLS_PSA_ACCEL_xxx` is one of the outputs of the transpilation of a driver description, alongside the glue code for calling the drivers.
-
-`MBEDTLS_PSA_BUILTIN_xxx` is enabled when `PSA_WANT_xxx` is enabled and `MBEDTLS_PSA_ACCEL_xxx` is disabled.
-
-These symbols are not part of the public interface of Mbed TLS towards applications or to drivers, regardless of whether the symbols are actually visible.
-
-### Architecture of symbol definitions
-
-#### New-style definition of configuration symbols
-
-When `MBEDTLS_PSA_CRYPTO_CONFIG` is set, the header file `mbedtls/config.h` needs to define all the `MBEDTLS_xxx_C` configuration symbols, including the ones deduced from the PSA Crypto configuration. It does this by including the new header file **`mbedtls/config_psa.h`**, which defines the `MBEDTLS_PSA_BUILTIN_xxx` symbols and deduces the corresponding `MBEDTLS_xxx_C` (and other) symbols.
-
-`mbedtls/config_psa.h` includes `psa/crypto_config.h`, the user-editable file that defines application requirements.
-
-#### Old-style definition of configuration symbols
-
-When `MBEDTLS_PSA_CRYPTO_CONFIG` is not set, the configuration of Mbed TLS works as before, and the inclusion of non-PSA code only depends on `MBEDTLS_xxx` symbols defined (or not) in `mbedtls/config.h`. Furthermore, the new header file **`mbedtls/config_psa.h`** deduces PSA configuration symbols (`PSA_WANT_xxx`, `MBEDTLS_PSA_BUILTIN_xxx`) from classic configuration symbols (`MBEDTLS_xxx`).
-
-The `PSA_WANT_xxx` definitions in `mbedtls/config_psa.h` are needed not only to build the PSA parts of the library, but also to build code that uses these parts. This includes structure definitions in `psa/crypto_struct.h`, size calculations in `psa/crypto_sizes.h`, and application code that's specific to a given cryptographic mechanism. In Mbed TLS itself, code under `MBEDTLS_USE_PSA_CRYPTO` and conditional compilation guards in tests and sample programs need `PSA_WANT_xxx`.
-
-Since some existing applications use a handwritten `mbedtls/config.h` or an edited copy of `mbedtls/config.h` from an earlier version of Mbed TLS, `mbedtls/config_psa.h` must be included via an already existing header that is not `mbedtls/config.h`, so it is included via `psa/crypto.h` (for example from `psa/crypto_platform.h`).
-
-#### Summary of definitions of configuration symbols
-
-Whether `MBEDTLS_PSA_CRYPTO_CONFIG` is set or not, `mbedtls/config_psa.h` includes `mbedtls/crypto_drivers.h`, a header file generated by the transpilation of the driver descriptions. It defines `MBEDTLS_PSA_ACCEL_xxx` symbols according to the availability of transparent drivers without fallback.
-
-The following table summarizes where symbols are defined depending on the configuration mode.
-
-* (U) indicates a symbol that is defined by the user (application).
-* (D) indicates a symbol that is deduced from other symbols by code that ships with Mbed TLS.
-* (G) indicates a symbol that is generated from driver descriptions.
-
-| Symbols                   | With `MBEDTLS_PSA_CRYPTO_CONFIG` | Without `MBEDTLS_PSA_CRYPTO_CONFIG` |
-| ------------------------- | -------------------------------- | ----------------------------------- |
-| `MBEDTLS_xxx_C`           | `mbedtls/config.h` (U) or        | `mbedtls/config.h` (U)              |
-|                           | `mbedtls/config_psa.h` (D)       |                                     |
-| `PSA_WANT_xxx`            | `psa/crypto_config.h` (U)        | `mbedtls/config_psa.h` (D)          |
-| `MBEDTLS_PSA_BUILTIN_xxx` | `mbedtls/config_psa.h` (D)       | `mbedtls/config_psa.h` (D)          |
-| `MBEDTLS_PSA_ACCEL_xxx`   | `mbedtls/crypto_drivers.h` (G)   | N/A                                 |
-
-#### Visibility of internal symbols
-
-Ideally, the `MBEDTLS_PSA_ACCEL_xxx` and `MBEDTLS_PSA_BUILTIN_xxx` symbols should not be visible to application code or driver code, since they are not part of the public interface of the library. However these symbols are needed to deduce whether to include library modules (for example `MBEDTLS_AES_C` has to be enabled if `MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES` is enabled), which makes it difficult to keep them private.
-
-#### Compile-time checks
-
-The header file **`library/psa_check_config.h`** applies sanity checks to the configuration, throwing `#error` if something is wrong.
-
-A mechanism similar to `mbedtls/check_config.h` detects errors such as enabling ECDSA but no curve.
-
-Since configuration symbols must be undefined or 1, any other value should trigger an `#error`.
-
-#### Automatic generation of preprocessor symbol manipulations
-
-A lot of the preprocessor symbol manipulation is systematic calculations that analyze the configuration. `mbedtls/config_psa.h` and `library/psa_check_config.h` should be generated automatically, in the same manner as `version_features.c`.
-
-### Structure of PSA Crypto library code
-
-#### Conditional inclusion of library entry points
-
-An entry point can be eliminated entirely if no algorithm requires it.
-
-#### Conditional inclusion of mechanism-specific code
-
-Code that is specific to certain key types or to certain algorithms must be guarded by the applicable symbols: `PSA_WANT_xxx` for code that is independent of the application, and `MBEDTLS_PSA_BUILTIN_xxx` for code that calls an Mbed TLS software implementation.
-
-## PSA standardization
-
-### JSON configuration mechanism
-
-At the time of writing, the preferred configuration mechanism for a PSA service is in JSON syntax. The translation from JSON to build instructions is not specified by PSA.
-
-For PSA Crypto, the preferred configuration mechanism would be similar to capability specifications of transparent drivers. The same JSON properties that are used to mean “this driver can perform that mechanism” in a driver description would be used to mean “the application wants to perform that mechanism” in the application configuration.
-
-### From JSON to C
-
-The JSON capability language allows a more fine-grained selection than the C mechanism proposed here. For example, it allows requesting only single-part mechanisms, only certain key sizes, or only certain combinations of algorithms and key types.
-
-The JSON capability language can be translated approximately to the boolean symbol mechanism proposed here. The approximation considers a feature to be enabled if any part of it is enabled. For example, if there is a capability for AES-CTR and one for CAMELLIA-GCM, the translation to boolean symbols will also include AES-GCM and CAMELLIA-CTR. If there is a capability for AES-128, the translation will also include AES-192 and AES-256.
-
-The boolean symbol mechanism proposed here can be translated to a list of JSON capabilities: for each included algorithm, include a capability with that algorithm, the key types that apply to that algorithm, no size restriction, and all the entry points that apply to that algorithm.
-
-## Open questions
-
-### Open questions about the interface
-
-#### Naming of symbols
-
-The names of [elliptic curve symbols](#configuration-symbols-for-curves) are a bit weird: `SECP_R1_256` instead of `SECP256R1`. Should we make them more classical, but less systematic?
-
-#### Impossible combinations
-
-What does it mean to have `PSA_WANT_ALG_ECDSA` enabled but with only Curve25519? Is it a mandatory error?
-
-#### Diffie-Hellman
-
-Way to request only specific groups? Not a priority: constrained devices don't do FFDH. Specify it as may change in future versions.
-
-#### Coexistence with the current Mbed TLS configuration
-
-The two mechanisms have very different designs. Is there serious potential for confusion? Do we understand how the combinations work?
-
-### Open questions about the design
-
-#### Algorithms without a key type or vice versa
-
-Is it realistic to mandate a compile-time error if a key type is required, but no matching algorithm, or vice versa? Is it always the right thing, for example if there is an opaque driver that manipulates this key type?
-
-#### Opaque-only mechanisms
-
-If a mechanism should only be supported in an opaque driver, what does the core need to know about it? Do we have all the information we need?
-
-This is especially relevant to suppress a mechanism completely if there is no matching algorithm. For example, if there is no transparent implementation of RSA or ECDSA, `psa_sign_hash` and `psa_verify_hash` may still be needed if there is an opaque signature driver.
-
-### Open questions about the implementation
-
-#### Testability
-
-Is this proposal decently testable? There are a lot of combinations. What combinations should we test?
-
-<!--
-Local Variables:
-time-stamp-line-limit: 40
-time-stamp-start: "Time-stamp: *\""
-time-stamp-end: "\""
-time-stamp-format: "%04Y/%02m/%02d %02H:%02M:%02S %Z"
-time-stamp-time-zone: "GMT"
-End:
--->

docs/proposed/psa-driver-developer-guide.md

@@ -1,45 +0,0 @@
-PSA Cryptoprocessor driver developer's guide
-============================================
-
-**This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.**
-
-This document describes how to write drivers of cryptoprocessors such as accelerators and secure elements for the PSA cryptography subsystem of Mbed TLS.
-
-This document focuses on behavior that is specific to Mbed TLS. For a reference of the interface between Mbed TLS and drivers, refer to the [PSA Cryptoprocessor Driver Interface specification](psa-driver-interface.html).
-
-The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting `MBEDTLS_PSA_CRYPTO_DRIVERS` in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when `MBEDTLS_PSA_CRYPTO_DRIVERS` is enabled.
-
-## Introduction
-
-### Purpose
-
-The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.
-
-There are two types of drivers:
-
-* **Transparent** drivers implement cryptographic operations on keys that are provided in cleartext at the beginning of each operation. They are typically used for hardware **accelerators**. When a transparent driver is available for a particular combination of parameters (cryptographic algorithm, key type and size, etc.), it is used instead of the default software implementation. Transparent drivers can also be pure software implementations that are distributed as plug-ins to a PSA Crypto implementation.
-* **Opaque** drivers implement cryptographic operations on keys that can only be used inside a protected environment such as a **secure element**, a hardware security module, a smartcard, a secure enclave, etc. An opaque driver is invoked for the specific key location that the driver is registered for: the dispatch is based on the key's lifetime.
-
-### Deliverables for a driver
-
-To write a driver, you need to implement some functions with C linkage, and to declare these functions in a **driver description file**. The driver description file declares which functions the driver implements and what cryptographic mechanisms they support. Depending on the driver type, you may also need to define some C types and macros in a header file.
-
-The concrete syntax for a driver description file is JSON. The structure of this JSON file is specified in the section [“Driver description syntax”](psa-driver-interface.html#driver-description-syntax) of the PSA cryptography driver interface specification.
-
-A driver therefore consists of:
-
-* A driver description file (in JSON format).
-* C header files defining the types required by the driver description. The names of these header files is declared in the driver description file.
-* An object file compiled for the target platform defining the functions required by the driver description. Implementations may allow drivers to be provided as source files and compiled with the core instead of being pre-compiled.
-
-## Driver C interfaces
-
-Mbed TLS calls driver entry points [as specified in the PSA Cryptography Driver Interface specification](psa-driver-interface.html#driver-entry-points) except as otherwise indicated in this section.
-
-## Building and testing your driver
-
-<!-- TODO -->
-
-## Dependencies on the Mbed TLS configuration
-
-<!-- TODO -->

docs/proposed/psa-driver-integration-guide.md

@@ -1,45 +0,0 @@
-Building Mbed TLS with PSA cryptoprocessor drivers
-==================================================
-
-**This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.**
-
-This document describes how to build Mbed TLS with additional cryptoprocessor drivers that follow the PSA cryptoprocessor driver interface.
-
-The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting `MBEDTLS_PSA_CRYPTO_DRIVERS` in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when `MBEDTLS_PSA_CRYPTO_DRIVERS` is enabled.
-
-## Introduction
-
-The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.
-
-Note that such drivers are only available through the PSA cryptography API (crypto functions beginning with `psa_`, and X.509 and TLS interfaces that reference PSA types).
-
-Concretely speaking, a driver consists of one or more **driver description files** in JSON format and some code to include in the build. The driver code can either be provided in binary form as additional object file to link, or in source form.
-
-## How to build Mbed TLS with drivers
-
-To build Mbed TLS with drivers:
-
-1. Activate `MBEDTLS_PSA_CRYPTO_DRIVERS` in the library configuration.
-
-    ```
-    cd /path/to/mbedtls
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
-    ```
-
-2. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library.
-
-    ```
-    cd /path/to/mbedtls
-    make PSA_DRIVERS="/path/to/acme/driver.json /path/to/nadir/driver.json" lib
-    ```
-
-3. Link your application with the implementation of the driver functions.
-
-    ```
-    cd /path/to/application
-    ld myapp.o -L/path/to/acme -lacmedriver -L/path/to/nadir -lnadirdriver -L/path/to/mbedtls -lmbedcrypto
-    ```
-
-<!-- TODO: what if the driver is provided as C source code? -->
-
-<!-- TODO: what about additional include files? -->

docs/proposed/psa-driver-interface.md

@@ -1,790 +0,0 @@
-PSA Cryptoprocessor Driver Interface
-====================================
-
-This document describes an interface for cryptoprocessor drivers in the PSA cryptography API. This interface complements the [PSA Cryptography API specification](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface), which describes the interface between a PSA Cryptography implementation and an application.
-
-This specification is work in progress and should be considered to be in a beta stage. There is ongoing work to implement this interface in Mbed TLS, which is the reference implementation of the PSA Cryptography API. At this stage, Arm does not expect major changes, but minor changes are expected based on experience from the first implementation and on external feedback.
-
-Time-stamp: "2020/11/24 11:03:32 GMT"
-
-## Introduction
-
-### Purpose of the driver interface
-
-The PSA Cryptography API defines an interface that allows applications to perform cryptographic operations in a uniform way regardless of how the operations are performed. Under the hood, different keys may be stored and used in different hardware or in different logical partitions, and different algorithms may involve different hardware or software components.
-
-The driver interface allows implementations of the PSA Cryptography API to be built compositionally. An implementation of the PSA Cryptography API is composed of a **core** and zero or more **drivers**. The core handles key management, enforces key usage policies, and dispatches cryptographic operations either to the applicable driver or to built-in code.
-
-Functions in the PSA Cryptography API invoke functions in the core. Code from the core calls drivers as described in the present document.
-
-### Types of drivers
-
-The PSA Cryptography driver interface supports two types of cryptoprocessors, and accordingly two types of drivers.
-
-* **Transparent** drivers implement cryptographic operations on keys that are provided in cleartext at the beginning of each operation. They are typically used for hardware **accelerators**. When a transparent driver is available for a particular combination of parameters (cryptographic algorithm, key type and size, etc.), it is used instead of the default software implementation. Transparent drivers can also be pure software implementations that are distributed as plug-ins to a PSA Cryptography implementation (for example, an alternative implementation with different performance characteristics, or a certified implementation).
-* **Opaque** drivers implement cryptographic operations on keys that can only be used inside a protected environment such as a **secure element**, a hardware security module, a smartcard, a secure enclave, etc. An opaque driver is invoked for the specific [key location](#lifetimes-and-locations) that the driver is registered for: the dispatch is based on the key's lifetime.
-
-### Requirements
-
-The present specification was designed to fulfill the following high-level requirements.
-
-[Req.plugins] It is possible to combine multiple drivers from different providers into the same implementation, without any prior arrangement other than choosing certain names and values from disjoint namespaces.
-
-[Req.compile] It is possible to compile the code of each driver and of the core separately, and link them together. A small amount of glue code may need to be compiled once the list of drivers is available.
-
-[Req.types] Support drivers for the following types of hardware: accelerators that operate on keys in cleartext; cryptoprocessors that can wrap keys with a built-in keys but not store user keys; and cryptoprocessors that store key material.
-
-[Req.portable] The interface between drivers and the core does not involve any platform-specific consideration. Driver calls are simple C function calls. Interactions with platform-specific hardware happen only inside the driver (and in fact a driver need not involve any hardware at all).
-
-[Req.location] Applications can tell which location values correspond to which secure element drivers.
-
-[Req.fallback] Accelerator drivers can specify that they do not fully support a cryptographic mechanism and that a fallback to core code may be necessary. Conversely, if an accelerator fully supports cryptographic mechanism, the core must be able to omit code for this mechanism.
-
-[Req.mechanisms] Drivers can specify which mechanisms they support. A driver's code will not be invoked for cryptographic mechanisms that it does not support.
-
-## Overview of drivers
-
-### Deliverables for a driver
-
-To write a driver, you need to implement some functions with C linkage, and to declare these functions in a **driver description file**. The driver description file declares which functions the driver implements and what cryptographic mechanisms they support. If the driver description references custom types, macros or constants, you also need to provide C header files defining those elements.
-
-The concrete syntax for a driver description file is JSON. The structure of this JSON file is specified in the section [“Driver description syntax”](#driver-description-syntax).
-
-A driver therefore consists of:
-
-* A driver description file (in JSON format).
-* C header files defining the types required by the driver description. The names of these header files are declared in the driver description file.
-* An object file compiled for the target platform defining the entry point functions specified by the driver description. Implementations may allow drivers to be provided as source files and compiled with the core instead of being pre-compiled.
-
-How to provide the driver description file, the C header files and the object code is implementation-dependent.
-
-### Driver description syntax
-
-The concrete syntax for a driver description file is JSON.
-
-#### Driver description list
-
-PSA Cryptography core implementations should support multiple drivers. The driver description files are passed to the implementation as an ordered list in an unspecified manner. This may be, for example, a list of file names passed on a command line, or a JSON list whose elements are individual driver descriptions.
-
-#### Driver description top-level element
-
-A driver description is a JSON object containing the following properties:
-
-* `"prefix"` (mandatory, string). This must be a valid prefix for a C identifier. All the types and functions provided by the driver have a name that starts with this prefix unless overridden with a `"name"` element in the applicable capability as described below.
-* `"type"` (mandatory, string). One of `"transparent"` or `"opaque"`.
-* `"headers"` (optional, array of strings). A list of header files. These header files must define the types, macros and constants referenced by the driver description. They may declare the entry point functions, but this is not required. They may include other PSA headers and standard headers of the platform. Whether they may include other headers is implementation-specific. If omitted, the list of headers is empty. The header files must be present at the specified location relative to a directory on the compiler's include path when compiling glue code between the core and the drivers.
-* `"capabilities"` (mandatory, array of [capabilities](#driver-description-capability)).
-A list of **capabilities**. Each capability describes a family of functions that the driver implements for a certain class of cryptographic mechanisms.
-* `"key_context"` (not permitted for transparent drivers, mandatory for opaque drivers): information about the [representation of keys](#key-format-for-opaque-drivers).
-* `"persistent_state_size"` (not permitted for transparent drivers, optional for opaque drivers, integer or string). The size in bytes of the [persistent state of the driver](#opaque-driver-persistent-state). This may be either a non-negative integer or a C constant expression of type `size_t`.
-* `"location"` (not permitted for transparent drivers, optional for opaque drivers, integer or string). The [location value](#lifetimes-and-locations) for which this driver is invoked. In other words, this determines the lifetimes for which the driver is invoked. This may be either a non-negative integer or a C constant expression of type `psa_key_location_t`.
-
-### Driver description capability
-
-#### Capability syntax
-
-A capability declares a family of functions that the driver implements for a certain class of cryptographic mechanisms. The capability specifies which key types and algorithms are covered and the names of the types and functions that implement it.
-
-A capability is a JSON object containing the following properties:
-
-* `"entry_points"` (mandatory, list of strings). Each element is the name of a [driver entry point](#driver-entry-points) or driver entry point family. An entry point is a function defined by the driver. If specified, the core will invoke this capability of the driver only when performing one of the specified operations. The driver must implement all the specified entry points, as well as the types if applicable.
-* `"algorithms"` (optional, list of strings). Each element is an [algorithm specification](#algorithm-specifications). If specified, the core will invoke this capability of the driver only when performing one of the specified algorithms. If omitted, the core will invoke this capability for all applicable algorithms.
-* `"key_types"` (optional, list of strings). Each element is a [key type specification](#key-type-specifications). If specified, the core will invoke this capability of the driver only for operations involving a key with one of the specified key types. If omitted, the core will invoke this capability of the driver for all applicable key types.
-* `"key_sizes"` (optional, list of integers). If specified, the core will invoke this capability of the driver only for operations involving a key with one of the specified key sizes. If omitted, the core will invoke this capability of the driver for all applicable key sizes. Key sizes are expressed in bits.
-* `"names"` (optional, object). A mapping from entry point names described by the `"entry_points"` property, to the name of the C function in the driver that implements the corresponding function. If a function is not listed here, name of the driver function that implements it is the driver's prefix followed by an underscore (`_`) followed by the function name. If this property is omitted, it is equivalent to an empty object (so each entry point *suffix* is implemented by a function called *prefix*`_`*suffix*).
-* `"fallback"` (optional for transparent drivers, not permitted for opaque drivers, boolean). If present and true, the driver may return `PSA_ERROR_NOT_SUPPORTED`, in which case the core should call another driver or use built-in code to perform this operation. If absent or false, the driver is expected to fully support the mechanisms described by this capability. See the section “[Fallback](#fallback)” for more information.
-
-#### Capability semantics
-
-When the PSA Cryptography implementation performs a cryptographic mechanism, it invokes available driver entry points as described in the section [“Driver entry points”](#driver-entry-points).
-
-A driver is considered available for a cryptographic mechanism that invokes a given entry point if all of the following conditions are met:
-
-* The driver specification includes a capability whose `"entry_points"` list either includes the entry point or includes an entry point family that includes the entry point.
-* If the mechanism involves an algorithm:
-    * either the capability does not have an `"algorithms"` property;
-    * or the value of the capability's `"algorithms"` property includes an [algorithm specification](#algorithm-specifications) that matches this algorithm.
-* If the mechanism involves a key:
-    * either the key is transparent (its location is `PSA_KEY_LOCATION_LOCAL_STORAGE`) and the driver is transparent;
-    * or the key is opaque (its location is not `PSA_KEY_LOCATION_LOCAL_STORAGE`) and the driver is an opaque driver whose location is the key's location.
-* If the mechanism involves a key:
-    * either the capability does not have a `"key_types"` property;
-    * or the value of the capability's `"key_types"` property includes a [key type specification](#key-type-specifications) that matches this algorithm.
-* If the mechanism involves a key:
-    * either the capability does not have a `"key_sizes"` property;
-    * or the value of the capability's `"key_sizes"` property includes the key's size.
-
-If a driver includes multiple applicable capabilities for a given combination of entry point, algorithm, key type and key size, and all the capabilities map the entry point to the same function name, the driver is considered available for this cryptographic mechanism. If a driver includes multiple applicable capabilities for a given combination of entry point, algorithm, key type and key size, and at least two of these capabilities map the entry point to the different function names, the driver specification is invalid.
-
-If multiple transparent drivers have applicable capabilities for a given combination of entry point, algorithm, key type and key size, the first matching driver in the [specification list](#driver-description-list) is invoked. If the capability has [fallback](#fallback) enabled and the first driver returns `PSA_ERROR_NOT_SUPPORTED`, the next matching driver is invoked, and so on.
-
-If multiple opaque drivers have the same location, the list of driver specifications is invalid.
-
-#### Capability examples
-
-Example 1: the following capability declares that the driver can perform deterministic ECDSA signatures (but not signature verification) using any hash algorithm and any curve that the core supports. If the prefix of this driver is `"acme"`, the function that performs the signature is called `acme_sign_hash`.
-```
-{
-    "entry_points": ["sign_hash"],
-    "algorithms": ["PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)"],
-}
-```
-
-Example 2: the following capability declares that the driver can perform deterministic ECDSA signatures using SHA-256 or SHA-384 with a SECP256R1 or SECP384R1 private key (with either hash being possible in combination with either curve). If the prefix of this driver is `"acme"`, the function that performs the signature is called `acme_sign_hash`.
-```
-{
-    "entry_points": ["sign_hash"],
-    "algorithms": ["PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)",
-                   "PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384)"],
-    "key_types": ["PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP_R1)"],
-    "key_sizes": [256, 384]
-}
-```
-
-### Algorithm and key specifications
-
-#### Algorithm specifications
-
-An algorithm specification is a string consisting of a `PSA_ALG_xxx` macro that specifies a cryptographic algorithm or an algorithm wildcard policy defined by the PSA Cryptography API. If the macro takes arguments, the string must have the syntax of a C macro call and each argument must be an algorithm specification or a decimal or hexadecimal literal with no suffix, depending on the expected type of argument.
-
-Spaces are optional after commas. Whether other whitespace is permitted is implementation-specific.
-
-Valid examples:
-```
-PSA_ALG_SHA_256
-PSA_ALG_HMAC(PSA_ALG_SHA_256)
-PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256))
-PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH)
-```
-
-#### Key type specifications
-
-An algorithm specification is a string consisting of a `PSA_KEY_TYPE_xxx` macro that specifies a key type defined by the PSA Cryptography API. If the macro takes an argument, the string must have the syntax of a C macro call and each argument must be the name of a constant of suitable type (curve or group).
-
-The name `_` may be used instead of a curve or group to indicate that the capability concerns all curves or groups.
-
-Valid examples:
-```
-PSA_KEY_TYPE_AES
-PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP_R1)
-PSA_KEY_TYPE_ECC_KEY_PAIR(_)
-```
-
-### Driver entry points
-
-#### Overview of driver entry points
-
-Drivers define functions, each of which implements an aspect of a capability of a driver, such as a cryptographic operation, a part of a cryptographic operation, or a key management action. These functions are called the **entry points** of the driver. Most driver entry points correspond to a particular function in the PSA Cryptography API. For example, if a call to `psa_sign_hash()` is dispatched to a driver, it invokes the driver's `sign_hash` function.
-
-All driver entry points return a status of type `psa_status_t` which should use the status codes documented for PSA services in general and for PSA Cryptography in particular: `PSA_SUCCESS` indicates that the function succeeded, and `PSA_ERROR_xxx` values indicate that an error occurred.
-
-The signature of a driver entry point generally looks like the signature of the PSA Cryptography API that it implements, with some modifications. This section gives an overview of modifications that apply to whole classes of entry points. Refer to the reference section for each entry point or entry point family for details.
-
-* For entry points that operate on an existing key, the `psa_key_id_t` parameter is replaced by a sequence of three parameters that describe the key:
-    1. `const psa_key_attributes_t *attributes`: the key attributes.
-    2. `const uint8_t *key_buffer`: a key material or key context buffer.
-    3. `size_t key_buffer_size`: the size of the key buffer in bytes.
-
-    For transparent drivers, the key buffer contains the key material, in the same format as defined for `psa_export_key()` and `psa_export_public_key()` in the PSA Cryptography API. For opaque drivers, the content of the key buffer is entirely up to the driver.
-
-* For entry points that involve a multi-part operation, the operation state type (`psa_XXX_operation_t`) is replaced by a driver-specific operation state type (*prefix*`_XXX_operation_t`).
-
-* For entry points that are involved in key creation, the `psa_key_id_t *` output parameter is replaced by a sequence of parameters that convey the key context:
-    1. `uint8_t *key_buffer`: a buffer for the key material or key context.
-    2. `size_t key_buffer_size`: the size of the key buffer in bytes.
-    2. `size_t *key_buffer_length`: the length of the data written to the key buffer in bytes.
-
-Some entry points are grouped in families that must be implemented as a whole. If a driver supports an entry point family, it must provide all the entry points in the family.
-
-#### General considerations on driver entry point parameters
-
-Buffer parameters for driver entry points obey the following conventions:
-
-* An input buffer has the type `const uint8_t *` and is immediately followed by a parameter of type `size_t` that indicates the buffer size.
-* An output buffer has the type `uint8_t *` and is immediately followed by a parameter of type `size_t` that indicates the buffer size. A third parameter of type `size_t *` is provided to report the actual length of the data written in the buffer if the function succeeds.
-* An in-out buffer has the type `uint8_t *` and is immediately followed by a parameter of type `size_t` that indicates the buffer size. In-out buffers are only used when the input and the output have the same length.
-
-Buffers of size 0 may be represented with either a null pointer or a non-null pointer.
-
-Input buffers and other input-only parameters (`const` pointers) may be in read-only memory. Overlap is possible between input buffers, and between an input buffer and an output buffer, but not between two output buffers or between a non-buffer parameter and another parameter.
-
-#### Driver entry points for single-part cryptographic operations
-
-The following driver entry points perform a cryptographic operation in one shot (single-part operation):
-
-* `"hash_compute"` (transparent drivers only): calculation of a hash. Called by `psa_hash_compute()` and `psa_hash_compare()`. To verify a hash with `psa_hash_compare()`, the core calls the driver's `"hash_compute"` entry point and compares the result with the reference hash value.
-* `"mac_compute"`: calculation of a MAC. Called by `psa_mac_compute()` and possibly `psa_mac_verify()`. To verify a mac with `psa_mac_verify()`, the core calls an applicable driver's `"mac_verify"` entry point if there is one, otherwise the core calls an applicable driver's `"mac_compute"` entry point and compares the result with the reference MAC value.
-* `"mac_verify"`: verification of a MAC. Called by `psa_mac_verify()`. This entry point is mainly useful for drivers of secure elements that verify a MAC without revealing the correct MAC. Although transparent drivers may implement this entry point in addition to `"mac_compute"`, it is generally not useful because the core can call the `"mac_compute"` entry point and compare with the expected MAC value.
-* `"cipher_encrypt"`: unauthenticated symmetric cipher encryption. Called by `psa_cipher_encrypt()`.
-* `"cipher_decrypt"`: unauthenticated symmetric cipher decryption. Called by `psa_cipher_decrypt()`.
-* `"aead_encrypt"`: authenticated encryption with associated data. Called by `psa_aead_encrypt()`.
-* `"aead_decrypt"`: authenticated decryption with associated data. Called by `psa_aead_decrypt()`.
-* `"asymmetric_encrypt"`: asymmetric encryption. Called by `psa_asymmetric_encrypt()`.
-* `"asymmetric_decrypt"`: asymmetric decryption. Called by `psa_asymmetric_decrypt()`.
-* `"sign_hash"`: signature of an already calculated hash. Called by `psa_sign_hash()` and possibly `psa_sign_message()`. To sign a message with `psa_sign_message()`, the core calls an applicable driver's `"sign_message"` entry point if there is one, otherwise the core calls an applicable driver's `"hash_compute"` entry point followed by an applicable driver's `"sign_hash"` entry point.
-* `"verify_hash"`: verification of an already calculated hash. Called by `psa_verify_hash()` and possibly `psa_verify_message()`. To verify a message with `psa_verify_message()`, the core calls an applicable driver's `"verify_message"` entry point if there is one, otherwise the core calls an applicable driver's `"hash_compute"` entry point followed by an applicable driver's `"verify_hash"` entry point.
-* `"sign_message"`: signature of a message. Called by `psa_sign_message()`.
-* `"verify_message"`: verification of a message. Called by `psa_verify_message()`.
-* `"key_agreement"`: key agreement without a subsequent key derivation. Called by `psa_raw_key_agreement()` and possibly `psa_key_derivation_key_agreement()`.
-
-### Driver entry points for multi-part operations
-
-#### General considerations on multi-part operations
-
-The entry points that implement each step of a multi-part operation are grouped into a family. A driver that implements a multi-part operation must define all of the entry points in this family as well as a type that represents the operation context. The lifecycle of a driver operation context is similar to the lifecycle of an API operation context:
-
-1. The core initializes operation context objects to either all-bits-zero or to logical zero (`{0}`), at its discretion.
-1. The core calls the `xxx_setup` entry point for this operation family. If this fails, the core destroys the operation context object without calling any other driver entry point on it.
-1. The core calls other entry points that manipulate the operation context object, respecting the constraints.
-1. If any entry point fails, the core calls the driver's `xxx_abort` entry point for this operation family, then destroys the operation context object without calling any other driver entry point on it.
-1. If a “finish” entry point fails, the core destroys the operation context object without calling any other driver entry point on it. The finish entry points are: *prefix*`_mac_sign_finish`, *prefix*`_mac_verify_finish`, *prefix*`_cipher_fnish`, *prefix*`_aead_finish`, *prefix*`_aead_verify`.
-
-If a driver implements a multi-part operation but not the corresponding single-part operation, the core calls the driver's multipart operation entry points to perform the single-part operation.
-
-#### Multi-part operation entry point family `"hash_multipart"`
-
-This family corresponds to the calculation of a hash in multiple steps.
-
-This family applies to transparent drivers only.
-
-This family requires the following type and entry points:
-
-* Type `"hash_operation_t"`: the type of a hash operation context. It must be possible to copy a hash operation context byte by byte, therefore hash operation contexts must not contain any embedded pointers (except pointers to global data that do not change after the setup step).
-* `"hash_setup"`: called by `psa_hash_setup()`.
-* `"hash_update"`: called by `psa_hash_update()`.
-* `"hash_finish"`: called by `psa_hash_finish()` and `psa_hash_verify()`.
-* `"hash_abort"`: called by all multi-part hash functions of the PSA Cryptography API.
-
-To verify a hash with `psa_hash_verify()`, the core calls the driver's *prefix*`_hash_finish` entry point and compares the result with the reference hash value.
-
-For example, a driver with the prefix `"acme"` that implements the `"hash_multipart"` entry point family must define the following type and entry points (assuming that the capability does not use the `"names"` property to declare different type and entry point names):
-
-```
-typedef ... acme_hash_operation_t;
-psa_status_t acme_hash_setup(acme_hash_operation_t *operation,
-                             psa_algorithm_t alg);
-psa_status_t acme_hash_update(acme_hash_operation_t *operation,
-                              const uint8_t *input,
-                              size_t input_length);
-psa_status_t acme_hash_finish(acme_hash_operation_t *operation,
-                              uint8_t *hash,
-                              size_t hash_size,
-                              size_t *hash_length);
-psa_status_t acme_hash_abort(acme_hash_operation_t *operation);
-```
-
-#### Operation family `"mac_multipart"`
-
-TODO
-
-#### Operation family `"mac_verify_multipart"`
-
-TODO
-
-#### Operation family `"cipher_encrypt_multipart"`
-
-TODO
-
-#### Operation family `"cipher_decrypt_multipart"`
-
-TODO
-
-#### Operation family `"aead_encrypt_multipart"`
-
-TODO
-
-#### Operation family `"aead_decrypt_multipart"`
-
-TODO
-
-#### Operation family `"key_derivation"`
-
-This family requires the following type and entry points:
-
-* Type `"key_derivation_operation_t"`: the type of a key derivation operation context.
-* `"key_derivation_setup"`: called by `psa_key_derivation_setup()`.
-* `"key_derivation_set_capacity"`: called by `psa_key_derivation_set_capacity()`. The core will always enforce the capacity, therefore this function does not need to do anything for algorithms where the output stream only depends on the effective generated length and not on the capacity.
-* `"key_derivation_input_bytes"`: called by `psa_key_derivation_input_bytes()` and `psa_key_derivation_input_key()`. For transparent drivers, when processing a call to `psa_key_derivation_input_key()`, the core always calls the applicable driver's `"key_derivation_input_bytes"` entry point.
-* `"key_derivation_input_key"` (opaque drivers only)
-* `"key_derivation_output_bytes"`: called by `psa_key_derivation_output_bytes()`; also by `psa_key_derivation_output_key()` for transparent drivers.
-* `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()` for transparent drivers when deriving an asymmetric key pair, and also for opaque drivers.
-* `"key_derivation_abort"`: called by all key derivation functions of the PSA Cryptography API.
-
-TODO: key input and output for opaque drivers; deterministic key generation for transparent drivers
-
-TODO
-
-### Driver entry points for key management
-
-The driver entry points for key management differ significantly between [transparent drivers](#key-management-with-transparent-drivers) and [opaque drivers](#key-management-with-opaque-drivers). This section describes common elements. Refer to the applicable section for each driver type for more information.
-
-The entry points that create or format key data have the following prototypes for a driver with the prefix `"acme"`:
-
-```
-psa_status_t acme_import_key(const psa_key_attributes_t *attributes,
-                             const uint8_t *data,
-                             size_t data_length,
-                             uint8_t *key_buffer,
-                             size_t key_buffer_size,
-                             size_t *key_buffer_length,
-                             size_t *bits); // additional parameter, see below
-psa_status_t acme_generate_key(const psa_key_attributes_t *attributes,
-                               uint8_t *key_buffer,
-                               size_t key_buffer_size,
-                               size_t *key_buffer_length);
-```
-
-TODO: derivation, copy
-
-* The key attributes (`attributes`) have the same semantics as in the PSA Cryptography application interface.
-* For the `"import_key"` entry point, the input in the `data` buffer is either the export format or an implementation-specific format that the core documents as an acceptable input format for `psa_import_key()`.
-* The size of the key data buffer `key_buffer` is sufficient for the internal representation of the key. For a transparent driver, this is the key's [export format](#key-format-for-transparent-drivers). For an opaque driver, this is the size determined from the driver description and the key attributes, as specified in the section [“Key format for opaque drivers”](#key-format-for-opaque-drivers).
-* For an opaque driver with an `"allocate_key"` entry point, the content of the key data buffer on entry is the output of that entry point.
-* The `"import_key"` entry point must determine or validate the key size and set `*bits` as described in the section [“Key size determination on import”](#key-size-determination-on-import) below.
-
-All key creation entry points must ensure that the resulting key is valid as specified in the section [“Key validation”](#key-validation) below. This is primarily important for import entry points since the key data comes from the application.
-
-#### Key size determination on import
-
-The `"import_key"` entry point must determine or validate the key size.
-The PSA Cryptography API exposes the key size as part of the key attributes.
-When importing a key, the key size recorded in the key attributes can be either a size specified by the caller of the API (who may not be trusted), or `0` which indicates that the size must be calculated from the data.
-
-When the core calls the `"import_key"` entry point to process a call to `psa_import_key`, it passes an `attributes` structure such that `psa_get_key_bits(attributes)` is the size passed by the caller of `psa_import_key`. If this size is `0`, the `"import_key"` entry point must set the `bits` input-output parameter to the correct key size. The semantics of `bits` is as follows:
-
-* The core sets `*bits` to `psa_get_key_bits(attributes)` before calling the `"import_key"` entry point.
-* If `*bits == 0`, the driver must determine the key size from the data and set `*bits` to this size. If the key size cannot be determined from the data, the driver must return `PSA_ERROR_INVALID_ARGUMENT` (as of version 1.0 of the PSA Cryptography API specification, it is possible to determine the key size for all standard key types).
-* If `*bits != 0`, the driver must check the value of `*bits` against the data and return `PSA_ERROR_INVALID_ARGUMENT` if it does not match. If the driver entry point changes `*bits` to a different value but returns `PSA_SUCCESS`, the core will consider the key as invalid and the import will fail.
-
-#### Key validation
-
-Key creation entry points must produce valid key data. Key data is _valid_ if operations involving the key are guaranteed to work functionally and not to cause indirect security loss. Operation functions are supposed to receive valid keys, and should not have to check and report invalid keys. For example:
-
-* If a cryptographic mechanism is defined as having keying material of a certain size, or if the keying material involves integers that have to be in a certain range, key creation must ensure that the keying material has an appropriate size and falls within an appropriate range.
-* If a cryptographic operation involves a division by an integer which is provided as part of a key, key creation must ensure that this integer is nonzero.
-* If a cryptographic operation involves two keys A and B (or more), then the creation of A must ensure that using it does not risk compromising B. This applies even if A's policy does not explicitly allow a problematic operation, but A is exportable. In particular, public keys that can potentially be used for key agreement are considered invalid and must not be created if they risk compromising the private key.
-* On the other hand, it is acceptable for import to accept a key that cannot be verified as valid if using this key would at most compromise the key itself and material that is secured with this key. For example, RSA key import does not need to verify that the primes are actually prime. Key import may accept an insecure key if the consequences of the insecurity are no worse than a leak of the key prior to its import.
-
-With opaque drivers, the key context can only be used by code from the same driver, so key validity is primarily intended to report key creation errors at creation time rather than during an operation. With transparent drivers, the key context can potentially be used by code from a different provider, so key validity is critical for interoperability.
-
-This section describes some minimal validity requirements for standard key types.
-
-* For symmetric key types, check that the key size is suitable for the type.
-* For DES (`PSA_KEY_TYPE_DES`), additionally verify the parity bits.
-* For RSA (`PSA_KEY_TYPE_RSA_PUBLIC_KEY`, `PSA_KEY_TYPE_RSA_KEY_PAIR`), check the syntax of the key and make sanity checks on its components. TODO: what sanity checks? Value ranges (e.g. p < n), sanity checks such as parity, minimum and maximum size, what else?
-* For elliptic curve private keys (`PSA_KEY_TYPE_ECC_KEY_PAIR`), check the size and range. TODO: what else?
-* For elliptic curve public keys (`PSA_KEY_TYPE_ECC_PUBLIC_KEY`), check the size and range, and that the point is on the curve. TODO: what else?
-
-### Miscellaneous driver entry points
-
-#### Driver initialization
-
-A driver may declare an `"init"` entry point in a capability with no algorithm, key type or key size. If so, the core calls this entry point once during the initialization of the PSA Cryptography subsystem. If the init entry point of any driver fails, the initialization of the PSA Cryptography subsystem fails.
-
-When multiple drivers have an init entry point, the order in which they are called is unspecified. It is also unspecified whether other drivers' `"init"` entry points are called if one or more init entry point fails.
-
-On platforms where the PSA Cryptography implementation is a subsystem of a single application, the initialization of the PSA Cryptography subsystem takes place during the call to `psa_crypto_init()`. On platforms where the PSA Cryptography implementation is separate from the application or applications, the initialization of the PSA Cryptography subsystem takes place before or during the first time an application calls `psa_crypto_init()`.
-
-The init entry point does not take any parameter.
-
-### Combining multiple drivers
-
-To declare a cryptoprocessor can handle both cleartext and wrapped keys, you need to provide two driver descriptions, one for a transparent driver and one for an opaque driver. You can use the mapping in capabilities' `"names"` property to arrange for multiple driver entry points to map to the same C function.
-
-## Transparent drivers
-
-### Key format for transparent drivers
-
-The format of a key for transparent drivers is the same as in applications. Refer to the documentation of [`psa_export_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key) and [`psa_export_public_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_public_key) in the PSA Cryptography API specification. For custom key types defined by an implementation, refer to the documentation of that implementation.
-
-### Key management with transparent drivers
-
-Transparent drivers may provide the following key management entry points:
-
-* [`"import_key"`](#key-import-with-transparent-drivers): called by `psa_import_key()`, only when importing a key pair or a public key (key such that `PSA_KEY_TYPE_IS_ASYMMETRIC` is true).
-* `"generate_key"`: called by `psa_generate_key()`, only when generating a key pair (key such that `PSA_KEY_TYPE_IS_KEY_PAIR` is true).
-* `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()`, only when deriving a key pair (key such that `PSA_KEY_TYPE_IS_KEY_PAIR` is true).
-* `"export_public_key"`: called by the core to obtain the public key of a key pair. The core may call this function at any time to obtain the public key, which can be for `psa_export_public_key()` but also at other times, including during a cryptographic operation that requires the public key such as a call to `psa_verify_message()` on a key pair object.
-
-Transparent drivers are not involved when exporting, copying or destroying keys, or when importing, generating or deriving symmetric keys.
-
-#### Key import with transparent drivers
-
-As discussed in [the general section about key management entry points](#driver-entry-points-for-key-management), the key import entry points has the following prototype for a driver with the prefix `"acme"`:
-```
-psa_status_t acme_import_key(const psa_key_attributes_t *attributes,
-                             const uint8_t *data,
-                             size_t data_length,
-                             uint8_t *key_buffer,
-                             size_t key_buffer_size,
-                             size_t *key_buffer_length,
-                             size_t *bits);
-```
-
-This entry point has several roles:
-
-1. Parse the key data in the input buffer `data`. The driver must support the export format for the key types that the entry point is declared for. It may support additional formats as specified in the description of [`psa_import_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key) in the PSA Cryptography API specification.
-2. Validate the key data. The necessary validation is described in the section [“Key validation with transparent drivers”](#key-validation-with-transparent-drivers) above.
-3. [Determine the key size](#key-size-determination-on-import) and output it through `*bits`.
-4. Copy the validated key data from `data` to `key_buffer`. The output must be in the canonical format documented for [`psa_export_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key) or [`psa_export_public_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_public_key), so if the input is not in this format, the entry point must convert it.
-
-### Fallback
-
-Sometimes cryptographic accelerators only support certain cryptographic mechanisms partially. The capability description language allows specifying some restrictions, including restrictions on key sizes, but it cannot cover all the possibilities that may arise in practice. Furthermore, it may be desirable to deploy the same binary image on different devices, only some of which have a cryptographic accelerators.
-For these purposes, a transparent driver can declare that it only supports a [capability](#driver-description-capability) partially, by setting the capability's `"fallback"` property to true.
-
-If a transparent driver entry point is part of a capability which has a true `"fallback"` property and returns `PSA_ERROR_NOT_SUPPORTED`, the core will call the next transparent driver that supports the mechanism, if there is one. The core considers drivers in the order given by the [driver description list](#driver-description-list).
-
-If all the available drivers have fallback enabled and return `PSA_ERROR_NOT_SUPPORTED`, the core will perform the operation using built-in code.
-As soon as a driver returns any value other than `PSA_ERROR_NOT_SUPPORTED` (`PSA_SUCCESS` or a different error code), this value is returned to the application, without attempting to call any other driver or built-in code.
-
-If a transparent driver entry point is part of a capability where the `"fallback"` property is false or omitted, the core should not include any other code for this capability, whether built in or in another transparent driver.
-
-## Opaque drivers
-
-Opaque drivers allow a PSA Cryptography implementation to delegate cryptographic operations to a separate environment that might not allow exporting key material in cleartext. The opaque driver interface is designed so that the core never inspects the representation of a key. The opaque driver interface is designed to support two subtypes of cryptoprocessors:
-
-* Some cryptoprocessors do not have persistent storage for individual keys. The representation of a key is the key material wrapped with a master key which is located in the cryptoprocessor and never exported from it. The core stores this wrapped key material on behalf of the cryptoprocessor.
-* Some cryptoprocessors have persistent storage for individual keys. The representation of a key is an identifier such as label or slot number. The core stores this identifier.
-
-### Key format for opaque drivers
-
-The format of a key for opaque drivers is an opaque blob. The content of this blob is fully up to the driver. The core merely stores this blob.
-
-Note that since the core stores the key context blob as it is in memory, it must only contain data that is meaningful after a reboot. In particular, it must not contain any pointers or transient handles.
-
-The `"key_context"` property in the [driver description](#driver-description-top-level-element) specifies how to calculate the size of the key context as a function of the key type and size. This is an object with the following properties:
-
-* `"base_size"` (integer or string, optional): this many bytes are included in every key context. If omitted, this value defaults to 0.
-* `"key_pair_size"` (integer or string, optional): this many bytes are included in every key context for a key pair. If omitted, this value defaults to 0.
-* `"public_key_size"` (integer or string, optional): this many bytes are included in every key context for a public key. If omitted, this value defaults to 0.
-* `"symmetric_factor"` (integer or string, optional): every key context for a symmetric key includes this many times the key size. If omitted, this value defaults to 0.
-* `"store_public_key"` (boolean, optional): If specified and true, for a key pair, the key context includes space for the public key. If omitted or false, no additional space is added for the public key.
-* `"size_function"` (string, optional): the name of a function that returns the number of bytes that the driver needs in a key context for a key. This may be a pointer to function. This must be a C identifier; more complex expressions are not permitted. If the core uses this function, it supersedes all the other properties.
-
-The integer properties must be C language constants. A typical value for `"base_size"` is `sizeof(acme_key_context_t)` where `acme_key_context_t` is a type defined in a driver header file.
-
-#### Size of a dynamically allocated key context
-
-If the core supports dynamic allocation for the key context and chooses to use it, and the driver specification includes the `"size_function"` property, the size of the key context is at least
-```
-size_function(key_type, key_bits)
-```
-where `size_function` is the function named in the `"size_function"` property, `key_type` is the key type and `key_bits` is the key size in bits. The prototype of the size function is
-```
-size_t size_function(psa_key_type_t key_type, size_t key_bits);
-```
-
-#### Size of a statically allocated key context
-
-If the core does not support dynamic allocation for the key context or chooses not to use it, or if the driver specification does not include the `"size_function"` property, the size of the key context for a key of type `key_type` and of size `key_bits` bits is:
-
-* For a key pair (`PSA_KEY_TYPE_IS_KEY_PAIR(key_type)` is true):
-    ```
-    base_size + key_pair_size + public_key_overhead
-    ```
-    where `public_key_overhead = PSA_EXPORT_PUBLIC_KEY_MAX_SIZE(key_type, key_bits)` if the `"store_public_key"` property is true and `public_key_overhead = 0` otherwise.
-
-* For a public key (`PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)` is true):
-    ```
-    base_size + public_key_size
-    ```
-
-* For a symmetric key (not a key pair or public key):
-    ```
-    base_size + symmetric_factor * key_bytes
-    ```
-    where `key_bytes = ((key_bits + 7) / 8)` is the key size in bytes.
-
-#### Key context size for a secure element with storage
-
-If the key is stored in the secure element and the driver only needs to store a label for the key, use `"base_size"` as the size of the label plus any other metadata that the driver needs to store, and omit the other properties.
-
-If the key is stored in the secure element, but the secure element does not store the public part of a key pair and cannot recompute it on demand, additionally use the `"store_public_key"` property with the value `true`. Note that this only influences the size of the key context: the driver code must copy the public key to the key context and retrieve it on demand in its `export_public_key` entry point.
-
-#### Key context size for a secure element without storage
-
-If the key is stored in wrapped form outside the secure element, and the wrapped form of the key plus any metadata has up to *N* bytes of overhead, use *N* as the value of the `"base_size"` property and set the `"symmetric_factor"` property to 1. Set the `"key_pair_size"` and `"public_key_size"` properties appropriately for the largest supported key pair and the largest supported public key respectively.
-
-### Key management with opaque drivers
-
-Opaque drivers may provide the following key management entry points:
-
-* `"export_key"`: called by `psa_export_key()`, or by `psa_copy_key()` when copying a key from or to a different [location](#lifetimes-and-locations).
-* `"export_public_key"`: called by the core to obtain the public key of a key pair. The core may call this entry point at any time to obtain the public key, which can be for `psa_export_public_key()` but also at other times, including during a cryptographic operation that requires the public key such as a call to `psa_verify_message()` on a key pair object.
-* `"import_key"`: called by `psa_import_key()`, or by `psa_copy_key()` when copying a key from another location.
-* `"generate_key"`: called by `psa_generate_key()`.
-* `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()`.
-* `"copy_key"`: called by `psa_copy_key()` when copying a key within the same [location](#lifetimes-and-locations).
-
-In addition, secure elements that store the key material internally must provide the following two entry points:
-
-* `"allocate_key"`: called by `psa_import_key()`, `psa_generate_key()`, `psa_key_derivation_output_key()` or `psa_copy_key()` before creating a key in the location of this driver.
-* `"destroy_key"`: called by `psa_destroy_key()`.
-
-#### Key creation in a secure element without storage
-
-This section describes the key creation process for secure elements that do not store the key material. The driver must obtain a wrapped form of the key material which the core will store. A driver for such a secure element has no `"allocate_key"` or `"destroy_key"` entry point.
-
-When creating a key with an opaque driver which does not have an `"allocate_key"` or `"destroy_key"` entry point:
-
-1. The core allocates memory for the key context.
-2. The core calls the driver's import, generate, derive or copy entry point.
-3. The core saves the resulting wrapped key material and any other data that the key context may contain.
-
-To destroy a key, the core simply destroys the wrapped key material, without invoking driver code.
-
-#### Key management in a secure element with storage
-
-This section describes the key creation and key destruction processes for secure elements that have persistent storage for the key material. A driver for such a secure element has two mandatory entry points:
-
-* `"allocate_key"`: this function obtains an internal identifier for the key. This may be, for example, a unique label or a slot number.
-* `"destroy_key"`: this function invalidates the internal identifier and destroys the associated key material.
-
-These functions have the following prototypes for a driver with the prefix `"acme"`:
-```
-psa_status_t acme_allocate_key(const psa_key_attributes_t *attributes,
-                               uint8_t *key_buffer,
-                               size_t key_buffer_size);
-psa_status_t acme_destroy_key(const psa_key_attributes_t *attributes,
-                              const uint8_t *key_buffer,
-                              size_t key_buffer_size);
-```
-
-When creating a persistent key with an opaque driver which has an `"allocate_key"` entry point:
-
-1. The core calls the driver's `"allocate_key"` entry point. This function typically allocates an internal identifier for the key without modifying the state of the secure element and stores the identifier in the key context. This function should not modify the state of the secure element. It may modify the copy of the persistent state of the driver in memory.
-
-1. The core saves the key context to persistent storage.
-
-1. The core calls the driver's key creation entry point.
-
-1. The core saves the updated key context to persistent storage.
-
-If a failure occurs after the `"allocate_key"` step but before the call to the second driver entry point, the core will do one of the following:
-
-* Fail the creation of the key without indicating this to the driver. This can happen, in particular, if the device loses power immediately after the key allocation entry point returns.
-* Call the driver's `"destroy_key"` entry point.
-
-To destroy a key, the core calls the driver's `"destroy_key"` entry point.
-
-Note that the key allocation and destruction entry points must not rely solely on the key identifier in the key attributes to identify a key. Some implementations of the PSA Cryptography API store keys on behalf of multiple clients, and different clients may use the same key identifier to designate different keys. The manner in which the core distinguishes keys that have the same identifier but are part of the key namespace for different clients is implementation-dependent and is not accessible to drivers. Some typical strategies to allocate an internal key identifier are:
-
-* Maintain a set of free slot numbers which is stored either in the secure element or in the driver's persistent storage. To allocate a key slot, find a free slot number, mark it as occupied and store the number in the key context. When the key is destroyed, mark the slot number as free.
-* Maintain a monotonic counter with a practically unbounded range in the secure element or in the driver's persistent storage. To allocate a key slot, increment the counter and store the current value in the key context. Destroying a key does not change the counter.
-
-TODO: explain constraints on how the driver updates its persistent state for resilience
-
-TODO: some of the above doesn't apply to volatile keys
-
-#### Key creation entry points in opaque drivers
-
-The key creation entry points have the following prototypes for a driver with the prefix `"acme"`:
-
-```
-psa_status_t acme_import_key(const psa_key_attributes_t *attributes,
-                             const uint8_t *data,
-                             size_t data_length,
-                             uint8_t *key_buffer,
-                             size_t key_buffer_size,
-                             size_t *key_buffer_length,
-                             size_t *bits);
-psa_status_t acme_generate_key(const psa_key_attributes_t *attributes,
-                               uint8_t *key_buffer,
-                               size_t key_buffer_size,
-                               size_t *key_buffer_length);
-```
-
-If the driver has an [`"allocate_key"` entry point](#key-management-in-a-secure-element-with-storage), the core calls the `"allocate_key"` entry point with the same attributes on the same key buffer before calling the key creation entry point.
-
-TODO: derivation, copy
-
-#### Key export entry points in opaque drivers
-
-The key export entry points have the following prototypes for a driver with the prefix `"acme"`:
-
-```
-psa_status_t acme_export_key(const psa_key_attributes_t *attributes,
-                             const uint8_t *key_buffer,
-                             size_t key_buffer_size,
-                             uint8_t *data,
-                             size_t data_size,
-                             size_t *data_length);
-psa_status_t acme_export_public_key(const psa_key_attributes_t *attributes,
-                                    const uint8_t *key_buffer,
-                                    size_t key_buffer_size,
-                                    uint8_t *data,
-                                    size_t data_size,
-                                    size_t *data_length);
-```
-
-The core will only call `acme_export_public_key` on a private key. Drivers implementers may choose to store the public key in the key context buffer or to recalculate it on demand. If the key context includes the public key, it needs to have an adequate size; see [“Key format for opaque drivers”](#key-format-for-opaque-drivers).
-
-The core guarantees that the size of the output buffer (`data_size`) is sufficient to export any key with the given attributes. The driver must set `*data_length` to the exact size of the exported key.
-
-### Opaque driver persistent state
-
-The core maintains persistent state on behalf of an opaque driver. This persistent state consists of a single byte array whose size is given by the `"persistent_state_size"` property in the [driver description](#driver-description-top-level-element).
-
-The core loads the persistent state in memory before it calls the driver's [init entry point](#driver-initialization). It is adjusted to match the size declared by the driver, in case a driver upgrade changes the size:
-
-* The first time the driver is loaded on a system, the persistent state is all-bits-zero.
-* If the stored persistent state is smaller than the declared size, the core pads the persistent state with all-bits-zero at the end.
-* If the stored persistent state is larger than the declared size, the core truncates the persistent state to the declared size.
-
-The core provides the following callback functions, which an opaque driver may call while it is processing a call from the driver:
-```
-psa_status_t psa_crypto_driver_get_persistent_state(uint_8_t **persistent_state_ptr);
-psa_status_t psa_crypto_driver_commit_persistent_state(size_t from, size_t length);
-```
-
-`psa_crypto_driver_get_persistent_state` sets `*persistent_state_ptr` to a pointer to the first byte of the persistent state. This pointer remains valid during a call to a driver entry point. Once the entry point returns, the pointer is no longer valid. The core guarantees that calls to `psa_crypto_driver_get_persistent_state` within the same entry point return the same address for the persistent state, but this address may change between calls to an entry point.
-
-`psa_crypto_driver_commit_persistent_state` updates the persistent state in persistent storage. Only the portion at byte offsets `from` inclusive to `from + length` exclusive is guaranteed to be updated; it is unspecified whether changes made to other parts of the state are taken into account. The driver must call this function after updating the persistent state in memory and before returning from the entry point, otherwise it is unspecified whether the persistent state is updated.
-
-The core will not update the persistent state in storage while an entry point is running except when the entry point calls `psa_crypto_driver_commit_persistent_state`. It may update the persistent state in storage after an entry point returns.
-
-In a multithreaded environment, the driver may only call these two functions from the thread that is executing the entry point.
-
-## How to use drivers from an application
-
-### Using transparent drivers
-
-Transparent drivers linked into the library are automatically used for the mechanisms that they implement.
-
-### Using opaque drivers
-
-Each opaque driver is assigned a [location](#lifetimes-and-locations). The driver is invoked for all actions that use a key in that location. A key's location is indicated by its lifetime. The application chooses the key's lifetime when it creates the key.
-
-For example, the following snippet creates an AES-GCM key which is only accessible inside the secure element designated by the location `PSA_KEY_LOCATION_acme`.
-```
-psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-        PSA_KEY_PERSISTENCE_DEFAULT, PSA_KEY_LOCATION_acme));
-psa_set_key_identifer(&attributes, 42);
-psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
-psa_set_key_size(&attributes, 128);
-psa_set_key_algorithm(&attributes, PSA_ALG_GCM);
-psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
-psa_key_id_t key;
-psa_generate_key(&attributes, &key);
-```
-
-## Using opaque drivers from an application
-
-### Lifetimes and locations
-
-The PSA Cryptography API, version 1.0.0, defines [lifetimes](https://armmbed.github.io/mbed-crypto/html/api/keys/attributes.html?highlight=psa_key_lifetime_t#c.psa_key_lifetime_t) as an attribute of a key that indicates where the key is stored and which application and system actions will create and destroy it. The lifetime is expressed as a 32-bit value (`typedef uint32_t psa_key_lifetime_t`). An upcoming version of the PSA Cryptography API defines more structure for lifetime values to separate these two aspects of the lifetime:
-
-* Bits 0–7 are a _persistence level_. This value indicates what device management actions can cause it to be destroyed. In particular, it indicates whether the key is volatile or persistent.
-* Bits 8–31 are a _location indicator_. This value indicates where the key material is stored and where operations on the key are performed. Location values can be stored in a variable of type `psa_key_location_t`.
-
-An opaque driver is attached to a specific location. Keys in the default location (`PSA_KEY_LOCATION_LOCAL_STORAGE = 0`) are transparent: the core has direct access to the key material. For keys in a location that is managed by an opaque driver, only the secure element has access to the key material and can perform operations on the key, while the core only manipulates a wrapped form of the key or an identifier of the key.
-
-### Creating a key in a secure element
-
-The core defines a compile-time constant for each opaque driver indicating its location called `PSA_KEY_LOCATION_`*prefix* where *prefix* is the value of the `"prefix"` property in the driver description. For convenience, Mbed TLS also declares a compile-time constant for the corresponding lifetime with the default persistence called `PSA_KEY_LIFETIME_`*prefix*. Therefore, to declare an opaque key in the location with the prefix `foo` with the default persistence, call `psa_set_key_lifetime` during the key creation as follows:
-```
-psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_foo);
-```
-
-To declare a volatile key:
-```
-psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-        PSA_KEY_LOCATION_foo,
-        PSA_KEY_PERSISTENCE_VOLATILE));
-```
-
-Generally speaking, to declare a key with a specified persistence:
-```
-psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-        PSA_KEY_LOCATION_foo,
-        persistence));
-```
-
-## Open questions
-
-### Driver declarations
-
-#### Declaring driver entry points
-
-The core may want to provide declarations for the driver entry points so that it can compile code using them. At the time of writing this paragraph, the driver headers must define types but there is no obligation for them to declare functions. The core knows what the function names and argument types are, so it can generate prototypes.
-
-It should be ok for driver functions to be function-like macros or function pointers.
-
-#### Driver location values
-
-How does a driver author decide which location values to use? It should be possible to combine drivers from different sources. Use the same vendor assignment as for PSA services?
-
-Can the driver assembly process generate distinct location values as needed? This can be convenient, but it's also risky: if you upgrade a device, you need the location values to be the same between builds.
-
-The current plan is for Arm to maintain a registry of vendors and assign a location namespace to each vendor. Parts of the namespace would be reserved for implementations and integrators.
-
-#### Multiple transparent drivers
-
-When multiple transparent drivers implement the same mechanism, which one is called? The first one? The last one? Unspecified? Or is this an error (excluding capabilities with fallback enabled)?
-
-The current choice is that the first one is used, which allows having a preference order on drivers, but may mask integration errors.
-
-### Driver function interfaces
-
-#### Driver function parameter conventions
-
-Should 0-size buffers be guaranteed to have a non-null pointers?
-
-Should drivers really have to cope with overlap?
-
-Should the core guarantee that the output buffer size has the size indicated by the applicable buffer size macro (which may be an overestimation)?
-
-### Partial computations in drivers
-
-#### Substitution points
-
-Earlier drafts of the driver interface had a concept of _substitution points_: places in the calculation where a driver may be called. Some hardware doesn't do the whole calculation, but only the “main” part. This goes both for transparent and opaque drivers. Some common examples:
-
-* A processor that performs the RSA exponentiation, but not the padding. The driver should be able to leverage the padding code in the core.
-* A processor that performs a block cipher operation only for a single block, or only in ECB mode, or only in CTR mode. The core would perform the block mode (CBC, CTR, CCM, ...).
-
-This concept, or some other way to reuse portable code such as specifying inner functions like `psa_rsa_pad` in the core, should be added to the specification.
-
-### Key management
-
-#### Mixing drivers in key derivation
-
-How does `psa_key_derivation_output_key` work when the extraction part and the expansion part use different drivers?
-
-#### Public key calculation
-
-ECC key pairs are represented as the private key value only. The public key needs to be calculated from that. Both transparent drivers and opaque drivers provide a function to calculate the public key (`"export_public_key"`).
-
-The specification doesn't mention when the public key might be calculated. The core may calculate it on creation, on demand, or anything in between. Opaque drivers have a choice of storing the public key in the key context or calculating it on demand and can convey whether the core should store the public key with the `"store_public_key"` property. Is this good enough or should the specification include non-functional requirements?
-
-#### Symmetric key validation with transparent drivers
-
-Should the entry point be called for symmetric keys as well?
-
-#### Support for custom import formats
-
-[“Driver entry points for key management”](#driver-entry-points-for-key-management) states that the input to `"import_key"` can be an implementation-defined format. Is this a good idea? It reduces driver portability, since a core that accepts a custom format would not work with a driver that doesn't accept this format. On the other hand, if a driver accepts a custom format, the core should let it through because the driver presumably handles it more efficiently (in terms of speed and code size) than the core could.
-
-Allowing custom formats also causes a problem with import: the core can't know the size of the key representation until it knows the bit-size of the key, but determining the bit-size of the key is part of the job of the `"import_key"` entry point. For standard key types, this could plausibly be an issue for RSA private keys, where an implementation might accept a custom format that omits the CRT parameters (or that omits *d*).
-
-### Opaque drivers
-
-#### Opaque driver persistent state
-
-The driver is allowed to update the state at any time. Is this ok?
-
-An example use case for updating the persistent state at arbitrary times is to renew a key that is used to encrypt communications between the application processor and the secure element.
-
-`psa_crypto_driver_get_persistent_state` does not identify the calling driver, so the driver needs to remember which driver it's calling. This may require a thread-local variable in a multithreaded core. Is this ok?
-
-<!--
-Local Variables:
-time-stamp-line-limit: 40
-time-stamp-start: "Time-stamp: *\""
-time-stamp-end: "\""
-time-stamp-format: "%04Y/%02m/%02d %02H:%02M:%02S %Z"
-time-stamp-time-zone: "GMT"
-End:
--->

doxygen/input/doc_encdec.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/input/doc_hashing.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/input/doc_mainpage.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,10 +25,31 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**
- * @mainpage mbed TLS v2.25.0 source code documentation
+ * @mainpage mbed TLS v2.16.10 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in

doxygen/input/doc_rng.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/input/doc_ssltls.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/input/doc_tcpip.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/input/doc_x509.h

@@ -6,7 +6,13 @@
 /*
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -19,6 +25,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /**

doxygen/mbedtls.doxyfile

@@ -28,7 +28,7 @@ DOXYFILE_ENCODING      = UTF-8
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v2.25.0"
+PROJECT_NAME           = "mbed TLS v2.16.10"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
@@ -1594,7 +1594,7 @@ SEARCH_INCLUDES        = YES
 # contain include files that are not input files but should be processed by
 # the preprocessor.
 
-INCLUDE_PATH           = ../include
+INCLUDE_PATH           =
 
 # You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
 # patterns (like *.h and *.hpp) to filter out the header-files in the

gpl-2.0.txt

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

include/CMakeLists.txt

@@ -3,20 +3,14 @@ option(INSTALL_MBEDTLS_HEADERS "Install mbed TLS headers." ON)
 if(INSTALL_MBEDTLS_HEADERS)
 
     file(GLOB headers "mbedtls/*.h")
-    file(GLOB psa_headers "psa/*.h")
 
     install(FILES ${headers}
         DESTINATION include/mbedtls
         PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
 
-    install(FILES ${psa_headers}
-        DESTINATION include/psa
-        PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
-
 endif(INSTALL_MBEDTLS_HEADERS)
 
 # Make config.h available in an out-of-source build. ssl-opt.sh requires it.
 if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
     link_to_source(mbedtls)
-    link_to_source(psa)
 endif()

include/mbedtls/aes.h

@@ -22,7 +22,13 @@
 
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -35,13 +41,34 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_AES_H
 #define MBEDTLS_AES_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

include/mbedtls/aesni.h

@@ -8,7 +8,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -21,17 +27,38 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_AESNI_H
 #define MBEDTLS_AESNI_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/aes.h"
+#include "aes.h"
 
 #define MBEDTLS_AESNI_AES      0x02000000u
 #define MBEDTLS_AESNI_CLMUL    0x00000002u

include/mbedtls/arc4.h

@@ -8,7 +8,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -22,12 +28,33 @@
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
  *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
  */
 #ifndef MBEDTLS_ARC4_H
 #define MBEDTLS_ARC4_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

include/mbedtls/aria.h

@@ -11,7 +11,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -24,13 +30,34 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_ARIA_H
 #define MBEDTLS_ARIA_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -38,7 +65,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#include "mbedtls/platform_util.h"
+#include "platform_util.h"
 
 #define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
 #define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */

include/mbedtls/asn1.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_ASN1_H
 #define MBEDTLS_ASN1_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -31,7 +58,7 @@
 #include <stddef.h>
 
 #if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
+#include "bignum.h"
 #endif
 
 /**
@@ -50,7 +77,7 @@
 #define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
 #define MBEDTLS_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
 #define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
-#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
 #define MBEDTLS_ERR_ASN1_ALLOC_FAILED                     -0x006A  /**< Memory allocation failed */
 #define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
 
@@ -73,7 +100,6 @@
 #define MBEDTLS_ASN1_OCTET_STRING            0x04
 #define MBEDTLS_ASN1_NULL                    0x05
 #define MBEDTLS_ASN1_OID                     0x06
-#define MBEDTLS_ASN1_ENUMERATED              0x0A
 #define MBEDTLS_ASN1_UTF8_STRING             0x0C
 #define MBEDTLS_ASN1_SEQUENCE                0x10
 #define MBEDTLS_ASN1_SET                     0x11
@@ -88,18 +114,6 @@
 #define MBEDTLS_ASN1_CONSTRUCTED             0x20
 #define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
 
-/* Slightly smaller way to check if tag is a string tag
- * compared to canonical implementation. */
-#define MBEDTLS_ASN1_IS_STRING_TAG( tag )                                     \
-    ( ( tag ) < 32u && (                                                      \
-        ( ( 1u << ( tag ) ) & ( ( 1u << MBEDTLS_ASN1_BMP_STRING )       |     \
-                                ( 1u << MBEDTLS_ASN1_UTF8_STRING )      |     \
-                                ( 1u << MBEDTLS_ASN1_T61_STRING )       |     \
-                                ( 1u << MBEDTLS_ASN1_IA5_STRING )       |     \
-                                ( 1u << MBEDTLS_ASN1_UNIVERSAL_STRING ) |     \
-                                ( 1u << MBEDTLS_ASN1_PRINTABLE_STRING ) |     \
-                                ( 1u << MBEDTLS_ASN1_BIT_STRING ) ) ) != 0 ) )
-
 /*
  * Bit masks for each of the components of an ASN.1 tag as specified in
  * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
@@ -130,10 +144,6 @@
         ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
           memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
 
-#define MBEDTLS_OID_CMP_RAW(oid_str, oid_buf, oid_buf_len)              \
-        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf_len) ) ||             \
-          memcmp( (oid_str), (oid_buf), (oid_buf_len) ) != 0 )
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -191,342 +201,119 @@ mbedtls_asn1_named_data;
  * \brief       Get the length of an ASN.1 element.
  *              Updates the pointer to immediately behind the length.
  *
- * \param p     On entry, \c *p points to the first byte of the length,
- *              i.e. immediately after the tag.
- *              On successful completion, \c *p points to the first byte
- *              after the length, i.e. the first byte of the content.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param len   On successful completion, \c *len contains the length
- *              read from the ASN.1 input.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the value
  *
- * \return      0 if successful.
- * \return      #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
- *              would end beyond \p end.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparseable.
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_OUT_OF_DATA on reaching
+ *              end of data, MBEDTLS_ERR_ASN1_INVALID_LENGTH if length is
+ *              unparseable.
  */
 int mbedtls_asn1_get_len( unsigned char **p,
-                          const unsigned char *end,
-                          size_t *len );
+                  const unsigned char *end,
+                  size_t *len );
 
 /**
- * \brief       Get the tag and length of the element.
- *              Check for the requested tag.
+ * \brief       Get the tag and length of the tag. Check for the requested tag.
  *              Updates the pointer to immediately behind the tag and length.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              after the length, i.e. the first byte of the content.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param len   On successful completion, \c *len contains the length
- *              read from the ASN.1 input.
- * \param tag   The expected tag.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the length
+ * \param tag   The expected tag
  *
- * \return      0 if successful.
- * \return      #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the data does not start
- *              with the requested tag.
- * \return      #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
- *              would end beyond \p end.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparseable.
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if tag did
+ *              not match requested tag, or another specific ASN.1 error code.
  */
 int mbedtls_asn1_get_tag( unsigned char **p,
-                          const unsigned char *end,
-                          size_t *len, int tag );
+                  const unsigned char *end,
+                  size_t *len, int tag );
 
 /**
  * \brief       Retrieve a boolean ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the ASN.1 element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param val   On success, the parsed value (\c 0 or \c 1).
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
  *
- * \return      0 if successful.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 BOOLEAN.
+ * \return      0 if successful or a specific ASN.1 error code.
  */
 int mbedtls_asn1_get_bool( unsigned char **p,
-                           const unsigned char *end,
-                           int *val );
+                   const unsigned char *end,
+                   int *val );
 
 /**
  * \brief       Retrieve an integer ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the ASN.1 element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param val   On success, the parsed value.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
  *
- * \return      0 if successful.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 INTEGER.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- *              not fit in an \c int.
+ * \return      0 if successful or a specific ASN.1 error code.
  */
 int mbedtls_asn1_get_int( unsigned char **p,
-                          const unsigned char *end,
-                          int *val );
-
-/**
- * \brief       Retrieve an enumerated ASN.1 tag and its value.
- *              Updates the pointer to immediately behind the full tag.
- *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the ASN.1 element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param val   On success, the parsed value.
- *
- * \return      0 if successful.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 ENUMERATED.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- *              not fit in an \c int.
- */
-int mbedtls_asn1_get_enum( unsigned char **p,
-                           const unsigned char *end,
-                           int *val );
+                  const unsigned char *end,
+                  int *val );
 
 /**
  * \brief       Retrieve a bitstring ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p is equal to \p end.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param bs    On success, ::mbedtls_asn1_bitstring information about
- *              the parsed value.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param bs    The variable that will receive the value
  *
- * \return      0 if successful.
- * \return      #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
- *              extra data after a valid BIT STRING.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 BIT STRING.
+ * \return      0 if successful or a specific ASN.1 error code.
  */
 int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
-                                mbedtls_asn1_bitstring *bs );
+                        mbedtls_asn1_bitstring *bs);
 
 /**
  * \brief       Retrieve a bitstring ASN.1 tag without unused bits and its
  *              value.
  *              Updates the pointer to the beginning of the bit/octet string.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              of the content of the BIT STRING.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param len   On success, \c *len is the length of the content in bytes.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   Length of the actual bit/octect string in bytes
  *
- * \return      0 if successful.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_DATA if the input starts with
- *              a valid BIT STRING with a nonzero number of unused bits.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 BIT STRING.
+ * \return      0 if successful or a specific ASN.1 error code.
  */
-int mbedtls_asn1_get_bitstring_null( unsigned char **p,
-                                     const unsigned char *end,
-                                     size_t *len );
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len );
 
 /**
- * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>".
- *              Updates the pointer to immediately behind the full sequence tag.
+ * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ *              Updated the pointer to immediately behind the full sequence tag.
  *
- * This function allocates memory for the sequence elements. You can free
- * the allocated memory with mbedtls_asn1_sequence_free().
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param cur   First variable in the chain to fill
+ * \param tag   Type of sequence
  *
- * \note        On error, this function may return a partial list in \p cur.
- *              You must set `cur->next = NULL` before calling this function!
- *              Otherwise it is impossible to distinguish a previously non-null
- *              pointer from a pointer to an object allocated by this function.
- *
- * \note        If the sequence is empty, this function does not modify
- *              \c *cur. If the sequence is valid and non-empty, this
- *              function sets `cur->buf.tag` to \p tag. This allows
- *              callers to distinguish between an empty sequence and
- *              a one-element sequence.
- *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p is equal to \p end.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param cur   A ::mbedtls_asn1_sequence which this function fills.
- *              When this function returns, \c *cur is the head of a linked
- *              list. Each node in this list is allocated with
- *              mbedtls_calloc() apart from \p cur itself, and should
- *              therefore be freed with mbedtls_free().
- *              The list describes the content of the sequence.
- *              The head of the list (i.e. \c *cur itself) describes the
- *              first element, `*cur->next` describes the second element, etc.
- *              For each element, `buf.tag == tag`, `buf.len` is the length
- *              of the content of the content of the element, and `buf.p`
- *              points to the first byte of the content (i.e. immediately
- *              past the length of the element).
- *              Note that list elements may be allocated even on error.
- * \param tag   Each element of the sequence must have this tag.
- *
- * \return      0 if successful.
- * \return      #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
- *              extra data after a valid SEQUENCE OF \p tag.
- * \return      #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts with
- *              an ASN.1 SEQUENCE in which an element has a tag that
- *              is different from \p tag.
- * \return      #MBEDTLS_ERR_ASN1_ALLOC_FAILED if a memory allocation failed.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 SEQUENCE.
+ * \return      0 if successful or a specific ASN.1 error code.
  */
 int mbedtls_asn1_get_sequence_of( unsigned char **p,
-                                  const unsigned char *end,
-                                  mbedtls_asn1_sequence *cur,
-                                  int tag );
-/**
- * \brief          Free a heap-allocated linked list presentation of
- *                 an ASN.1 sequence, including the first element.
- *
- * There are two common ways to manage the memory used for the representation
- * of a parsed ASN.1 sequence:
- * - Allocate a head node `mbedtls_asn1_sequence *head` with mbedtls_calloc().
- *   Pass this node as the `cur` argument to mbedtls_asn1_get_sequence_of().
- *   When you have finished processing the sequence,
- *   call mbedtls_asn1_sequence_free() on `head`.
- * - Allocate a head node `mbedtls_asn1_sequence *head` in any manner,
- *   for example on the stack. Make sure that `head->next == NULL`.
- *   Pass `head` as the `cur` argument to mbedtls_asn1_get_sequence_of().
- *   When you have finished processing the sequence,
- *   call mbedtls_asn1_sequence_free() on `head->cur`,
- *   then free `head` itself in the appropriate manner.
- *
- * \param seq      The address of the first sequence component. This may
- *                 be \c NULL, in which case this functions returns
- *                 immediately.
- */
-void mbedtls_asn1_sequence_free( mbedtls_asn1_sequence *seq );
-
-/**
- * \brief                Traverse an ASN.1 SEQUENCE container and
- *                       call a callback for each entry.
- *
- * This function checks that the input is a SEQUENCE of elements that
- * each have a "must" tag, and calls a callback function on the elements
- * that have a "may" tag.
- *
- * For example, to validate that the input is a SEQUENCE of `tag1` and call
- * `cb` on each element, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0xff, tag1, 0, 0, cb, ctx);
- * ```
- *
- * To validate that the input is a SEQUENCE of ANY and call `cb` on
- * each element, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0, 0, 0, 0, cb, ctx);
- * ```
- *
- * To validate that the input is a SEQUENCE of CHOICE {NULL, OCTET STRING}
- * and call `cb` on each element that is an OCTET STRING, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0xfe, 0x04, 0xff, 0x04, cb, ctx);
- * ```
- *
- * The callback is called on the elements with a "may" tag from left to
- * right. If the input is not a valid SEQUENCE of elements with a "must" tag,
- * the callback is called on the elements up to the leftmost point where
- * the input is invalid.
- *
- * \warning              This function is still experimental and may change
- *                       at any time.
- *
- * \param p              The address of the pointer to the beginning of
- *                       the ASN.1 SEQUENCE header. This is updated to
- *                       point to the end of the ASN.1 SEQUENCE container
- *                       on a successful invocation.
- * \param end            The end of the ASN.1 SEQUENCE container.
- * \param tag_must_mask  A mask to be applied to the ASN.1 tags found within
- *                       the SEQUENCE before comparing to \p tag_must_value.
- * \param tag_must_val   The required value of each ASN.1 tag found in the
- *                       SEQUENCE, after masking with \p tag_must_mask.
- *                       Mismatching tags lead to an error.
- *                       For example, a value of \c 0 for both \p tag_must_mask
- *                       and \p tag_must_val means that every tag is allowed,
- *                       while a value of \c 0xFF for \p tag_must_mask means
- *                       that \p tag_must_val is the only allowed tag.
- * \param tag_may_mask   A mask to be applied to the ASN.1 tags found within
- *                       the SEQUENCE before comparing to \p tag_may_value.
- * \param tag_may_val    The desired value of each ASN.1 tag found in the
- *                       SEQUENCE, after masking with \p tag_may_mask.
- *                       Mismatching tags will be silently ignored.
- *                       For example, a value of \c 0 for \p tag_may_mask and
- *                       \p tag_may_val means that any tag will be considered,
- *                       while a value of \c 0xFF for \p tag_may_mask means
- *                       that all tags with value different from \p tag_may_val
- *                       will be ignored.
- * \param cb             The callback to trigger for each component
- *                       in the ASN.1 SEQUENCE that matches \p tag_may_val.
- *                       The callback function is called with the following
- *                       parameters:
- *                       - \p ctx.
- *                       - The tag of the current element.
- *                       - A pointer to the start of the current element's
- *                         content inside the input.
- *                       - The length of the content of the current element.
- *                       If the callback returns a non-zero value,
- *                       the function stops immediately,
- *                       forwarding the callback's return value.
- * \param ctx            The context to be passed to the callback \p cb.
- *
- * \return               \c 0 if successful the entire ASN.1 SEQUENCE
- *                       was traversed without parsing or callback errors.
- * \return               #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input
- *                       contains extra data after a valid SEQUENCE
- *                       of elements with an accepted tag.
- * \return               #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts
- *                       with an ASN.1 SEQUENCE in which an element has a tag
- *                       that is not accepted.
- * \return               An ASN.1 error code if the input does not start with
- *                       a valid ASN.1 SEQUENCE.
- * \return               A non-zero error code forwarded from the callback
- *                       \p cb in case the latter returns a non-zero value.
- */
-int mbedtls_asn1_traverse_sequence_of(
-    unsigned char **p,
-    const unsigned char *end,
-    unsigned char tag_must_mask, unsigned char tag_must_val,
-    unsigned char tag_may_mask, unsigned char tag_may_val,
-    int (*cb)( void *ctx, int tag,
-               unsigned char* start, size_t len ),
-    void *ctx );
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag);
 
 #if defined(MBEDTLS_BIGNUM_C)
 /**
- * \brief       Retrieve an integer ASN.1 tag and its value.
+ * \brief       Retrieve a MPI value from an integer ASN.1 tag.
  *              Updates the pointer to immediately behind the full tag.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the ASN.1 element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param X     On success, the parsed value.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param X     The MPI that will receive the value
  *
- * \return      0 if successful.
- * \return      An ASN.1 error code if the input does not start with
- *              a valid ASN.1 INTEGER.
- * \return      #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- *              not fit in an \c int.
- * \return      An MPI error code if the parsed value is too large.
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
  */
 int mbedtls_asn1_get_mpi( unsigned char **p,
-                          const unsigned char *end,
-                          mbedtls_mpi *X );
+                  const unsigned char *end,
+                  mbedtls_mpi *X );
 #endif /* MBEDTLS_BIGNUM_C */
 
 /**
@@ -534,14 +321,10 @@ int mbedtls_asn1_get_mpi( unsigned char **p,
  *              Updates the pointer to immediately behind the full
  *              AlgorithmIdentifier.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the AlgorithmIdentifier element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param alg   The buffer to receive the OID.
- * \param params The buffer to receive the parameters.
- *              This is zeroized if there are no parameters.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ * \param params The buffer to receive the params (if any)
  *
  * \return      0 if successful or a specific ASN.1 or MPI error code.
  */
@@ -555,12 +338,9 @@ int mbedtls_asn1_get_alg( unsigned char **p,
  *              Updates the pointer to immediately behind the full
  *              AlgorithmIdentifier.
  *
- * \param p     On entry, \c *p points to the start of the ASN.1 element.
- *              On successful completion, \c *p points to the first byte
- *              beyond the AlgorithmIdentifier element.
- *              On error, the value of \c *p is undefined.
- * \param end   End of data.
- * \param alg   The buffer to receive the OID.
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
  *
  * \return      0 if successful or a specific ASN.1 or MPI error code.
  */
@@ -584,19 +364,15 @@ mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *
 /**
  * \brief       Free a mbedtls_asn1_named_data entry
  *
- * \param entry The named data entry to free.
- *              This function calls mbedtls_free() on
- *              `entry->oid.p` and `entry->val.p`.
+ * \param entry The named data entry to free
  */
 void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry );
 
 /**
- * \brief       Free all entries in a mbedtls_asn1_named_data list.
+ * \brief       Free all entries in a mbedtls_asn1_named_data list
+ *              Head will be set to NULL
  *
- * \param head  Pointer to the head of the list of named data entries to free.
- *              This function calls mbedtls_asn1_free_named_data() and
- *              mbedtls_free() on each list element and
- *              sets \c *head to \c NULL.
+ * \param head  Pointer to the head of the list of named data entries to free
  */
 void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head );
 

include/mbedtls/asn1write.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,17 +24,38 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/asn1.h"
+#include "asn1.h"
 
 #define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
     do                                                  \
@@ -98,7 +125,6 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
  * \param p         The reference to the current position pointer.
  * \param start     The start of the buffer, for bounds-checking.
  * \param X         The MPI to write.
- *                  It must be non-negative.
  *
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
@@ -183,28 +209,12 @@ int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
  * \param p         The reference to the current position pointer.
  * \param start     The start of the buffer, for bounds-checking.
  * \param val       The integer value to write.
- *                  It must be non-negative.
  *
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
 
-/**
- * \brief           Write an enum tag (#MBEDTLS_ASN1_ENUMERATED) and value
- *                  in ASN.1 format.
- *
- * \note            This function works backwards in data buffer.
- *
- * \param p         The reference to the current position pointer.
- * \param start     The start of the buffer, for bounds-checking.
- * \param val       The integer value to write.
- *
- * \return          The number of bytes written to \p p on success.
- * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_enum( unsigned char **p, unsigned char *start, int val );
-
 /**
  * \brief           Write a string in ASN.1 format using a specific
  *                  string encoding tag.
@@ -247,7 +257,7 @@ int mbedtls_asn1_write_printable_string( unsigned char **p,
 
 /**
  * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
- *                  string encoding tag (#MBEDTLS_ASN1_UTF8_STRING).
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
  *
  * \note            This function works backwards in data buffer.
  *
@@ -298,28 +308,6 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
                                   const unsigned char *buf, size_t bits );
 
-/**
- * \brief           This function writes a named bitstring tag
- *                  (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format.
- *
- *                  As stated in RFC 5280 Appendix B, trailing zeroes are
- *                  omitted when encoding named bitstrings in DER.
- *
- * \note            This function works backwards within the data buffer.
- *
- * \param p         The reference to the current position pointer.
- * \param start     The start of the buffer which is used for bounds-checking.
- * \param buf       The bitstring to write.
- * \param bits      The total number of bits in the bitstring.
- *
- * \return          The number of bytes written to \p p on success.
- * \return          A negative error code on failure.
- */
-int mbedtls_asn1_write_named_bitstring( unsigned char **p,
-                                        unsigned char *start,
-                                        const unsigned char *buf,
-                                        size_t bits );
-
 /**
  * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
  *                  and value in ASN.1 format.
@@ -347,13 +335,9 @@ int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
  *                  through (will be updated in case of a new entry).
  * \param oid       The OID to look for.
  * \param oid_len   The size of the OID.
- * \param val       The associated data to store. If this is \c NULL,
- *                  no data is copied to the new or existing buffer.
+ * \param val       The data to store (can be \c NULL if you want to fill
+ *                  it by hand).
  * \param val_len   The minimum length of the data buffer needed.
- *                  If this is 0, do not allocate a buffer for the associated
- *                  data.
- *                  If the OID was already present, enlarge, shrink or free
- *                  the existing buffer to fit \p val_len.
  *
  * \return          A pointer to the new / existing entry on success.
  * \return          \c NULL if if there was a memory allocation error.

include/mbedtls/base64.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

include/mbedtls/bignum.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_BIGNUM_H
 #define MBEDTLS_BIGNUM_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -127,8 +154,7 @@
         defined(__ppc64__) || defined(__powerpc64__)  || \
         defined(__ia64__)  || defined(__alpha__)      || \
         ( defined(__sparc__) && defined(__arch64__) ) || \
-        defined(__s390x__) || defined(__mips64)       || \
-        defined(__aarch64__) )
+        defined(__s390x__) || defined(__mips64) )
         #if !defined(MBEDTLS_HAVE_INT64)
             #define MBEDTLS_HAVE_INT64
         #endif /* MBEDTLS_HAVE_INT64 */
@@ -494,24 +520,8 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
                              size_t buflen );
 
 /**
- * \brief          Import X from unsigned binary data, little endian
- *
- * \param X        The destination MPI. This must point to an initialized MPI.
- * \param buf      The input buffer. This must be a readable buffer of length
- *                 \p buflen Bytes.
- * \param buflen   The length of the input buffer \p p in Bytes.
- *
- * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return         Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_read_binary_le( mbedtls_mpi *X,
-                                const unsigned char *buf, size_t buflen );
-
-/**
- * \brief          Export X into unsigned binary data, big endian.
- *                 Always fills the whole buffer, which will start with zeros
- *                 if the number is smaller.
+ * \brief          Export an MPI into unsigned big endian binary data
+ *                 of fixed size.
  *
  * \param X        The source MPI. This must point to an initialized MPI.
  * \param buf      The output buffer. This must be a writable buffer of length
@@ -526,24 +536,6 @@ int mbedtls_mpi_read_binary_le( mbedtls_mpi *X,
 int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
                               size_t buflen );
 
-/**
- * \brief          Export X into unsigned binary data, little endian.
- *                 Always fills the whole buffer, which will end with zeros
- *                 if the number is smaller.
- *
- * \param X        The source MPI. This must point to an initialized MPI.
- * \param buf      The output buffer. This must be a writable buffer of length
- *                 \p buflen Bytes.
- * \param buflen   The size of the output buffer \p buf in Bytes.
- *
- * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
- *                 large enough to hold the value of \p X.
- * \return         Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X,
-                                 unsigned char *buf, size_t buflen );
-
 /**
  * \brief          Perform a left-shift on an MPI: X <<= count
  *

include/mbedtls/blowfish.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_BLOWFISH_H
 #define MBEDTLS_BLOWFISH_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -31,7 +58,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#include "mbedtls/platform_util.h"
+#include "platform_util.h"
 
 #define MBEDTLS_BLOWFISH_ENCRYPT     1
 #define MBEDTLS_BLOWFISH_DECRYPT     0

include/mbedtls/bn_mul.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 /*
  *      Multiply source vector [s] with b, add result
@@ -37,12 +64,12 @@
 #define MBEDTLS_BN_MUL_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/bignum.h"
+#include "bignum.h"
 
 #if defined(MBEDTLS_HAVE_ASM)
 
@@ -196,30 +223,6 @@
 
 #endif /* AMD64 */
 
-#if defined(__aarch64__)
-
-#define MULADDC_INIT                \
-    asm(
-
-#define MULADDC_CORE                \
-        "ldr x4, [%2], #8   \n\t"   \
-        "ldr x5, [%1]       \n\t"   \
-        "mul x6, x4, %3     \n\t"   \
-        "umulh x7, x4, %3   \n\t"   \
-        "adds x5, x5, x6    \n\t"   \
-        "adc x7, x7, xzr    \n\t"   \
-        "adds x5, x5, %0    \n\t"   \
-        "adc %0, x7, xzr    \n\t"   \
-        "str x5, [%1], #8   \n\t"
-
-#define MULADDC_STOP                        \
-         : "+r" (c),  "+r" (d), "+r" (s)    \
-         : "r" (b)                          \
-         : "x4", "x5", "x6", "x7", "cc"     \
-    );
-
-#endif /* Aarch64 */
-
 #if defined(__mc68020__) || defined(__mcpu32__)
 
 #define MULADDC_INIT                    \

include/mbedtls/camellia.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_CAMELLIA_H
 #define MBEDTLS_CAMELLIA_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@@ -31,7 +58,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#include "mbedtls/platform_util.h"
+#include "platform_util.h"
 
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0

include/mbedtls/ccm.h

@@ -29,7 +29,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -42,18 +48,39 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/cipher.h"
+#include "cipher.h"
 
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
 #define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */

include/mbedtls/certs.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,12 +24,33 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

include/mbedtls/chacha20.h

@@ -14,7 +14,13 @@
 
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -27,13 +33,34 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_CHACHA20_H
 #define MBEDTLS_CHACHA20_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

include/mbedtls/chachapoly.h

@@ -14,7 +14,13 @@
 
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -27,19 +33,40 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_CHACHAPOLY_H
 #define MBEDTLS_CHACHAPOLY_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
 /* for shared error codes */
-#include "mbedtls/poly1305.h"
+#include "poly1305.h"
 
 #define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
 #define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
@@ -57,7 +84,7 @@ mbedtls_chachapoly_mode_t;
 
 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
 
-#include "mbedtls/chacha20.h"
+#include "chacha20.h"
 
 typedef struct mbedtls_chachapoly_context
 {

include/mbedtls/check_config.h

@@ -5,7 +5,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -18,6 +24,27 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 /*
@@ -43,16 +70,11 @@
 #endif
 
 /* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
- * it would confuse config.py. */
+ * it would confuse config.pl. */
 #if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
     !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
 #define MBEDTLS_PLATFORM_SNPRINTF_ALT
 #endif
-
-#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
-    !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
-#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
-#endif
 #endif /* _WIN32 */
 
 #if defined(TARGET_LIKE_MBED) && \
@@ -101,17 +123,6 @@
 
 #if defined(MBEDTLS_ECDSA_C) &&            \
     ( !defined(MBEDTLS_ECP_C) ||           \
-      !( defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
-         defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) ||   \
-         defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) ||   \
-         defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) ) || \
       !defined(MBEDTLS_ASN1_PARSE_C) ||    \
       !defined(MBEDTLS_ASN1_WRITE_C) )
 #error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
@@ -123,25 +134,14 @@
 #endif
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)           && \
-    ( defined(MBEDTLS_USE_PSA_CRYPTO)          || \
-      defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
       defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
       defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
       defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
       defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
       defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
       defined(MBEDTLS_ECP_ALT) )
-#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative or PSA-based ECP implementation"
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
-    ! defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-#error "MBEDTLS_ECP_RESTARTABLE defined, but not MBEDTLS_ECDH_LEGACY_CONTEXT"
-#endif
-
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)           && \
-    defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-#error "MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED defined, but MBEDTLS_ECDH_LEGACY_CONTEXT not disabled"
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
 #endif
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
@@ -169,8 +169,10 @@
     defined(MBEDTLS_ECP_ALT) ||             \
     defined(MBEDTLS_CTR_DRBG_C) ||          \
     defined(MBEDTLS_HMAC_DRBG_C) ||         \
+    defined(MBEDTLS_SHA512_C) ||            \
+    defined(MBEDTLS_SHA256_C) ||            \
     defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
-#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#error "MBEDTLS_ECP_C requires a DRBG or SHA-2 module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
 #endif
 
 #if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
@@ -216,7 +218,7 @@
 #endif
 
 #if defined(MBEDTLS_GCM_C) && (                                        \
-        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
+        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
 #error "MBEDTLS_GCM_C defined, but not all prerequisites"
 #endif
 
@@ -265,14 +267,12 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
-      !defined(MBEDTLS_X509_CRT_PARSE_C) )
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
-      !defined(MBEDTLS_X509_CRT_PARSE_C) )
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
@@ -321,14 +321,6 @@
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) &&        \
-    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) &&              \
-    ( !defined(MBEDTLS_SHA256_C) &&                             \
-      !defined(MBEDTLS_SHA512_C) &&                             \
-      !defined(MBEDTLS_SHA1_C) )
-#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C"
-#endif
-
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
     ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
 #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
@@ -371,14 +363,6 @@
 #error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PKCS11_C)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_PKCS11_C */
-
 #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
 #endif
@@ -572,48 +556,6 @@
 #error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_C) &&            \
-    !( defined(MBEDTLS_CTR_DRBG_C) &&           \
-       defined(MBEDTLS_ENTROPY_C) )
-#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C)
-#error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C) &&    \
-    ! ( defined(MBEDTLS_PSA_CRYPTO_C) && \
-        defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) )
-#error "MBEDTLS_PSA_CRYPTO_SE_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
-    ! defined(MBEDTLS_PSA_CRYPTO_C)
-#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&      \
-    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
-       defined(MBEDTLS_ENTROPY_NV_SEED) )
-#error "MBEDTLS_PSA_INJECT_ENTROPY defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&              \
-    !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
-#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources"
-#endif
-
-#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
-    !defined(MBEDTLS_FS_IO)
-#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
-#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO."
-#endif
-
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
     !defined(MBEDTLS_OID_C) )
 #error "MBEDTLS_RSA_C defined, but not all prerequisites"
@@ -629,10 +571,6 @@
 #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C)
-#error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C"
-#endif
-
 #if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
     !defined(MBEDTLS_SHA1_C) )
 #error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
@@ -653,11 +591,6 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
-    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
-#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
-#endif
-
 #if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
      defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
     !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
@@ -730,23 +663,6 @@
 #error "MBEDTLS_SSL_DTLS_ANTI_REPLAY  defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) &&                              \
-    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
-#error "MBEDTLS_SSL_DTLS_CONNECTION_ID  defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)            &&                 \
-    defined(MBEDTLS_SSL_CID_IN_LEN_MAX) &&                 \
-    MBEDTLS_SSL_CID_IN_LEN_MAX > 255
-#error "MBEDTLS_SSL_CID_IN_LEN_MAX too large (max 255)"
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)            &&                  \
-    defined(MBEDTLS_SSL_CID_OUT_LEN_MAX) &&                 \
-    MBEDTLS_SSL_CID_OUT_LEN_MAX > 255
-#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
-#endif
-
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
     ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
@@ -799,10 +715,6 @@
 #endif
 #undef MBEDTLS_THREADING_IMPL
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C)
-#error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
 #error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
 #endif
@@ -852,34 +764,6 @@
 #error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
 #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
 
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_SSL_PROTO_SSL3 */
-
-#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
-
-#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) )
-#error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites"
-#endif
-
 /*
  * Avoid warning from -pedantic. This is a convenient place for this
  * workaround since this is included by every single file before the

include/mbedtls/cipher.h

@@ -9,7 +9,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -22,19 +28,40 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_CIPHER_H
 #define MBEDTLS_CIPHER_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
 #include <stddef.h>
-#include "mbedtls/platform_util.h"
+#include "platform_util.h"
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 #define MBEDTLS_CIPHER_MODE_AEAD
@@ -174,29 +201,21 @@ typedef enum {
     MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
     MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
     MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
-    MBEDTLS_CIPHER_AES_128_KW,           /**< AES cipher with 128-bit NIST KW mode. */
-    MBEDTLS_CIPHER_AES_192_KW,           /**< AES cipher with 192-bit NIST KW mode. */
-    MBEDTLS_CIPHER_AES_256_KW,           /**< AES cipher with 256-bit NIST KW mode. */
-    MBEDTLS_CIPHER_AES_128_KWP,          /**< AES cipher with 128-bit NIST KWP mode. */
-    MBEDTLS_CIPHER_AES_192_KWP,          /**< AES cipher with 192-bit NIST KWP mode. */
-    MBEDTLS_CIPHER_AES_256_KWP,          /**< AES cipher with 256-bit NIST KWP mode. */
 } mbedtls_cipher_type_t;
 
 /** Supported cipher modes. */
 typedef enum {
-    MBEDTLS_MODE_NONE = 0,               /**< None.                        */
-    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode.         */
-    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode.         */
-    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode.         */
-    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode.         */
-    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode.         */
-    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode.         */
-    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode.      */
-    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
-    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
+    MBEDTLS_MODE_NONE = 0,               /**< None. */
+    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode. */
+    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode. */
+    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode. */
+    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode. */
+    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode. */
+    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode. */
+    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode. */
+    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode. */
+    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode. */
     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
-    MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
-    MBEDTLS_MODE_KWP,                    /**< The SP800-38F KWP mode */
 } mbedtls_cipher_mode_t;
 
 /** Supported cipher padding types. */
@@ -227,30 +246,10 @@ enum {
 };
 
 /** Maximum length of any IV, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
- * in ssl_internal.h. */
 #define MBEDTLS_MAX_IV_LENGTH      16
-
 /** Maximum block size of any cipher, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in ssl_internal.h. */
 #define MBEDTLS_MAX_BLOCK_LENGTH   16
 
-/** Maximum key length, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * For now, only check whether XTS is enabled which uses 64 Byte keys,
- * and use 32 Bytes as an upper bound for the maximum key length otherwise.
- * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in ssl_internal.h, which however deliberately ignores the case of XTS
- * since the latter isn't used in SSL/TLS. */
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-#define MBEDTLS_MAX_KEY_LENGTH     64
-#else
-#define MBEDTLS_MAX_KEY_LENGTH     32
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
 /**
  * Base cipher information (opaque struct).
  */
@@ -348,32 +347,14 @@ typedef struct mbedtls_cipher_context_t
     /** CMAC-specific context. */
     mbedtls_cmac_context_t *cmac_ctx;
 #endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    /** Indicates whether the cipher operations should be performed
-     *  by Mbed TLS' own crypto library or an external implementation
-     *  of the PSA Crypto API.
-     *  This is unset if the cipher context was established through
-     *  mbedtls_cipher_setup(), and set if it was established through
-     *  mbedtls_cipher_setup_psa().
-     */
-    unsigned char psa_enabled;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
 } mbedtls_cipher_context_t;
 
 /**
- * \brief This function retrieves the list of ciphers supported
- *        by the generic cipher module.
+ * \brief This function retrieves the list of ciphers supported by the generic
+ * cipher module.
  *
- *        For any cipher identifier in the returned list, you can
- *        obtain the corresponding generic cipher information structure
- *        via mbedtls_cipher_info_from_type(), which can then be used
- *        to prepare a cipher context via mbedtls_cipher_setup().
- *
- *
- * \return      A statically-allocated array of cipher identifiers
- *              of type cipher_type_t. The last entry is zero.
+ * \return      A statically-allocated array of ciphers. The last entry
+ *              is zero.
  */
 const int *mbedtls_cipher_list( void );
 
@@ -440,8 +421,9 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
 
 
 /**
- * \brief               This function initializes a cipher context for
- *                      use with the given cipher primitive.
+ * \brief               This function initializes and fills the cipher-context
+ *                      structure with the appropriate values. It also clears
+ *                      the structure.
  *
  * \param ctx           The context to initialize. This must be initialized.
  * \param cipher_info   The cipher to use.
@@ -459,33 +441,6 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
                           const mbedtls_cipher_info_t *cipher_info );
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * \brief               This function initializes a cipher context for
- *                      PSA-based use with the given cipher primitive.
- *
- * \note                See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
- *
- * \param ctx           The context to initialize. May not be \c NULL.
- * \param cipher_info   The cipher to use.
- * \param taglen        For AEAD ciphers, the length in bytes of the
- *                      authentication tag to use. Subsequent uses of
- *                      mbedtls_cipher_auth_encrypt() or
- *                      mbedtls_cipher_auth_decrypt() must provide
- *                      the same tag length.
- *                      For non-AEAD ciphers, the value must be \c 0.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
- *                      cipher-specific context fails.
- */
-int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
-                              const mbedtls_cipher_info_t *cipher_info,
-                              size_t taglen );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
 /**
  * \brief        This function returns the block size of the given cipher.
  *
@@ -708,7 +663,7 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
  * \param ctx           The generic cipher context. This must be initialized.
  * \param ad            The additional data to use. This must be a readable
  *                      buffer of at least \p ad_len Bytes.
- * \param ad_len        The length of \p ad in Bytes.
+ * \param ad_len        the Length of \p ad Bytes.
  *
  * \return              \c 0 on success.
  * \return              A specific error code on failure.
@@ -751,10 +706,8 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
  *                      unsupported mode for a cipher.
  * \return              A cipher-specific error code on failure.
  */
-int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx,
-                           const unsigned char *input,
-                           size_t ilen, unsigned char *output,
-                           size_t *olen );
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen );
 
 /**
  * \brief               The generic cipher finalization function. If data still
@@ -857,52 +810,30 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
                   unsigned char *output, size_t *olen );
 
 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_WARNING */
 /**
- * \brief               The generic authenticated encryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_encrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_encrypt_ext().
+ * \brief               The generic autenticated encryption (AEAD) function.
  *
  * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
+ *                      bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
  * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
+ *                      readable buffer of at least \p ad_len Bytes.
  * \param ad_len        The length of \p ad.
  * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
  * \param tag           The buffer for the authentication tag. This must be a
- *                      writable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The desired length of the authentication tag. This
- *                      must match the constraints imposed by the AEAD cipher
- *                      used, and in particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == output + ilen. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
+ *                      writable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The desired length of the authentication tag.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -914,53 +845,36 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *ad, size_t ad_len,
                          const unsigned char *input, size_t ilen,
                          unsigned char *output, size_t *olen,
-                         unsigned char *tag, size_t tag_len )
-                         MBEDTLS_DEPRECATED;
+                         unsigned char *tag, size_t tag_len );
 
 /**
- * \brief               The generic authenticated decryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_decrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_decrypt_ext().
+ * \brief               The generic autenticated decryption (AEAD) function.
  *
  * \note                If the data is not authentic, then the output buffer
  *                      is zeroed out to prevent the unauthentic plaintext being
  *                      used, making this interface safer.
  *
  * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
+ *                      and bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to be authenticated. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
  * \param ad_len        The length of \p ad.
  * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag           The buffer for the authentication tag. This must be a
- *                      readable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The length of the authentication tag. This must match
- *                      the constraints imposed by the AEAD cipher used, and in
- *                      particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == input + len. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
+ * \param output        The buffer for the output data.
+ *                      This must be able to hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer holding the authentication tag. This must be
+ *                      a readable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the authentication tag.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -973,120 +887,9 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *ad, size_t ad_len,
                          const unsigned char *input, size_t ilen,
                          unsigned char *output, size_t *olen,
-                         const unsigned char *tag, size_t tag_len )
-                         MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
+                         const unsigned char *tag, size_t tag_len );
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 
-#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
-/**
- * \brief               The authenticated encryption (AEAD/NIST_KW) function.
- *
- * \note                For AEAD modes, the tag will be appended to the
- *                      ciphertext, as recommended by RFC 5116.
- *                      (NIST_KW doesn't have a separate tag.)
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key, with an AEAD algorithm or NIST_KW.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and may be \c NULL if \p
- *                      iv_len is \c 0.
- * \param iv_len        The length of the nonce. For AEAD ciphers, this must
- *                      satisfy the constraints imposed by the cipher used.
- *                      For NIST_KW, this must be \c 0.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p output_len Bytes, and
- *                      must not be \c NULL.
- * \param output_len    The length of the \p output buffer in Bytes. For AEAD
- *                      ciphers, this must be at least \p ilen + \p tag_len.
- *                      For NIST_KW, this must be at least \p ilen + 8
- *                      (rounded up to a multiple of 8 if KWP is used);
- *                      \p ilen + 15 is always a safe value.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag_len       The desired length of the authentication tag. For AEAD
- *                      ciphers, this must match the constraints imposed by
- *                      the cipher used, and in particular must not be \c 0.
- *                      For NIST_KW, this must be \c 0.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t output_len,
-                         size_t *olen, size_t tag_len );
-
-/**
- * \brief               The authenticated encryption (AEAD/NIST_KW) function.
- *
- * \note                If the data is not authentic, then the output buffer
- *                      is zeroed out to prevent the unauthentic plaintext being
- *                      used, making this interface safer.
- *
- * \note                For AEAD modes, the tag must be appended to the
- *                      ciphertext, as recommended by RFC 5116.
- *                      (NIST_KW doesn't have a separate tag.)
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key, with an AEAD algorithm or NIST_KW.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and may be \c NULL if \p
- *                      iv_len is \c 0.
- * \param iv_len        The length of the nonce. For AEAD ciphers, this must
- *                      satisfy the constraints imposed by the cipher used.
- *                      For NIST_KW, this must be \c 0.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data. For AEAD ciphers this
- *                      must be at least \p tag_len. For NIST_KW this must be
- *                      at least \c 8.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p output_len Bytes, and
- *                      may be \c NULL if \p output_len is \c 0.
- * \param output_len    The length of the \p output buffer in Bytes. For AEAD
- *                      ciphers, this must be at least \p ilen - \p tag_len.
- *                      For NIST_KW, this must be at least \p ilen - 8.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag_len       The actual length of the authentication tag. For AEAD
- *                      ciphers, this must match the constraints imposed by
- *                      the cipher used, and in particular must not be \c 0.
- *                      For NIST_KW, this must be \c 0.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
- * \return              A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t output_len,
-                         size_t *olen, size_t tag_len );
-#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
 #ifdef __cplusplus
 }
 #endif

include/mbedtls/cipher_internal.h

@@ -7,7 +7,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -20,21 +26,38 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 #ifndef MBEDTLS_CIPHER_WRAP_H
 #define MBEDTLS_CIPHER_WRAP_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#include "cipher.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -116,29 +139,6 @@ typedef struct
     const mbedtls_cipher_info_t *info;
 } mbedtls_cipher_definition_t;
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-typedef enum
-{
-    MBEDTLS_CIPHER_PSA_KEY_UNSET = 0,
-    MBEDTLS_CIPHER_PSA_KEY_OWNED, /* Used for PSA-based cipher contexts which */
-                                  /* use raw key material internally imported */
-                                  /* as a volatile key, and which hence need  */
-                                  /* to destroy that key when the context is  */
-                                  /* freed.                                   */
-    MBEDTLS_CIPHER_PSA_KEY_NOT_OWNED, /* Used for PSA-based cipher contexts   */
-                                      /* which use a key provided by the      */
-                                      /* user, and which hence will not be    */
-                                      /* destroyed when the context is freed. */
-} mbedtls_cipher_psa_key_ownership;
-
-typedef struct
-{
-    psa_algorithm_t alg;
-    psa_key_id_t slot;
-    mbedtls_cipher_psa_key_ownership slot_state;
-} mbedtls_cipher_context_psa;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
 extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
 
 extern int mbedtls_cipher_supported[];

include/mbedtls/cmac.h

@@ -8,7 +8,13 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -21,18 +27,39 @@
  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
  */
 
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
 
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#include "mbedtls/cipher.h"
+#include "cipher.h"
 
 #ifdef __cplusplus
 extern "C" {